summaryrefslogtreecommitdiff
path: root/drivers/mailbox/imx-mailbox.c
diff options
context:
space:
mode:
authorPeng Fan <peng.fan@nxp.com>2020-04-14 16:21:15 +0300
committerJassi Brar <jaswinder.singh@linaro.org>2020-05-31 02:07:07 +0300
commit9d8ca628c0286a35e3f8382e44f8b79846a88603 (patch)
tree820e7d186902e9c072bb193fe973aa46f7813211 /drivers/mailbox/imx-mailbox.c
parentca27fc26cd2219d964b4fc0efac634ab237b6c8e (diff)
downloadlinux-9d8ca628c0286a35e3f8382e44f8b79846a88603.tar.xz
mailbox: imx-mailbox: fix scu msg header size check
The i.MX8 SCU message header size is the number of "u32" elements, not "u8", so fix the check. Reported-by: coverity-bot <keescook+coverity-bot@chromium.org> Addresses-Coverity-ID: 1461658 ("Memory - corruptions") Signed-off-by: Peng Fan <peng.fan@nxp.com> Reviewed-by: Leonard Crestez <leonard.crestez@nxp.com> Acked-by: Oleksij Rempel <o.rempel@pengutronix.de> Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
Diffstat (limited to 'drivers/mailbox/imx-mailbox.c')
-rw-r--r--drivers/mailbox/imx-mailbox.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/drivers/mailbox/imx-mailbox.c b/drivers/mailbox/imx-mailbox.c
index 19f8d79cebac..bd69ecfb9352 100644
--- a/drivers/mailbox/imx-mailbox.c
+++ b/drivers/mailbox/imx-mailbox.c
@@ -155,12 +155,17 @@ static int imx_mu_scu_tx(struct imx_mu_priv *priv,
switch (cp->type) {
case IMX_MU_TYPE_TX:
- if (msg->hdr.size > sizeof(*msg)) {
+ /*
+ * msg->hdr.size specifies the number of u32 words while
+ * sizeof yields bytes.
+ */
+
+ if (msg->hdr.size > sizeof(*msg) / 4) {
/*
* The real message size can be different to
* struct imx_sc_rpc_msg_max size
*/
- dev_err(priv->dev, "Exceed max msg size (%zu) on TX, got: %i\n", sizeof(*msg), msg->hdr.size);
+ dev_err(priv->dev, "Maximal message size (%zu bytes) exceeded on TX; got: %i bytes\n", sizeof(*msg), msg->hdr.size << 2);
return -EINVAL;
}
@@ -199,9 +204,8 @@ static int imx_mu_scu_rx(struct imx_mu_priv *priv,
imx_mu_xcr_rmw(priv, 0, IMX_MU_xCR_RIEn(0));
*data++ = imx_mu_read(priv, priv->dcfg->xRR[0]);
- if (msg.hdr.size > sizeof(msg)) {
- dev_err(priv->dev, "Exceed max msg size (%zu) on RX, got: %i\n",
- sizeof(msg), msg.hdr.size);
+ if (msg.hdr.size > sizeof(msg) / 4) {
+ dev_err(priv->dev, "Maximal message size (%zu bytes) exceeded on RX; got: %i bytes\n", sizeof(msg), msg.hdr.size << 2);
return -EINVAL;
}