From 4873b6bc7a35a36fcd2a850b2c0b3f6e421d440c Mon Sep 17 00:00:00 2001 From: Yu-Ping Wu Date: Fri, 1 Nov 2024 11:15:19 +0800 Subject: soc/mediatek/mt8188/spi: Fix out-of-bound array access for pad_funcs The size of the inner array of the 2-dimensional array pad_funcs should be 4 instead of SPI_BUS_NUMBER (6). This bug leads to two extra gpio_set_mode() calls with unexpected GPIOs. Inspecting spi.o, the data immediately after the .rodata.pad_funcs section is .rodata.spi_ctrlr_bus_map, with the following data: 00000428 00 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 00000438 00 00 00 00 00 00 00 00 ... This is equivalent to the following calls: gpio_set_mode(GPIO(GPIO05), 0); gpio_set_mode(GPIO(GPIO00), 0); The second call is already included in the pad_funcs array, so the first call is the only practical impact of this bug. Change-Id: I9c44f09b3cdadbbf039b95efca7144f213672092 Signed-off-by: Yu-Ping Wu Reviewed-on: https://review.coreboot.org/c/coreboot/+/84950 Tested-by: build bot (Jenkins) Reviewed-by: Yidi Lin Reviewed-by: Hung-Te Lin Reviewed-by: Paul Menzel --- src/soc/mediatek/mt8188/spi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/soc/mediatek/mt8188') diff --git a/src/soc/mediatek/mt8188/spi.c b/src/soc/mediatek/mt8188/spi.c index 994663d02c..66fbf0f373 100644 --- a/src/soc/mediatek/mt8188/spi.c +++ b/src/soc/mediatek/mt8188/spi.c @@ -114,7 +114,7 @@ void mtk_spi_set_gpio_pinmux(unsigned int bus, enum spi_pad_mask pad_select) ptr = pad_funcs[bus]; - for (unsigned int i = 0; i < SPI_BUS_NUMBER; i++) + for (unsigned int i = 0; i < ARRAY_SIZE(pad_funcs[0]); i++) gpio_set_mode(ptr[i].gpio, ptr[i].func); } -- cgit v1.2.3
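Review bot: The outer index in `ptr = pad_funcs[bus];`, just above the corrected loop in mtk_spi_set_gpio_pinmux(), carries the same out-of-bounds risk as the inner bound this change fixes, and the visible context does not show `bus` being range-checked. Please confirm that a check such as `assert(bus < ARRAY_SIZE(pad_funcs));` runs earlier in the function, or add one next to the assignment. Using `ARRAY_SIZE(pad_funcs[0])` for the loop bound is the right choice, since it follows the array's declaration instead of an unrelated constant. If the outer dimension is meant to equal SPI_BUS_NUMBER, a compile-time assertion on `ARRAY_SIZE(pad_funcs)` beside the table would keep the two dimensions from being confused again. The commit message's analysis of the stray gpio_set_mode() calls depends on .rodata.spi_ctrlr_bus_map being placed directly after .rodata.pad_funcs in this build, so a one-line comment at the table stating that the inner dimension is the number of pads per bus (4) would preserve the reasoning independently of link order.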