git.proxmox.com Git - mirror

author	Peter Delevoryas <pdel@fb.com>
	Tue, 12 Oct 2021 06:20:08 +0000 (08:20 +0200)
committer	Cédric Le Goater <clg@kaod.org>
	Tue, 12 Oct 2021 06:20:08 +0000 (08:20 +0200)
commit	87bd33e8b0d2e08a6030ffced9433e5927360de5
tree	cf6e2ecc9b81be74d7b9297a459d89890fb9d4b5	tree
parent	9fffe140a9424e80af5f30a149c9f0d67424434f	commit \| diff

hw: aspeed_gpio: Fix GPIO array indexing

The gpio array is declared as a dense array:

  qemu_irq gpios[ASPEED_GPIO_NR_PINS];

(AST2500 has 228, AST2400 has 216, AST2600 has 208)

However, this array is used like a matrix of GPIO sets
(e.g. gpio[NR_SETS][NR_PINS_PER_SET] = gpio[8][32])

  size_t offset = set * GPIOS_PER_SET + gpio;
  qemu_set_irq(s->gpios[offset], !!(new & mask));

This can result in an out-of-bounds access to "s->gpios" because the
gpio sets do _not_ have the same length. Some of the groups (e.g.
GPIOAB) only have 4 pins. 228 != 8 * 32 == 256.

To fix this, I converted the gpio array from dense to sparse, to that
match both the hardware layout and this existing indexing code.

Fixes: 4b7f956862dc2db4c5c ("hw/gpio: Add basic Aspeed GPIO model for AST2400 and AST2500")
Signed-off-by: Peter Delevoryas <pdel@fb.com>
Message-Id: <20211008033501.934729-2-pdel@fb.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>

hw/gpio/aspeed_gpio.c		diff \| blob \| blame \| history
include/hw/gpio/aspeed_gpio.h		diff \| blob \| blame \| history