diff options
author | Tim Wawrzynczak <twawrzynczak@chromium.org> | 2019-08-07 20:54:01 -0600 |
---|---|---|
committer | Martin Roth <martinroth@google.com> | 2019-08-09 01:28:04 +0000 |
commit | 680027edf6dce0fca22b4e4b9525b1a88cd2ade9 (patch) | |
tree | 3f2e8a163fd84935ea00b0584119638feb18b772 /src | |
parent | 98f43a1f757a89afa4e48d15ff48abdd7e62f46b (diff) | |
download | coreboot-680027edf6dce0fca22b4e4b9525b1a88cd2ade9.tar.xz |
soc/nvidia/tegra210: Fix potential NULL pointer dereference
Recent Coverity scan indicated potential NULL deference; if either
spi->dma_in or spi->dma_out are NULL, the fifo_error() check could
dereference a NULL pointer.
Also fixed what appears to be a logic bug for the spi->dma_out case,
where it was using the todo (count) from spi->dma_in.
Found-by: Coverity CID 1241838, 1241854
Change-Id: Icd1412f0956c0a4a75266d1873d5e9848aceee32
Signed-off-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34787
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/soc/nvidia/tegra210/spi.c | 46 |
1 files changed, 25 insertions, 21 deletions
diff --git a/src/soc/nvidia/tegra210/spi.c b/src/soc/nvidia/tegra210/spi.c index 9310e0cc09..6ec8b641ab 100644 --- a/src/soc/nvidia/tegra210/spi.c +++ b/src/soc/nvidia/tegra210/spi.c @@ -286,25 +286,27 @@ static void dump_spi_regs(struct tegra_spi_channel *spi) static void dump_dma_regs(struct apb_dma_channel *dma) { - printk(BIOS_INFO, "DMA regs:\n" - "\tahb_ptr: 0x%08x\n" - "\tapb_ptr: 0x%08x\n" - "\tahb_seq: 0x%08x\n" - "\tapb_seq: 0x%08x\n" - "\tcsr: 0x%08x\n" - "\tcsre: 0x%08x\n" - "\twcount: 0x%08x\n" - "\tdma_byte_sta: 0x%08x\n" - "\tword_transfer: 0x%08x\n", - read32(&dma->regs->ahb_ptr), - read32(&dma->regs->apb_ptr), - read32(&dma->regs->ahb_seq), - read32(&dma->regs->apb_seq), - read32(&dma->regs->csr), - read32(&dma->regs->csre), - read32(&dma->regs->wcount), - read32(&dma->regs->dma_byte_sta), - read32(&dma->regs->word_transfer)); + if (dma) { + printk(BIOS_INFO, "DMA regs:\n" + "\tahb_ptr: 0x%08x\n" + "\tapb_ptr: 0x%08x\n" + "\tahb_seq: 0x%08x\n" + "\tapb_seq: 0x%08x\n" + "\tcsr: 0x%08x\n" + "\tcsre: 0x%08x\n" + "\twcount: 0x%08x\n" + "\tdma_byte_sta: 0x%08x\n" + "\tword_transfer: 0x%08x\n", + read32(&dma->regs->ahb_ptr), + read32(&dma->regs->apb_ptr), + read32(&dma->regs->ahb_seq), + read32(&dma->regs->apb_seq), + read32(&dma->regs->csr), + read32(&dma->regs->csre), + read32(&dma->regs->wcount), + read32(&dma->regs->dma_byte_sta), + read32(&dma->regs->word_transfer)); + } } static inline unsigned int spi_byte_count(struct tegra_spi_channel *spi) @@ -574,9 +576,9 @@ static int tegra_spi_dma_finish(struct tegra_spi_channel *spi) struct apb_dma * const apb_dma = (struct apb_dma *)TEGRA_APB_DMA_BASE; - todo = read32(&spi->dma_in->regs->wcount); - if (spi->dma_in) { + todo = read32(&spi->dma_in->regs->wcount); + while ((read32(&spi->dma_in->regs->dma_byte_sta) < todo) || dma_busy(spi->dma_in)) ; @@ -589,6 +591,8 @@ static int tegra_spi_dma_finish(struct tegra_spi_channel *spi) } if (spi->dma_out) { + todo = read32(&spi->dma_out->regs->wcount); + while ((read32(&spi->dma_out->regs->dma_byte_sta) < todo) || dma_busy(spi->dma_out)) ; |