Yu-Ping Wu has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/84950?usp=email )
Change subject: soc/mediatek/mt8188/spi: Fix out-of-bound array access for pad_funcs
soc/mediatek/mt8188/spi: Fix out-of-bound array access for pad_funcs
The size of the inner array of the 2-dimensional array pad_funcs should be 4 instead of SPI_BUS_NUMBER (6). This bug leads to two extra gpio_set_mode() calls with unexpected GPIOs.
Inspecting spi.o, the data immediately after the .rodata.pad_funcs section is .rodata.spi_ctrlr_bus_map, with the following data:
  00000428 00 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00
  00000438 00 00 00 00 00 00 00 00 ...
This is equivalent to the following calls:
  gpio_set_mode(GPIO(GPIO05), 0);
  gpio_set_mode(GPIO(GPIO00), 0);
The second call is already included in the pad_funcs array, so the first call is the only practical impact of this bug.
Change-Id: I9c44f09b3cdadbbf039b95efca7144f213672092
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
---
M src/soc/mediatek/mt8188/spi.c
1 file changed, 1 insertion(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/50/84950/1
diff --git a/src/soc/mediatek/mt8188/spi.c b/src/soc/mediatek/mt8188/spi.c index 994663d..66fbf0f 100644 --- a/src/soc/mediatek/mt8188/spi.c +++ b/src/soc/mediatek/mt8188/spi.c @@ -114,7 +114,7 @@
ptr = pad_funcs[bus];
- for (unsigned int i = 0; i < SPI_BUS_NUMBER; i++) + for (unsigned int i = 0; i < ARRAY_SIZE(pad_funcs[0]); i++) gpio_set_mode(ptr[i].gpio, ptr[i].func); }
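Review bot: The context line `ptr = pad_funcs[bus];` indexes the outer dimension with `bus`, and nothing visible in this hunk bounds that index the way the inner loop is now bounded. If the function does not already validate it earlier, consider adding `assert(bus < ARRAY_SIZE(pad_funcs));` before the assignment so that both dimensions are tied to the array's declared size. Deriving the loop bound from `ARRAY_SIZE(pad_funcs[0])` rather than a literal 4 is the right choice, since it follows the declaration if the number of pads per bus ever changes. The commit message could also state in one line what function 0 selects on GPIO05, so that readers can judge the practical impact of the stray `gpio_set_mode()` call.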