Yu-Ping Wu has submitted this change. ( https://review.coreboot.org/c/coreboot/+/84950?usp=email )

Change subject: soc/mediatek/mt8188/spi: Fix out-of-bound array access for pad_funcs ......................................................................

soc/mediatek/mt8188/spi: Fix out-of-bound array access for pad_funcs

The size of the inner array of the 2-dimensional array pad_funcs should be 4 instead of SPI_BUS_NUMBER (6). This bug leads to two extra gpio_set_mode() calls with unexpected GPIOs.

Inspecting spi.o, the data immediately after the .rodata.pad_funcs section is .rodata.spi_ctrlr_bus_map, with the following data:

00000428 00 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 00000438 00 00 00 00 00 00 00 00 ...

This is equivalent to the following calls:

gpio_set_mode(GPIO(GPIO05), 0); gpio_set_mode(GPIO(GPIO00), 0);

The second call is already included in the pad_funcs array, so the first call is the only practical impact of this bug.

Change-Id: I9c44f09b3cdadbbf039b95efca7144f213672092 Signed-off-by: Yu-Ping Wu yupingso@chromium.org Reviewed-on: https://review.coreboot.org/c/coreboot/+/84950 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Yidi Lin yidilin@google.com Reviewed-by: Hung-Te Lin hungte@chromium.org Reviewed-by: Paul Menzel paulepanter@mailbox.org --- M src/soc/mediatek/mt8188/spi.c 1 file changed, 1 insertion(+), 1 deletion(-)

Approvals: Paul Menzel: Looks good to me, but someone else must approve Hung-Te Lin: Looks good to me, approved Yidi Lin: Looks good to me, approved build bot (Jenkins): Verified

diff --git a/src/soc/mediatek/mt8188/spi.c b/src/soc/mediatek/mt8188/spi.c index 994663d..66fbf0f 100644 --- a/src/soc/mediatek/mt8188/spi.c +++ b/src/soc/mediatek/mt8188/spi.c @@ -114,7 +114,7 @@

ptr = pad_funcs[bus];

- for (unsigned int i = 0; i < SPI_BUS_NUMBER; i++) + for (unsigned int i = 0; i < ARRAY_SIZE(pad_funcs[0]); i++) gpio_set_mode(ptr[i].gpio, ptr[i].func); }