1. Patchew
  2. linux
  3. [PATCH 0/3] mailbox: zynqmp-ipi: Improve resource cleanup on driver unbind
  4. View patch

[PATCH 2/3] mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop

Harini T posted 3 patches 1 month, 1 week ago
There is a newer version of this series
[PATCH 2/3] mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop
Posted by Harini T 1 month, 1 week ago 
Fix mailbox cleanup loop that accesses array out-of-bounds by starting
at num_boxes instead of numb_boxes-1 for 0-indexed arrays.

Signed-off-by: Harini T <harini.t@amd.com>
---
 drivers/mailbox/zynqmp-ipi-mailbox.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c
index bdcc6937ee30..3b806d1f89bb 100644
--- a/drivers/mailbox/zynqmp-ipi-mailbox.c
+++ b/drivers/mailbox/zynqmp-ipi-mailbox.c
@@ -891,7 +891,7 @@ static void zynqmp_ipi_free_mboxes(struct zynqmp_ipi_pdata *pdata)
 		xlnx_mbox_cleanup_sgi(pdata);
 
 	i = pdata->num_mboxes;
-	for (; i >= 0; i--) {
+	for (i--; i >= 0; i--) {
 		ipi_mbox = &pdata->ipi_mboxes[i];
 		if (device_is_registered(&ipi_mbox->dev))
 			device_unregister(&ipi_mbox->dev);
-- 
2.43.0
Re: [PATCH 2/3] mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop
Posted by Peng Fan 2 weeks, 2 days ago 
On Fri, Aug 22, 2025 at 10:27:31AM +0530, Harini T wrote:
>Fix mailbox cleanup loop that accesses array out-of-bounds by starting
>at num_boxes instead of numb_boxes-1 for 0-indexed arrays.
>

Fix tag?

>Signed-off-by: Harini T <harini.t@amd.com>
>---
> drivers/mailbox/zynqmp-ipi-mailbox.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c
>index bdcc6937ee30..3b806d1f89bb 100644
>--- a/drivers/mailbox/zynqmp-ipi-mailbox.c
>+++ b/drivers/mailbox/zynqmp-ipi-mailbox.c
>@@ -891,7 +891,7 @@ static void zynqmp_ipi_free_mboxes(struct zynqmp_ipi_pdata *pdata)
> 		xlnx_mbox_cleanup_sgi(pdata);
> 
> 	i = pdata->num_mboxes;
>-	for (; i >= 0; i--) {
>+	for (i--; i >= 0; i--) {

I would avoid i-- as the 1st param in for loop.

i = pdata->num_mboxes - 1;
or
for (i = 0; i < pdata->num_mboxes; i++)

Thanks,
Peng

> 		ipi_mbox = &pdata->ipi_mboxes[i];
> 		if (device_is_registered(&ipi_mbox->dev))
> 			device_unregister(&ipi_mbox->dev);
>-- 
>2.43.0
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.