From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jarkko Nikula <jarkko.nikula@linux.intel.com>,
Alexandre Belloni <alexandre.belloni@bootlin.com>,
Sasha Levin <sashal@kernel.org>,
gustavoars@kernel.org, keescook@chromium.org,
linux-i3c@lists.infradead.org
Subject: [PATCH AUTOSEL 6.5 1/7] i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler
Date: Sun, 12 Nov 2023 08:23:33 -0500 [thread overview]
Message-ID: <20231112132347.174334-1-sashal@kernel.org> (raw)
From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
[ Upstream commit 45a832f989e520095429589d5b01b0c65da9b574 ]
Do not loop over ring headers in hci_dma_irq_handler() that are not
allocated and enabled in hci_dma_init(). Otherwise out of bounds access
will occur from rings->headers[i] access when i >= number of allocated
ring headers.
Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Link: https://lore.kernel.org/r/20230921055704.1087277-5-jarkko.nikula@linux.intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c
index 2990ac9eaade7..71b5dbe45c45c 100644
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -734,7 +734,7 @@ static bool hci_dma_irq_handler(struct i3c_hci *hci, unsigned int mask)
unsigned int i;
bool handled = false;
- for (i = 0; mask && i < 8; i++) {
+ for (i = 0; mask && i < rings->total; i++) {
struct hci_rh_data *rh;
u32 status;
--
2.42.0
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jarkko Nikula <jarkko.nikula@linux.intel.com>,
Alexandre Belloni <alexandre.belloni@bootlin.com>,
Sasha Levin <sashal@kernel.org>,
gustavoars@kernel.org, keescook@chromium.org,
linux-i3c@lists.infradead.org
Subject: [PATCH AUTOSEL 6.5 1/7] i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler
Date: Sun, 12 Nov 2023 08:23:33 -0500 [thread overview]
Message-ID: <20231112132347.174334-1-sashal@kernel.org> (raw)
From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
[ Upstream commit 45a832f989e520095429589d5b01b0c65da9b574 ]
Do not loop over ring headers in hci_dma_irq_handler() that are not
allocated and enabled in hci_dma_init(). Otherwise out of bounds access
will occur from rings->headers[i] access when i >= number of allocated
ring headers.
Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Link: https://lore.kernel.org/r/20230921055704.1087277-5-jarkko.nikula@linux.intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/mipi-i3c-hci/dma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c
index 2990ac9eaade7..71b5dbe45c45c 100644
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -734,7 +734,7 @@ static bool hci_dma_irq_handler(struct i3c_hci *hci, unsigned int mask)
unsigned int i;
bool handled = false;
- for (i = 0; mask && i < 8; i++) {
+ for (i = 0; mask && i < rings->total; i++) {
struct hci_rh_data *rh;
u32 status;
--
2.42.0
next reply other threads:[~2023-11-13 9:14 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-12 13:23 Sasha Levin [this message]
2023-11-12 13:23 ` [PATCH AUTOSEL 6.5 1/7] i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler Sasha Levin
2023-11-12 13:23 ` [PATCH AUTOSEL 6.5 2/7] i2c: i801: Add support for Intel Birch Stream SoC Sasha Levin
2023-11-12 13:23 ` [PATCH AUTOSEL 6.5 3/7] i2c: fix memleak in i2c_new_client_device() Sasha Levin
2023-11-12 13:23 ` [PATCH AUTOSEL 6.5 4/7] i2c: sun6i-p2wi: Prevent potential division by zero Sasha Levin
2023-11-12 13:23 ` Sasha Levin
2023-11-12 13:23 ` [PATCH AUTOSEL 6.5 5/7] virtio-blk: fix implicit overflow on virtio_max_dma_size Sasha Levin
2023-11-12 13:23 ` [PATCH AUTOSEL 6.5 6/7] vhost-vdpa: clean iotlb map during reset for older userspace Sasha Levin
2023-11-12 13:23 ` [PATCH AUTOSEL 6.5 7/7] i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data Sasha Levin
2023-11-12 13:23 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231112132347.174334-1-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=alexandre.belloni@bootlin.com \
--cc=gustavoars@kernel.org \
--cc=jarkko.nikula@linux.intel.com \
--cc=keescook@chromium.org \
--cc=linux-i3c@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.