From: Lee Jones <lee@kernel.org>
To: cy_huang <u0084500@gmail.com>
Cc: matthias.bgg@gmail.com, gene_chen@richtek.com,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org, linux-kernel@vger.kernel.org,
ChiYuan Huang <cy_huang@richtek.com>,
stable@vger.kernel.org
Subject: Re: [PATCH] mfd: mt6360: add bound check in regmap read/write function
Date: Wed, 28 Sep 2022 11:30:24 +0100
Message-ID: <YzQiQIpwpd8rD2qs@google.com>
In-Reply-To: <1663143973-29254-1-git-send-email-u0084500@gmail.com>

On Wed, 14 Sep 2022, cy_huang wrote:
> From: ChiYuan Huang <cy_huang@richtek.com>
>
> Fix the potential risk for null pointer if bank index is over the maximum.
>
> Refer to the discussion list for the experiment result on mt6370.
> https://lore.kernel.org/all/20220914013345.GA5802@cyhuang-hp-elitebook-840-g3.rt/
> If the bound is not checked, the same issue exists on mt6360.
>
> Fixes: 3b0850440a06c (mfd: mt6360: Merge different sub-devices I2C read/write)
> Cc: stable@vger.kernel.org
> Signed-off-by: ChiYuan Huang <cy_huang@richtek.com>
> ---
> drivers/mfd/mt6360-core.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/mfd/mt6360-core.c b/drivers/mfd/mt6360-core.c
> index 6eaa677..d375333 100644
> --- a/drivers/mfd/mt6360-core.c
> +++ b/drivers/mfd/mt6360-core.c
> @@ -410,6 +410,9 @@ static int mt6360_regmap_read(void *context, const void *reg, size_t reg_size,
> u8 crc;
> int ret;
>
> + if (bank >= MT6360_SLAVE_MAX)
> + return -EINVAL;
> +
It's too late to check bank's value here, we have already used it to
index into an array by this point. Please fix that.
> if (bank == MT6360_SLAVE_PMIC || bank == MT6360_SLAVE_LDO) {
> crc_needed = true;
> ret = mt6360_xlate_pmicldo_addr(®_addr, val_size);
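Review bot: The `bank >= MT6360_SLAVE_MAX` test is placed after the declaration block (`u8 crc; int ret;`), so it only protects the statements that follow it; per the reply above, bank has already been used as an array index by this point. Move the range check ahead of the first use of bank, for example by declaring the indexed pointer without an initializer and assigning it only after the check has passed, so that an out-of-range bank returns -EINVAL before any lookup happens.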
> @@ -460,6 +463,9 @@ static int mt6360_regmap_write(void *context, const void *val, size_t val_size)
> int write_size = val_size - MT6360_REGMAP_REG_BYTE_SIZE;
> int ret;
>
> + if (bank >= MT6360_SLAVE_MAX)
> + return -EINVAL;
> +
> if (bank == MT6360_SLAVE_PMIC || bank == MT6360_SLAVE_LDO) {
> crc_needed = true;
> ret = mt6360_xlate_pmicldo_addr(®_addr, val_size - MT6360_REGMAP_REG_BYTE_SIZE);
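Review bot: The same ordering concern applies in mt6360_regmap_write: the check is added after the declarations ending in `int write_size = val_size - MT6360_REGMAP_REG_BYTE_SIZE;` and `int ret;`, so any initializer above it that indexes by bank still runs first. Since the identical two-line test now appears in both the read and the write path, consider one small helper that validates bank and returns the indexed entry, called before anything else uses bank. Separately, write_size is an int computed from a size_t with no visible check that val_size is at least MT6360_REGMAP_REG_BYTE_SIZE; if the caller does not guarantee that, it deserves a guard as well.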
--
Lee Jones [李琼斯]