From: Sean Anderson <sean.anderson@linux.dev>
To: Jonathan Cameron <jic23@kernel.org>,
"O'Griofa, Conall" <conall.ogriofa@amd.com>
Cc: linux-iio@vger.kernel.org,
Jonathan Cameron <Jonathan.Cameron@huawei.com>
Subject: Re: iio: xilinx-ams: shift-out-of-bounds in ams_enable_channel_sequence
Date: Mon, 11 Mar 2024 12:30:48 -0400
Message-ID: <c2e912df-a84b-4cb7-9221-d29cae182aed@linux.dev>
In-Reply-To: <0eb0b1b0-179b-424d-b0e8-94343e0344d1@linux.dev>

On 3/11/24 12:11, Sean Anderson wrote:
> +CC Conall
>
> On 3/9/24 14:06, Jonathan Cameron wrote:
>> On Tue, 5 Mar 2024 12:30:53 -0500
>> Sean Anderson <sean.anderson@linux.dev> wrote:
>>
>>> Hi,
>>>
>>> When enabling UBSAN on a ZynqMP Ultrascale+, I see the following error during boot:
>>>
>>> [ 1.447628] ================================================================================
>>> [ 1.447832] UBSAN: shift-out-of-bounds in ../drivers/iio/adc/xilinx-ams.c:426:16
>>> [ 1.448019] shift exponent 66 is too large for 64-bit type 'long long unsigned int'
>>> [ 1.448211] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 6.6.20+ #90
>>> [ 1.448368] Hardware name: xlnx,zynqmp (DT)
>>> [ 1.448475] Call trace:
>>> [ 1.448547] dump_backtrace+0x9c/0x11c
>>> [ 1.448655] show_stack+0x18/0x24
>>> [ 1.448749] dump_stack_lvl+0xac/0xd4
>>> [ 1.448853] dump_stack+0x18/0x24
>>> [ 1.448947] ubsan_epilogue+0x10/0x44
>>> [ 1.449051] __ubsan_handle_shift_out_of_bounds+0x98/0x134
>>> [ 1.449191] ams_enable_channel_sequence+0x22c/0x23c
>>> [ 1.449324] ams_probe+0x570/0x6d4
>>> [ 1.449423] platform_probe+0x68/0x108
>>> [ 1.449530] really_probe+0x158/0x3b0
>>> [ 1.449632] __driver_probe_device+0x88/0x1a0
>>> [ 1.449747] driver_probe_device+0x3c/0x138
>>> [ 1.449859] __driver_attach+0xe4/0x1bc
>>> [ 1.449964] bus_for_each_dev+0x78/0xe0
>>> [ 1.450068] driver_attach+0x24/0x30
>>> [ 1.450167] bus_add_driver+0x110/0x240
>>> [ 1.450271] driver_register+0x60/0x128
>>> [ 1.450376] __platform_driver_register+0x28/0x34
>>> [ 1.450500] ams_driver_init+0x1c/0x28
>>> [ 1.450609] do_one_initcall+0x78/0x2c8
>>> [ 1.450714] kernel_init_freeable+0x2f8/0x59c
>>> [ 1.450831] kernel_init+0x30/0x150
>>> [ 1.450932] ret_from_fork+0x10/0x20
>>> [ 1.451073] ================================================================================
>>>
>>> When applying the following patch:
>>>
>> That channel definition looks suspicious. Anyone shed light on what the channel scan index layout
>> is supposed to be?
>> There seem to be substantial gaps in used numbers.
>> If I read it right the offset to jump over the AUX_CHAN is too large (22 - should be 16) but
>> that still ends up with us going above the range of supported scan indexes.
>>
>> The PL Sequence mask used is GENMASK_ULL(59, 22)
>>
>> Whilst the bits are set, nothing actually reads them that I can see.
>> So why are they set and how are those channels supposed to work?
>>
>> So agreed buggy; no idea what it is supposed to do!
>
> OK, so there are three groups of channels in this device, as set up by
> ams_init_module:
>
> - CTRL channels (xlnx,zynqmp-ams)
> - PS channels (xlnx,zynqmp-ams-ps)
> - PL channels (xlnx,zynqmp-ams-pl)
>
> According to the comment in ams_enable_channel_sequence,
>
> 	/*
> 	 * Enable channel sequence. First 22 bits of scan_mask represent
> 	 * PS channels, and next remaining bits represent PL channels.
> 	 */
>
> and indeed, the following code only touches the PS and PL registers. So
> I think we just need to add a check for
> chan->scan_index >= AMS_CTRL_SEQ_BASE, like in ams_read_raw.

https://lore.kernel.org/linux-iio/20240311162800.11074-1-sean.anderson@linux.dev/

--Sean
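
The guard discussed in this message, as an added user-space example (not code from the xilinx-ams driver or from the linked patch): scan indexes at or above the CTRL base are skipped before the 64-bit shift, and the result is split with the PS ("first 22 bits") and PL (GENMASK_ULL(59, 22)) masks quoted in the thread. All `ex_`/`EX_` names are hypothetical, and `EX_CTRL_SEQ_BASE` is a constructed value, since the driver's AMS_CTRL_SEQ_BASE is not quoted here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for AMS_CTRL_SEQ_BASE; the real value is not in this thread. */
#define EX_CTRL_SEQ_BASE 64
#define EX_GENMASK_ULL(h, l) ((~0ULL >> (63 - (h))) & (~0ULL << (l)))
#define EX_PS_MASK EX_GENMASK_ULL(21, 0)   /* "first 22 bits" per the quoted comment */
#define EX_PL_MASK EX_GENMASK_ULL(59, 22)  /* PL sequence mask quoted in the thread */

struct ex_seq {
	uint64_t ps;       /* mask bits that fall in the PS range */
	uint64_t pl;       /* mask bits that fall in the PL range (unshifted) */
	unsigned skipped;  /* channels left out of the mask */
};

/*
 * Build the sequencer mask from per-channel scan indexes. Shifting a
 * 64-bit value by 64 or more is undefined behaviour in C (the UBSAN
 * report above shows exponent 66), so indexes at or above the CTRL
 * base are filtered out before they reach the shift.
 */
static struct ex_seq ex_build_seq(const int *scan_index, size_t n)
{
	struct ex_seq s = { 0, 0, 0 };
	uint64_t mask = 0;

	for (size_t i = 0; i < n; i++) {
		if (scan_index[i] < 0 || scan_index[i] >= EX_CTRL_SEQ_BASE) {
			s.skipped++;
			continue;
		}
		mask |= 1ULL << scan_index[i];
	}
	s.ps = mask & EX_PS_MASK;
	s.pl = mask & EX_PL_MASK;
	return s;
}

int main(void)
{
	/* Constructed indexes: two PS, one PL, and the 66 from the UBSAN report. */
	const int idx[] = { 0, 5, 30, 66 };
	struct ex_seq s = ex_build_seq(idx, sizeof(idx) / sizeof(idx[0]));

	printf("ps=%#llx pl=%#llx skipped=%u\n", (unsigned long long)s.ps,
	       (unsigned long long)s.pl, s.skipped);
	return 0;
}
```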