[PATCH] Input: ads7846 - Expand xfer array to match usage

linux-input.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] Input: ads7846 - Expand xfer array to match usage
@ 2024-11-17  3:34 Kees Cook
  2024-11-17 22:06 ` Marek Vasut
  0 siblings, 1 reply; 4+ messages in thread
From: Kees Cook @ 2024-11-17  3:34 UTC (permalink / raw)
  To: Dmitry Torokhov
  Cc: Kees Cook, Marek Vasut, Andy Shevchenko, Linus Walleij,
	Arnd Bergmann, Luca Ellero, linux-input, Alexander Stein, Al Viro,
	linux-kernel, linux-hardening

Commit 781a07da9bb9 ("Input: ads7846 - add dummy command register
clearing cycle") added commands to struct ser_req::xfer without
expanding it to hold them. Expand the array to the correct size.

../drivers/input/touchscreen/ads7846.c: In function 'ads7846_read12_ser':
../drivers/input/touchscreen/ads7846.c:416:18: error: array subscript 7 is above array bounds of 'struct spi_transfer[6]' [-Werror=array-bounds=]
  416 |         req->xfer[7].rx_buf = &req->scratch;
      |         ~~~~~~~~~^~~
../drivers/input/touchscreen/ads7846.c:334:33: note: while referencing 'xfer'
  334 |         struct spi_transfer     xfer[6];
      |                                 ^~~~

Fixes: 781a07da9bb9 ("Input: ads7846 - add dummy command register clearing cycle")
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Linus Walleij <linus.walleij@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Luca Ellero <l.ellero@asem.it>
Cc: linux-input@vger.kernel.org
---
 drivers/input/touchscreen/ads7846.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c
index 75e5b2e4368d..066dc04003fa 100644
--- a/drivers/input/touchscreen/ads7846.c
+++ b/drivers/input/touchscreen/ads7846.c
@@ -331,7 +331,7 @@ struct ser_req {
 	u8			ref_off;
 	u16			scratch;
 	struct spi_message	msg;
-	struct spi_transfer	xfer[6];
+	struct spi_transfer	xfer[8];
 	/*
 	 * DMA (thus cache coherency maintenance) requires the
 	 * transfer buffers to live in their own cache lines.
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] Input: ads7846 - Expand xfer array to match usage
  2024-11-17  3:34 [PATCH] Input: ads7846 - Expand xfer array to match usage Kees Cook
@ 2024-11-17 22:06 ` Marek Vasut
  2024-11-18  4:39   ` Kees Cook
  0 siblings, 1 reply; 4+ messages in thread
From: Marek Vasut @ 2024-11-17 22:06 UTC (permalink / raw)
  To: Kees Cook, Dmitry Torokhov
  Cc: Andy Shevchenko, Linus Walleij, Arnd Bergmann, Luca Ellero,
	linux-input, Alexander Stein, Al Viro, linux-kernel,
	linux-hardening

On 11/17/24 4:34 AM, Kees Cook wrote:
> Commit 781a07da9bb9 ("Input: ads7846 - add dummy command register
> clearing cycle") added commands to struct ser_req::xfer without
> expanding it to hold them. Expand the array to the correct size.
> 
> ../drivers/input/touchscreen/ads7846.c: In function 'ads7846_read12_ser':
> ../drivers/input/touchscreen/ads7846.c:416:18: error: array subscript 7 is above array bounds of 'struct spi_transfer[6]' [-Werror=array-bounds=]
>    416 |         req->xfer[7].rx_buf = &req->scratch;
>        |         ~~~~~~~~~^~~
> ../drivers/input/touchscreen/ads7846.c:334:33: note: while referencing 'xfer'
>    334 |         struct spi_transfer     xfer[6];
>        |                                 ^~~~
> 
> Fixes: 781a07da9bb9 ("Input: ads7846 - add dummy command register clearing cycle")
> Signed-off-by: Kees Cook <kees@kernel.org>
I think Nathan already sent a fix too.

Thanks !

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] Input: ads7846 - Expand xfer array to match usage
  2024-11-17 22:06 ` Marek Vasut
@ 2024-11-18  4:39   ` Kees Cook
  2024-11-18  4:57     ` Dmitry Torokhov
  0 siblings, 1 reply; 4+ messages in thread
From: Kees Cook @ 2024-11-18  4:39 UTC (permalink / raw)
  To: Marek Vasut
  Cc: Dmitry Torokhov, Andy Shevchenko, Linus Walleij, Arnd Bergmann,
	Luca Ellero, linux-input, Alexander Stein, Al Viro, linux-kernel,
	linux-hardening

On Sun, Nov 17, 2024 at 11:06:27PM +0100, Marek Vasut wrote:
> On 11/17/24 4:34 AM, Kees Cook wrote:
> > Commit 781a07da9bb9 ("Input: ads7846 - add dummy command register
> > clearing cycle") added commands to struct ser_req::xfer without
> > expanding it to hold them. Expand the array to the correct size.
> > 
> > ../drivers/input/touchscreen/ads7846.c: In function 'ads7846_read12_ser':
> > ../drivers/input/touchscreen/ads7846.c:416:18: error: array subscript 7 is above array bounds of 'struct spi_transfer[6]' [-Werror=array-bounds=]
> >    416 |         req->xfer[7].rx_buf = &req->scratch;
> >        |         ~~~~~~~~~^~~
> > ../drivers/input/touchscreen/ads7846.c:334:33: note: while referencing 'xfer'
> >    334 |         struct spi_transfer     xfer[6];
> >        |                                 ^~~~
> > 
> > Fixes: 781a07da9bb9 ("Input: ads7846 - add dummy command register clearing cycle")
> > Signed-off-by: Kees Cook <kees@kernel.org>
> I think Nathan already sent a fix too.

Oh excellent! I did a search in lore before sending it but must have
failed to find it. Do you have a link to it?

-Kees

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] Input: ads7846 - Expand xfer array to match usage
  2024-11-18  4:39   ` Kees Cook
@ 2024-11-18  4:57     ` Dmitry Torokhov
  0 siblings, 0 replies; 4+ messages in thread
From: Dmitry Torokhov @ 2024-11-18  4:57 UTC (permalink / raw)
  To: Kees Cook
  Cc: Marek Vasut, Andy Shevchenko, Linus Walleij, Arnd Bergmann,
	Luca Ellero, linux-input, Alexander Stein, Al Viro, linux-kernel,
	linux-hardening

On Sun, Nov 17, 2024 at 08:39:01PM -0800, Kees Cook wrote:
> On Sun, Nov 17, 2024 at 11:06:27PM +0100, Marek Vasut wrote:
> > On 11/17/24 4:34 AM, Kees Cook wrote:
> > > Commit 781a07da9bb9 ("Input: ads7846 - add dummy command register
> > > clearing cycle") added commands to struct ser_req::xfer without
> > > expanding it to hold them. Expand the array to the correct size.
> > > 
> > > ../drivers/input/touchscreen/ads7846.c: In function 'ads7846_read12_ser':
> > > ../drivers/input/touchscreen/ads7846.c:416:18: error: array subscript 7 is above array bounds of 'struct spi_transfer[6]' [-Werror=array-bounds=]
> > >    416 |         req->xfer[7].rx_buf = &req->scratch;
> > >        |         ~~~~~~~~~^~~
> > > ../drivers/input/touchscreen/ads7846.c:334:33: note: while referencing 'xfer'
> > >    334 |         struct spi_transfer     xfer[6];
> > >        |                                 ^~~~
> > > 
> > > Fixes: 781a07da9bb9 ("Input: ads7846 - add dummy command register clearing cycle")
> > > Signed-off-by: Kees Cook <kees@kernel.org>
> > I think Nathan already sent a fix too.
> 
> Oh excellent! I did a search in lore before sending it but must have
> failed to find it. Do you have a link to it?

I am pretty sure I applied the fix already, but I might have forgotten
to push it out. My workstation is offline at the moment, when it comes
back online I'll make sure the fix is there.

Thanks.

-- 
Dmitry

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2024-11-18  4:57 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-11-17  3:34 [PATCH] Input: ads7846 - Expand xfer array to match usage Kees Cook
2024-11-17 22:06 ` Marek Vasut
2024-11-18  4:39   ` Kees Cook
2024-11-18  4:57     ` Dmitry Torokhov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).