From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 99825C41535 for ; Sun, 12 Nov 2023 13:23:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231409AbjKLNXc (ORCPT ); Sun, 12 Nov 2023 08:23:32 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40526 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229441AbjKLNXb (ORCPT ); Sun, 12 Nov 2023 08:23:31 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ED1082702; Sun, 12 Nov 2023 05:23:27 -0800 (PST) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5E8EDC433C8; Sun, 12 Nov 2023 13:23:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1699795407; bh=KIXhWrqL7vDKt6zj9PJHDRT9sxGHrsKjJWVor0Hm6qc=; h=From:To:Cc:Subject:Date:From; b=m55gmcU0yOatShkB1n6w3f0JPVSxFamZYKA+t2mtyhfyiXx5aONEapszPtKxKx4bk R+o/6YnWISaWWi29Pu/uqltNTzFkMOXiqDMjCNKAPn5CFO7ziNGNJ805pPizEbNPto +WigjWwa+ljFBYa1iAM8LqiXIornDU3rWZxuuOB6PjTzyk4vMQBiNuD3CeET4bhXiy CFDOZs3K7OG9/bDUAxLlmZWwH8601GYMHGUbopoKQDv5QxKx4RFDUci001LrJakKTk wYqTMmc+SZCd6ySZEU0TB1e3znkQyMFM79wo5jgO81VWnnzXQcjrOQfILLEI/BkL99 pgDtdXWOPIDew== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Jarkko Nikula , Alexandre Belloni , Sasha Levin , keescook@chromium.org, gustavoars@kernel.org, linux-i3c@lists.infradead.org Subject: [PATCH AUTOSEL 6.6 1/7] i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler Date: Sun, 12 Nov 2023 08:23:10 -0500 Message-ID: <20231112132323.174148-1-sashal@kernel.org> X-Mailer: git-send-email 2.42.0 MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.6.1 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jarkko Nikula [ Upstream commit 45a832f989e520095429589d5b01b0c65da9b574 ] Do not loop over ring headers in hci_dma_irq_handler() that are not allocated and enabled in hci_dma_init(). Otherwise out of bounds access will occur from rings->headers[i] access when i >= number of allocated ring headers. Signed-off-by: Jarkko Nikula Link: https://lore.kernel.org/r/20230921055704.1087277-5-jarkko.nikula@linux.intel.com Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin --- drivers/i3c/master/mipi-i3c-hci/dma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c index 2990ac9eaade7..71b5dbe45c45c 100644 --- a/drivers/i3c/master/mipi-i3c-hci/dma.c +++ b/drivers/i3c/master/mipi-i3c-hci/dma.c @@ -734,7 +734,7 @@ static bool hci_dma_irq_handler(struct i3c_hci *hci, unsigned int mask) unsigned int i; bool handled = false; - for (i = 0; mask && i < 8; i++) { + for (i = 0; mask && i < rings->total; i++) { struct hci_rh_data *rh; u32 status; -- 2.42.0