From: ChiYuan Huang <[email protected]>
This potential risk could happen at regmap_raw_read or
regmap_raw_write when accessing the over-bound register address.
Below's the issue reproduce log to access over-bound register with
regmap_raw_read function.
[ 41.301385] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT)
[ 41.307296] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 41.314358] pc : i2c_smbus_xfer+0x58/0x120
[ 41.314371] lr : i2c_smbus_read_i2c_block_data+0x74/0xc0
[ 41.314376] sp : ffffffc008ceb9a0
[ 41.327261] x29: ffffffc008ceb9a0 x28: 0000000000000000 x27: ffffffc008cebb94
[ 41.334505] x26: ffffffe529116000 x25: ffffffc008ceba30 x24: 0000000000000008
[ 41.334513] x23: 0000000000000000 x22: 0000000000000001 x21: 0000000000000000
[ 41.334520] x20: 0000000000000000 x19: ffffff804e1e8010 x18: ffffffe529116538
[ 41.348994] x17: 0000000000000000 x16: ffffffe528ae11f0 x15: ffffff804e1be01e
[ 41.349002] x14: 0000000000000000 x13: ffffff804e1bd03c x12: 7220303032783020
[ 41.370710] x11: 0000000000000000 x10: 000000000000000a x9 : ffffffc008cebb60
[ 41.377953] x8 : 0000000000000000 x7 : ffffffe529116538 x6 : ffffffc008ceba30
[ 41.385196] x5 : 0000000000000008 x4 : 0000000000000000 x3 : 0000000000000001
[ 41.392436] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffff804e1e8010
[ 41.399677] Call trace:
[ 41.402153] i2c_smbus_xfer+0x58/0x120
[ 41.405956] i2c_smbus_read_i2c_block_data+0x74/0xc0
[ 41.410991] mt6370_regmap_read+0x40/0x60 [mt6370]
[ 41.415855] _regmap_raw_read+0xe4/0x278
[ 41.419834] regmap_raw_read+0xec/0x240
[ 41.423721] rg_bound_show+0xb0/0x120 [mt6370]
[ 41.428226] dev_attr_show+0x3c/0x80
[ 41.431851] sysfs_kf_seq_show+0xc4/0x150
[ 41.435916] kernfs_seq_show+0x48/0x60
[ 41.439718] seq_read_iter+0x11c/0x450
[ 41.443519] kernfs_fop_read_iter+0x124/0x1c0
[ 41.447937] vfs_read+0x1a8/0x288
[ 41.451296] ksys_read+0x74/0x100
[ 41.454654] __arm64_sys_read+0x24/0x30
[ 41.458541] invoke_syscall+0x54/0x118
[ 41.462344] el0_svc_common.constprop.4+0x94/0x128
[ 41.467202] do_el0_svc+0x3c/0xd0
[ 41.470562] el0_svc+0x20/0x60
[ 41.473658] el0t_64_sync_handler+0x94/0xb8
[ 41.477899] el0t_64_sync+0x15c/0x160
[ 41.481614] Code: 54000388 f9401262 aa1303e0 52800041 (f9400042)
[ 41.487793] ---[ end trace 0000000000000000 ]---
Fixes: b2adf788e603 ("mfd: mt6370: Add MediaTek MT6370 support")
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: ChiYuan Huang <[email protected]>
---
Hi,
The previous discussion thread can be found here.
https://lore.kernel.org/all/[email protected]/
---
drivers/mfd/mt6370.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/mfd/mt6370.c b/drivers/mfd/mt6370.c
index cf19cce..acbf960 100644
--- a/drivers/mfd/mt6370.c
+++ b/drivers/mfd/mt6370.c
@@ -190,6 +190,9 @@ static int mt6370_regmap_read(void *context, const void *reg_buf,
bank_idx = u8_buf[0];
bank_addr = u8_buf[1];
+ if (bank_idx >= MT6370_MAX_I2C)
+ return -EINVAL;
+
ret = i2c_smbus_read_i2c_block_data(info->i2c[bank_idx], bank_addr,
val_size, val_buf);
if (ret < 0)
@@ -211,6 +214,9 @@ static int mt6370_regmap_write(void *context, const void *data, size_t count)
bank_idx = u8_buf[0];
bank_addr = u8_buf[1];
+ if (bank_idx >= MT6370_MAX_I2C)
+ return -EINVAL;
+
return i2c_smbus_write_i2c_block_data(info->i2c[bank_idx], bank_addr,
len, data + MT6370_MAX_ADDRLEN);
}
--
2.7.4
On Thu, Oct 20, 2022 at 7:31 PM cy_huang <[email protected]> wrote:
>
> From: ChiYuan Huang <[email protected]>
>
> This potential risk could happen at regmap_raw_read or
> regmap_raw_write when accessing the over-bound register address.
Functions are referred to as func().
> Below's the issue reproduced log to access over-bound register with
> regmap_raw_read function.
Ditto.
> [ 41.301385] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT)
> [ 41.307296] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
Please, read Submitting Patches, and trim your commit message accordingly.
--
With Best Regards,
Andy Shevchenko