Received: by 10.223.185.116 with SMTP id b49csp5458644wrg;
        Wed, 7 Mar 2018 12:06:51 -0800 (PST)
X-Google-Smtp-Source: AG47ELtmUyak1t8V/dcNcRP9m64/kjubdPmkCIReiRuj5u0EyZmHrzSXDGD77x/WcZbBIwFw81B9
X-Received: by 10.99.176.68 with SMTP id z4mr18624721pgo.74.1520453211820;
        Wed, 07 Mar 2018 12:06:51 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520453211; cv=none;
        d=google.com; s=arc-20160816;
        b=AkPB/YwtDPwLaTISU8Lb6YyeN0yrBs4TIZruVvvJRyteMptutqZ/la3+BLDhH2Rk+I
         QUIkFmzS9pzkdsr7y2KI17krD0Q902iedfHUlx0ECKmh8pGSfKFRZ/JUo85abIHwJJCU
         UozDa79wzDAr/mffA0xZzscr5nX6TjQPz5qzYxyKI5h7QB+CzgPKQFRH1HyFv9oVlnVR
         s+8kEL5d03SUU/4lVONF9y9/EcUmfR39g5Ewvm2GNCiAqPQ3zfwIdZ9sC6V28BtC/HgT
         8vjZSNYCudeuHatMl9nC3o53FPdguPo/jR2PZ0aQ8+DfZJzcJsGaQSgfZC49KJr8KfEC
         27iw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=qEZsKuboQtkXW+kbTKWIde9OwqlLojrYZdjUucCZ7f4=;
        b=uIKWM8YeeQOGozZgpKZu0UfWLxYXp/HfZ6H8Us7oZbjgKAOLv0/+2/Py0oR0eKJ5qf
         btKdrR/z/Ip8k3g/ScDRbtYdNoCAXCUYDhM8HO/ipFql1RVRCuxKtP63f9k6HYYQHaaP
         UjhGu/9NYsDBqYuJg5w8TZuG6PqSVlYuCjYaqjdzwsjpBsD72dD/QX1GcCr52iaRndYv
         tP62ksof/KKbEpun9puil5SzDLhZGYnfuRJjc9oHJk6/3A1fzJUaTNRLCuBGxvqYA9PY
         sQjEDIXRdRPZZbFVTM3M4bmkpIiwipcbv7a4aCmI6vCqwaoANQfoY2VSu68GxT1li1L9
         z2gA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p3si14142838pfh.84.2018.03.07.12.06.37;
        Wed, 07 Mar 2018 12:06:51 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S965531AbeCGUFr (ORCPT <rfc822;ttoukan.linux@gmail.com>
        + 99 others); Wed, 7 Mar 2018 15:05:47 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:44504 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S965482AbeCGTqM (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 7 Mar 2018 14:46:12 -0500
Received: from localhost (unknown [185.236.200.248])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 1BE851058;
        Wed,  7 Mar 2018 19:46:12 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Geert Uytterhoeven <geert+renesas@glider.be>,
        Shawn Lin <shawn.lin@rock-chips.com>,
        Ulf Hansson <ulf.hansson@linaro.org>
Subject: [PATCH 4.14 019/110] mmc: dw_mmc: Fix out-of-bounds access for slots caps
Date:   Wed,  7 Mar 2018 11:38:02 -0800
Message-Id: <20180307191042.182346451@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180307191039.748351103@linuxfoundation.org>
References: <20180307191039.748351103@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shawn Lin <shawn.lin@rock-chips.com>

commit 0d84b9e5631d923744767dc6608672df906dd092 upstream.

Add num_caps field for dw_mci_drv_data to validate the controller
id from DT alias and non-DT ways.

Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Fixes: 800d78bfccb3 ("mmc: dw_mmc: add support for implementation specific callbacks")
Cc: <stable@vger.kernel.org>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/dw_mmc-exynos.c   |    1 +
 drivers/mmc/host/dw_mmc-k3.c       |    1 +
 drivers/mmc/host/dw_mmc-rockchip.c |    1 +
 drivers/mmc/host/dw_mmc-zx.c       |    1 +
 drivers/mmc/host/dw_mmc.c          |    9 ++++++++-
 drivers/mmc/host/dw_mmc.h          |    2 ++
 6 files changed, 14 insertions(+), 1 deletion(-)

--- a/drivers/mmc/host/dw_mmc-exynos.c
+++ b/drivers/mmc/host/dw_mmc-exynos.c
@@ -487,6 +487,7 @@ static unsigned long exynos_dwmmc_caps[4
 
 static const struct dw_mci_drv_data exynos_drv_data = {
 	.caps			= exynos_dwmmc_caps,
+	.num_caps		= ARRAY_SIZE(exynos_dwmmc_caps),
 	.init			= dw_mci_exynos_priv_init,
 	.set_ios		= dw_mci_exynos_set_ios,
 	.parse_dt		= dw_mci_exynos_parse_dt,
--- a/drivers/mmc/host/dw_mmc-k3.c
+++ b/drivers/mmc/host/dw_mmc-k3.c
@@ -210,6 +210,7 @@ static int dw_mci_hi6220_execute_tuning(
 
 static const struct dw_mci_drv_data hi6220_data = {
 	.caps			= dw_mci_hi6220_caps,
+	.num_caps		= ARRAY_SIZE(dw_mci_hi6220_caps),
 	.switch_voltage		= dw_mci_hi6220_switch_voltage,
 	.set_ios		= dw_mci_hi6220_set_ios,
 	.parse_dt		= dw_mci_hi6220_parse_dt,
--- a/drivers/mmc/host/dw_mmc-rockchip.c
+++ b/drivers/mmc/host/dw_mmc-rockchip.c
@@ -319,6 +319,7 @@ static const struct dw_mci_drv_data rk29
 
 static const struct dw_mci_drv_data rk3288_drv_data = {
 	.caps			= dw_mci_rk3288_dwmmc_caps,
+	.num_caps		= ARRAY_SIZE(dw_mci_rk3288_dwmmc_caps),
 	.set_ios		= dw_mci_rk3288_set_ios,
 	.execute_tuning		= dw_mci_rk3288_execute_tuning,
 	.parse_dt		= dw_mci_rk3288_parse_dt,
--- a/drivers/mmc/host/dw_mmc-zx.c
+++ b/drivers/mmc/host/dw_mmc-zx.c
@@ -195,6 +195,7 @@ static unsigned long zx_dwmmc_caps[3] =
 
 static const struct dw_mci_drv_data zx_drv_data = {
 	.caps			= zx_dwmmc_caps,
+	.num_caps		= ARRAY_SIZE(zx_dwmmc_caps),
 	.execute_tuning		= dw_mci_zx_execute_tuning,
 	.prepare_hs400_tuning	= dw_mci_zx_prepare_hs400_tuning,
 	.parse_dt               = dw_mci_zx_parse_dt,
--- a/drivers/mmc/host/dw_mmc.c
+++ b/drivers/mmc/host/dw_mmc.c
@@ -2788,8 +2788,15 @@ static int dw_mci_init_slot_caps(struct
 	} else {
 		ctrl_id = to_platform_device(host->dev)->id;
 	}
-	if (drv_data && drv_data->caps)
+
+	if (drv_data && drv_data->caps) {
+		if (ctrl_id >= drv_data->num_caps) {
+			dev_err(host->dev, "invalid controller id %d\n",
+				ctrl_id);
+			return -EINVAL;
+		}
 		mmc->caps |= drv_data->caps[ctrl_id];
+	}
 
 	if (host->pdata->caps2)
 		mmc->caps2 = host->pdata->caps2;
--- a/drivers/mmc/host/dw_mmc.h
+++ b/drivers/mmc/host/dw_mmc.h
@@ -542,6 +542,7 @@ struct dw_mci_slot {
 /**
  * dw_mci driver data - dw-mshc implementation specific driver data.
  * @caps: mmc subsystem specified capabilities of the controller(s).
+ * @num_caps: number of capabilities specified by @caps.
  * @init: early implementation specific initialization.
  * @set_ios: handle bus specific extensions.
  * @parse_dt: parse implementation specific device tree properties.
@@ -553,6 +554,7 @@ struct dw_mci_slot {
  */
 struct dw_mci_drv_data {
 	unsigned long	*caps;
+	u32		num_caps;
 	int		(*init)(struct dw_mci *host);
 	void		(*set_ios)(struct dw_mci *host, struct mmc_ios *ios);
 	int		(*parse_dt)(struct dw_mci *host);