Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp834713pxu;
        Mon, 23 Nov 2020 05:29:43 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxkhqVj7G5pUpsvK/42ZQVoKD75kS10c8hbflxlHq0hpcVSTtBPg6ywOnsPngFiXn1pQ3M3
X-Received: by 2002:a17:906:8415:: with SMTP id n21mr12721323ejx.399.1606138183086;
        Mon, 23 Nov 2020 05:29:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1606138183; cv=none;
        d=google.com; s=arc-20160816;
        b=AzRh3BiUsxUtxEhzl4FMoW9yq86+lJJRVjFggImRU8bk1898Jdw9zARCWF+s8r6sJv
         6cysKG1q74Uz1PRXCwbFXZdCcUoXLQqzauohTI8MNa/Bqr6LqStOzrbxy2K0e4Vz0OK4
         iHCkQofLFzGMcV0Dzlt40cb+UuoZCIjbuYhVLxPNSohEHPZXmHvQ+oQf3zQmUFvEgV0O
         IQqxZTLAIuyCu3YS6tfjcQTgEX5evS6q6m/f4LWCniRnSIXAWnYfS8b01Z4aLGESIcsj
         z6goTw+rvQeg7pWvJBuAPhdABs5BARdtaUb3pT1JRLqnSXhqb/O/36DcbY2eWOhTIO5L
         oCiQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=YBxZIAMm9cB8aaYekBCL0V3e8jWZyY+DB8seoJIJ+GU=;
        b=x2a+5b9PY+6vyESz0SrLdjgNYmV6qI6QStr+8CyuEmdBxg9gmBt+FgpFYARPfqpSfo
         MMVsTrVhdLlGtNe3AZCBdcbLmPxhysrtkijs0GjPzrDY8y1r2k+j7V5sWfXcx6G78psF
         I0TkPqIJcwGFbToPda1DRUyhO2DhDn0pAlplmgf2xzqcJ+lE7dx1hDiL72WI5WqqCGWl
         ArPdTnCr2Uz5osC7AhCsdnd7WPpZcRKRd5udheAIRAvWLrCZfCGVzGF8BJOD9fi2t9YQ
         Xr109UMP7yGjL7pj8mpZpr7XdL9+U78MPwB4J3PDKXhszp0Ea+nl+dHiQCUvapXh6OS5
         BFpg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=sqYRfAPx;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id j5si6053369eds.113.2020.11.23.05.29.19;
        Mon, 23 Nov 2020 05:29:43 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=sqYRfAPx;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731089AbgKWMca (ORCPT <rfc822;thunderbird.krnldev@gmail.com>
        + 99 others); Mon, 23 Nov 2020 07:32:30 -0500
Received: from mail.kernel.org ([198.145.29.99]:43266 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1731028AbgKWMcK (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 23 Nov 2020 07:32:10 -0500
Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 302F72076E;
        Mon, 23 Nov 2020 12:32:09 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1606134729;
        bh=WnoWaPOliwfCDnB34vVQAmgvOEREp88/2DhlefrORCw=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=sqYRfAPx0b5PKGaic6gatV1Qk/4BULBkASq3KjLp095u7sbcYngSmf9gknTdqZZzJ
         z8bV842HzZtRqS3CsR2Qtn+yPakfpfSW9lVLyFdwWVn+TPGZZgZl9OwGG8SYQbOFnH
         wnA9kdVLvLS4ML7/3JI2DpbfQ2xEk8Ed+Ic6n0WM=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Naresh Kamboju <naresh.kamboju@linaro.org>,
        Arnd Bergmann <arnd@arndb.de>, Nishanth Menon <nm@ti.com>,
        Mark Brown <broonie@kernel.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 61/91] regulator: ti-abb: Fix array out of bound read access on the first transition
Date:   Mon, 23 Nov 2020 13:22:21 +0100
Message-Id: <20201123121812.287151293@linuxfoundation.org>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20201123121809.285416732@linuxfoundation.org>
References: <20201123121809.285416732@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Nishanth Menon <nm@ti.com>

[ Upstream commit 2ba546ebe0ce2af47833d8912ced9b4a579f13cb ]

At the start of driver initialization, we do not know what bias
setting the bootloader has configured the system for and we only know
for certain the very first time we do a transition.

However, since the initial value of the comparison index is -EINVAL,
this negative value results in an array out of bound access on the
very first transition.

Since we don't know what the setting is, we just set the bias
configuration as there is nothing to compare against. This prevents
the array out of bound access.

NOTE: Even though we could use a more relaxed check of "< 0" the only
valid values(ignoring cosmic ray induced bitflips) are -EINVAL, 0+.

Fixes: 40b1936efebd ("regulator: Introduce TI Adaptive Body Bias(ABB) on-chip LDO driver")
Link: https://lore.kernel.org/linux-mm/CA+G9fYuk4imvhyCN7D7T6PMDH6oNp6HDCRiTUKMQ6QXXjBa4ag@mail.gmail.com/
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Nishanth Menon <nm@ti.com>
Link: https://lore.kernel.org/r/20201118145009.10492-1-nm@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/regulator/ti-abb-regulator.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/regulator/ti-abb-regulator.c b/drivers/regulator/ti-abb-regulator.c
index 89b9314d64c9d..016330f909c09 100644
--- a/drivers/regulator/ti-abb-regulator.c
+++ b/drivers/regulator/ti-abb-regulator.c
@@ -342,8 +342,17 @@ static int ti_abb_set_voltage_sel(struct regulator_dev *rdev, unsigned sel)
 		return ret;
 	}
 
-	/* If data is exactly the same, then just update index, no change */
 	info = &abb->info[sel];
+	/*
+	 * When Linux kernel is starting up, we are'nt sure of the
+	 * Bias configuration that bootloader has configured.
+	 * So, we get to know the actual setting the first time
+	 * we are asked to transition.
+	 */
+	if (abb->current_info_idx == -EINVAL)
+		goto just_set_abb;
+
+	/* If data is exactly the same, then just update index, no change */
 	oinfo = &abb->info[abb->current_info_idx];
 	if (!memcmp(info, oinfo, sizeof(*info))) {
 		dev_dbg(dev, "%s: Same data new idx=%d, old idx=%d\n", __func__,
@@ -351,6 +360,7 @@ static int ti_abb_set_voltage_sel(struct regulator_dev *rdev, unsigned sel)
 		goto out;
 	}
 
+just_set_abb:
 	ret = ti_abb_set_opp(rdev, abb, info);
 
 out:
-- 
2.27.0