Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1326127pxu;
        Mon, 23 Nov 2020 18:38:45 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzG80G24W2HwnzHunDygaXMg3c0cZk9CQMydb0aZa1WrKUjUto7b7hZ2WrAoUp2GcifA/FH
X-Received: by 2002:a50:e8c7:: with SMTP id l7mr2052215edn.356.1606185525234;
        Mon, 23 Nov 2020 18:38:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1606185525; cv=none;
        d=google.com; s=arc-20160816;
        b=ilOmlqGzIuy0Dryd/0at1fJIllT95R/vIrZLWF+/QDsGa0PeRD3Qg+bHp9oxK7RASy
         6/OGQUuW3Q4EGo2dqN2BTsqwslOIWsUElADRBtuYfSb/M3V7ORhJGR32FOgFnXNTO49e
         GeYpqJBROYQ8jzDLDYU3ZHl40ZWioSI6zNglWN+WO5O3Tr9jdMjiXQ0yf5zMFte83NmM
         HCYFS8lorrrB/sMuRmbmYNdP2oRAynz+EFlh/587/HwyT0gSba9OYUxaPR1SH2bb9cgK
         ISjUthHXsT7wrWm0ur7Z9i+VuGSyY/y8wMNT7GgG0gtmKWHsb3pwEM/Y3aXj2iAiQtLq
         +7Ag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=YBxZIAMm9cB8aaYekBCL0V3e8jWZyY+DB8seoJIJ+GU=;
        b=ivFVoppHpo987iTX4Kayo6uqbvrCN5v/rvZ4gHC9jruQPRZ0jK9wOMcc4Okd/OFwJC
         3z+KyRUWrgOhtJ2SzVeh2OMX/k08nKoijiwrzdgD6oZl0yRYSU3khRpdImAhEMDlluP8
         e9zOBM2qN5dq52r2YM9iSQ8oljlqKEMhl3qHsZpoWh5TLLk6Qmx3H7LWZ0JZf5j2s8Qx
         w0srIHlBglAg9Uhzdym3d9oxMgiokHymGhjnarDWkQgyQ2daL/SCO3ZE5EgBHNajlNFO
         0OzeZFtyZSwArTU3qoBxbCc0GaP0TjIr+HfKX4qjY/jFoVEyZTeoahcXu4TUnn+f6lRW
         BCeA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=xw2th9Xf;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id k25si7687577ejr.647.2020.11.23.18.38.21;
        Mon, 23 Nov 2020 18:38:45 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=xw2th9Xf;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732143AbgKWMiy (ORCPT <rfc822;thunderbird.krnldev@gmail.com>
        + 99 others); Mon, 23 Nov 2020 07:38:54 -0500
Received: from mail.kernel.org ([198.145.29.99]:50844 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1732077AbgKWMiS (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 23 Nov 2020 07:38:18 -0500
Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 3D04520732;
        Mon, 23 Nov 2020 12:38:17 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1606135097;
        bh=WnoWaPOliwfCDnB34vVQAmgvOEREp88/2DhlefrORCw=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=xw2th9Xf2TZUFmQHaZq1Gji1sRe7VMxDq7c8/xfnKcdRIUJTO/IJlaBrVa1RH5fAk
         jVBaTlA+kfDGsJQZmbJLK4evPYs2MAtzkaR94R2KDo9yy3z2nThVj98E2WksHIfNEP
         DHqCJ1SufwD47rpbifw4Zr5sM6sd8hePcJMmIVnc=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Naresh Kamboju <naresh.kamboju@linaro.org>,
        Arnd Bergmann <arnd@arndb.de>, Nishanth Menon <nm@ti.com>,
        Mark Brown <broonie@kernel.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 104/158] regulator: ti-abb: Fix array out of bound read access on the first transition
Date:   Mon, 23 Nov 2020 13:22:12 +0100
Message-Id: <20201123121824.954536672@linuxfoundation.org>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20201123121819.943135899@linuxfoundation.org>
References: <20201123121819.943135899@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Nishanth Menon <nm@ti.com>

[ Upstream commit 2ba546ebe0ce2af47833d8912ced9b4a579f13cb ]

At the start of driver initialization, we do not know what bias
setting the bootloader has configured the system for and we only know
for certain the very first time we do a transition.

However, since the initial value of the comparison index is -EINVAL,
this negative value results in an array out of bound access on the
very first transition.

Since we don't know what the setting is, we just set the bias
configuration as there is nothing to compare against. This prevents
the array out of bound access.

NOTE: Even though we could use a more relaxed check of "< 0" the only
valid values(ignoring cosmic ray induced bitflips) are -EINVAL, 0+.

Fixes: 40b1936efebd ("regulator: Introduce TI Adaptive Body Bias(ABB) on-chip LDO driver")
Link: https://lore.kernel.org/linux-mm/CA+G9fYuk4imvhyCN7D7T6PMDH6oNp6HDCRiTUKMQ6QXXjBa4ag@mail.gmail.com/
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Nishanth Menon <nm@ti.com>
Link: https://lore.kernel.org/r/20201118145009.10492-1-nm@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/regulator/ti-abb-regulator.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/regulator/ti-abb-regulator.c b/drivers/regulator/ti-abb-regulator.c
index 89b9314d64c9d..016330f909c09 100644
--- a/drivers/regulator/ti-abb-regulator.c
+++ b/drivers/regulator/ti-abb-regulator.c
@@ -342,8 +342,17 @@ static int ti_abb_set_voltage_sel(struct regulator_dev *rdev, unsigned sel)
 		return ret;
 	}
 
-	/* If data is exactly the same, then just update index, no change */
 	info = &abb->info[sel];
+	/*
+	 * When Linux kernel is starting up, we are'nt sure of the
+	 * Bias configuration that bootloader has configured.
+	 * So, we get to know the actual setting the first time
+	 * we are asked to transition.
+	 */
+	if (abb->current_info_idx == -EINVAL)
+		goto just_set_abb;
+
+	/* If data is exactly the same, then just update index, no change */
 	oinfo = &abb->info[abb->current_info_idx];
 	if (!memcmp(info, oinfo, sizeof(*info))) {
 		dev_dbg(dev, "%s: Same data new idx=%d, old idx=%d\n", __func__,
@@ -351,6 +360,7 @@ static int ti_abb_set_voltage_sel(struct regulator_dev *rdev, unsigned sel)
 		goto out;
 	}
 
+just_set_abb:
 	ret = ti_abb_set_opp(rdev, abb, info);
 
 out:
-- 
2.27.0