From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Guenter Roeck, "Russell King (Oracle)", Sasha Levin
Subject: [PATCH 5.15 155/779] ARM: findbit: fix overflowing offset
Date: Mon, 15 Aug 2022 19:56:39 +0200
Message-Id: <20220815180343.948725163@linuxfoundation.org>
In-Reply-To: <20220815180337.130757997@linuxfoundation.org>
References: <20220815180337.130757997@linuxfoundation.org>

From: Russell King (Oracle)

[ Upstream commit ec85bd369fd2bfaed6f45dd678706429d4f75b48 ]

When offset is larger than the size of the bit array, we should not
attempt to access the array as we can perform an access beyond the
end of the array. Fix this by changing the pre-condition.

Using "cmp r2, r1; bhs ..." covers us for the size == 0 case, since
this will always take the branch when r1 is zero, irrespective of
the value of r2. This means we can fix this bug without adding any
additional code!

Tested-by: Guenter Roeck
Signed-off-by: Russell King (Oracle)
Signed-off-by: Sasha Levin
--- arch/arm/lib/findbit.S | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/arch/arm/lib/findbit.S b/arch/arm/lib/findbit.S index b5e8b9ae4c7d..7fd3600db8ef 100644 --- a/arch/arm/lib/findbit.S +++ b/arch/arm/lib/findbit.S 
@@ -40,8 +40,8 @@ ENDPROC(_find_first_zero_bit_le) * Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset) */ ENTRY(_find_next_zero_bit_le) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine ARM( ldrb r3, [r0, r2, lsr #3] ) @@ -81,8 +81,8 @@ ENDPROC(_find_first_bit_le) * Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset) */ ENTRY(_find_next_bit_le) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine ARM( ldrb r3, [r0, r2, lsr #3] ) @@ -115,8 +115,8 @@ ENTRY(_find_first_zero_bit_be) ENDPROC(_find_first_zero_bit_be) ENTRY(_find_next_zero_bit_be) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine eor r3, r2, #0x18 @ big endian byte ordering @@ -149,8 +149,8 @@ ENTRY(_find_first_bit_be) ENDPROC(_find_first_bit_be) ENTRY(_find_next_bit_be) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine eor r3, r2, #0x18 @ big endian byte ordering -- 2.35.1
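
Review bot: in the _find_next_zero_bit_le hunk, the new `cmp r2, r1` / `bhs 3b` pair stands for two conditions (maxbit == 0 and offset >= maxbit), but nothing at the site says so; the reasoning exists only in the commit message. Suggest a trailing comment such as `bhs 3b @ offset >= maxbit, also covers maxbit == 0`. The prototype comment above the entry point also declares `int offset`, while `bhs` is an unsigned comparison, so a negative offset takes the branch as well; either document that or change the documented type to unsigned.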
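
Review bot: the context comment above ENTRY(_find_next_bit_le) in the second hunk reads `Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset)`, which names the previous routine rather than this one. It should say find_next_bit. Since this entry point is being touched for a bounds fix, the comment is worth correcting, in a follow-up if the backport has to stay identical to the upstream commit.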
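
Review bot: in the _find_next_zero_bit_be and _find_next_bit_be hunks, the bound check is applied to r2 before `eor r3, r2, #0x18` reorders the byte index, so if the load that follows uses r3, the byte addressed can lie up to three bytes away from r2 >> 3. The check `offset < maxbit` is then sufficient only when the bitmap storage is padded to whole 32-bit words. Please state that assumption in a comment next to the check or in the commit message.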
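
The precondition change described in the commit message, as a simplified C model added here (not code from the patch or the kernel). The names `find_next_zero_bit_model`, `run_sample` and `sample_map` are hypothetical, and the bit-at-a-time loop is a stand-in for the assembly that keeps only one property visible in the hunks: the first byte load happens right after the entry check, with no other bound test in between.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample bitmap: 16 bits, all set except bit 10. */
static const uint8_t sample_map[2] = { 0xff, 0xfb };

struct outcome {
    unsigned ret;   /* value the routine returns */
    int oob;        /* 1 if it asked for a byte outside the bitmap */
};

/* Model load: records an out-of-range request instead of performing it. */
static uint8_t load_byte(const uint8_t *map, size_t nbytes, size_t idx, int *oob)
{
    if (idx >= nbytes) {
        *oob = 1;
        return 0xff;
    }
    return map[idx];
}

/* fixed == 0: old precondition (maxbit == 0); fixed == 1: new (offset >= maxbit). */
struct outcome find_next_zero_bit_model(const uint8_t *map, unsigned maxbit,
                                        unsigned offset, int fixed)
{
    struct outcome o = { maxbit, 0 };       /* maxbit means "not found" */
    size_t nbytes = ((size_t)maxbit + 7) / 8;
    unsigned bit = offset;

    if (fixed ? offset >= maxbit : maxbit == 0)
        return o;
    do {                                    /* first load precedes any bound test */
        uint8_t b = load_byte(map, nbytes, bit >> 3, &o.oob);
        if (!(b & (1u << (bit & 7)))) {
            o.ret = bit < maxbit ? bit : maxbit;
            return o;
        }
    } while (++bit < maxbit);
    return o;
}

/* Convenience wrapper over the constructed sample; maxbit must be <= 16. */
struct outcome run_sample(unsigned maxbit, unsigned offset, int fixed)
{
    return find_next_zero_bit_model(sample_map, maxbit, offset, fixed);
}
```

With the old check, any offset at or past maxbit on a non-empty bitmap reaches the load; with the new one the same calls return maxbit without touching memory.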