Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp479227rwi; Thu, 20 Oct 2022 00:56:36 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7S9iS+e+7QuQYjb3kFrU/Se0LPWlLpzEivR5MxPF7xODq/u0Aj99zi+28aXq0zx1aOEc1Q X-Received: by 2002:a63:1d1a:0:b0:433:f6ea:dce6 with SMTP id d26-20020a631d1a000000b00433f6eadce6mr10455400pgd.178.1666252596706; Thu, 20 Oct 2022 00:56:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666252596; cv=none; d=google.com; s=arc-20160816; b=W8T+D3sH1hvdKvylswfaaxjLzokjJup8kciS249jQIOOcfVzNypZD90dVGBmLjl9wB RnXuDjN+dGVcmh8wAdcSAa4esMOIufe5leN73sdkmBEA010ysUBK4lyr1JOW8pkNWbqU D1yKsTtDSk+G2jzKu8wnak537IERriHG6wGbmTbEZEX771sP2683Em9YhMwMK3i4Dp8v xbXkJ8NHjmLGpRvbaDRES/Tnw/Eo9piMCd9PPskTnoFijZENGMXSVXOox9NdmaOMkAlV V2f8u3TX97AQYx2gkdyFbiP+D/PCw9GBiuLenoibddUMELJyrSQbiqs6EFFj+ySYIY3T jVnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=TEyeAqRkz8ofVgcg3/w5/1i7hyOQQ7idefgTfAJdXBA=; b=SFCrWJ95oPG074CC6TJNGm5hiGj02e/pG96mp3Tyg/8ob3o2yztNoONq/vU8JgPLsR TQAG/JrL5Ma6twIKr9zxcwUrJ/KmVhJYwxYXDrykdnoWAG0yYG3Fmzgs38ZKob8/yIst Bj9gFjapdwYzwbELK1/pEz118ZWrLAbPN7axjCUt7svA32GcLaBoBu8J8+Zr9XZqEWhp 76sVxE/QRbcG9xJcdhnMxXJEMFZCLMK1d6K3XJa65zL3FRmTuLk4VDGnn7TkqUlxfYt+ /NPPDvS2V0jgmsVWLHo0WoNn4hGE0AwPmrngOup9Nr7hDWKrg1INTMcIarBYYojuCmZO VMVA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=hEm1Ipxa; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 198-20020a6303cf000000b0046afdd18766si21179282pgd.163.2022.10.20.00.56.19; Thu, 20 Oct 2022 00:56:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=hEm1Ipxa; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230452AbiJTHqe (ORCPT + 99 others); Thu, 20 Oct 2022 03:46:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48416 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230407AbiJTHqd (ORCPT ); Thu, 20 Oct 2022 03:46:33 -0400 Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 64206148FFA; Thu, 20 Oct 2022 00:46:31 -0700 (PDT) Received: by mail-wm1-x32b.google.com with SMTP id m29-20020a05600c3b1d00b003c6bf423c71so1712302wms.0; Thu, 20 Oct 2022 00:46:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=TEyeAqRkz8ofVgcg3/w5/1i7hyOQQ7idefgTfAJdXBA=; b=hEm1IpxaWE2L7Eu+1FXjU4xARijFwJiRezVcpAN8LvztZOmcmf5UMeNzJIsGAHNStS GJvsug79uDSID7yxrGnqitO5AS8WhrhOFqCYLHeJdTe9mHx/L3VeywC20Ow90NgeVuOJ IGLre+lmBJNGL8nbT7lPc3y/3bHDdsordGbJTugTfAWGthwjO4kSx1eKKHh7dLzRED0R u/2mzANKneQkAE3cC4GSHMP3sZ0f6wWbWu4Kk7WnfUmrOQBK9D1fmqCRdlMuNa+VBeWd 60y3OuxfGkIjF7mZRIGeLpFO5QEyWeksnBkczvSV6K/66gT5FKoPmJ9SAoW7Iv7g4g+V 2+CQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=TEyeAqRkz8ofVgcg3/w5/1i7hyOQQ7idefgTfAJdXBA=; b=g2K3AEsl4PlmqIWLysjZO8dA7+pMcEuFh+/q6noS5s3ImJcNWoQ4YwAIscaZD7KI2L 0T8sunqH3rE3OnzVtTvIggfiVwKm45QZJXZ1nzXttEVG3BF2E0GJjM4wEP9/JP4kK6X6 AchP0+Fk5BcXw9T513tp25by/YJXQdAVFKHO78CDUCjJtfMbJaStqVKSyonGuqgcxEDQ QDaz52bCLqzqOGfPMvlgtxF3ppzqpci9/bMmCzKnwGDA+RhB4n44LZw4obBaVuIpenz3 YbRaMRkBuERvAaO5lmKgAHHm6xnrlYLdwEGFsPgriXJ4LoPMb2udBcRAn270dlZCPTuP PO4w== X-Gm-Message-State: ACrzQf3GmkHS9G1jbM8za4HiFdfklpTG6Q1Yf97hloqjSd4srEPHyiSW TQ16yRs9pLZ8XWxVuLMlygP12pm4PTAXUkt5Zuw= X-Received: by 2002:a05:600c:198d:b0:3b4:a62c:a085 with SMTP id t13-20020a05600c198d00b003b4a62ca085mr27820940wmq.140.1666251989062; Thu, 20 Oct 2022 00:46:29 -0700 (PDT) MIME-Version: 1.0 References: <1664416817-31590-1-git-send-email-u0084500@gmail.com> In-Reply-To: <1664416817-31590-1-git-send-email-u0084500@gmail.com> From: ChiYuan Huang Date: Thu, 20 Oct 2022 15:46:17 +0800 Message-ID: Subject: Re: [PATCH v2] mfd: mt6360: add bound check in regmap read/write function To: lee@kernel.org Cc: matthias.bgg@gmail.com, gene_chen@richtek.com, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, linux-kernel@vger.kernel.org, ChiYuan Huang , stable@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT, FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, cy_huang =E6=96=BC 2022=E5=B9=B49=E6=9C=8829=E6=97=A5 = =E9=80=B1=E5=9B=9B =E4=B8=8A=E5=8D=8810:00=E5=AF=AB=E9=81=93=EF=BC=9A > > From: ChiYuan Huang > > Fix the potential risk for null pointer if bank index is over the maximum= . > > Refer to the discussion list for the experiment result on mt6370. > https://lore.kernel.org/all/20220914013345.GA5802@cyhuang-hp-elitebook-84= 0-g3.rt/ > If not to check the bound, there is the same issue on mt6360. > > Fixes: 3b0850440a06c (mfd: mt6360: Merge different sub-devices I2C read/w= rite) > Cc: stable@vger.kernel.org > Signed-off-by: ChiYuan Huang > --- > Since v2: > - Assign i2c bank variable after bank index is already checked. > > --- > drivers/mfd/mt6360-core.c | 14 ++++++++++++-- > 1 file changed, 12 insertions(+), 2 deletions(-) > Any comment? > diff --git a/drivers/mfd/mt6360-core.c b/drivers/mfd/mt6360-core.c > index 6eaa677..d3b32eb 100644 > --- a/drivers/mfd/mt6360-core.c > +++ b/drivers/mfd/mt6360-core.c > @@ -402,7 +402,7 @@ static int mt6360_regmap_read(void *context, const vo= id *reg, size_t reg_size, > struct mt6360_ddata *ddata =3D context; > u8 bank =3D *(u8 *)reg; > u8 reg_addr =3D *(u8 *)(reg + 1); > - struct i2c_client *i2c =3D ddata->i2c[bank]; > + struct i2c_client *i2c; > bool crc_needed =3D false; > u8 *buf; > int buf_len =3D MT6360_ALLOC_READ_SIZE(val_size); > @@ -410,6 +410,11 @@ static int mt6360_regmap_read(void *context, const v= oid *reg, size_t reg_size, > u8 crc; > int ret; > > + if (bank >=3D MT6360_SLAVE_MAX) > + return -EINVAL; > + > + i2c =3D ddata->i2c[bank]; > + > if (bank =3D=3D MT6360_SLAVE_PMIC || bank =3D=3D MT6360_SLAVE_LDO= ) { > crc_needed =3D true; > ret =3D mt6360_xlate_pmicldo_addr(®_addr, val_size); > @@ -453,13 +458,18 @@ static int mt6360_regmap_write(void *context, const= void *val, size_t val_size) > struct mt6360_ddata *ddata =3D context; > u8 bank =3D *(u8 *)val; > u8 reg_addr =3D *(u8 *)(val + 1); > - struct i2c_client *i2c =3D ddata->i2c[bank]; > + struct i2c_client *i2c; > bool crc_needed =3D false; > u8 *buf; > int buf_len =3D MT6360_ALLOC_WRITE_SIZE(val_size); > int write_size =3D val_size - MT6360_REGMAP_REG_BYTE_SIZE; > int ret; > > + if (bank >=3D MT6360_SLAVE_MAX) > + return -EINVAL; > + > + i2c =3D ddata->i2c[bank]; > + > if (bank =3D=3D MT6360_SLAVE_PMIC || bank =3D=3D MT6360_SLAVE_LDO= ) { > crc_needed =3D true; > ret =3D mt6360_xlate_pmicldo_addr(®_addr, val_size - M= T6360_REGMAP_REG_BYTE_SIZE); > -- > 2.7.4 >