Date: Mon, 1 Jan 2024 18:05:49 +0000
From: Jonathan Cameron
To: zhouzhouyi@gmail.com
Cc: songqiang1304521@gmail.com, lars@metafoo.de, linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org, "zhili.liu"
Subject: Re: [PATCH v2] iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC
Message-ID: <20240101180549.1be7e6de@jic23-huawei>
In-Reply-To: <1704034604-9846-1-git-send-email-zhouzhouyi@gmail.com>

On Sun, 31 Dec 2023 22:56:44 +0800
zhouzhouyi@gmail.com wrote:

> From: "zhili.liu"
>
> Recently, we encounter kernel crash in function rm3100_common_probe
> caused by out of bound access of array rm3100_samp_rates (because of
> underlying hardware failures). Add boundary check to prevent out of
> bound access.
>
> Suggested-by: Zhouyi Zhou
> Signed-off-by: zhili.liu Please provide a Fixes tag so we know how far back to backport this. Seems like a reasonable bit of hardening against potential hardware issues. However it would be cleaner with a local variable used for the index. See inline. Jonathan > --- > The format of the previous patch was a bit problematic, > we are sending it again. > > Sorry for the trouble. > > Thank you very much. > -- > drivers/iio/magnetometer/rm3100-core.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/iio/magnetometer/rm3100-core.c b/drivers/iio/magnetometer/rm3100-core.c > index 69938204456f..fc50b6d4a334 100644 > --- a/drivers/iio/magnetometer/rm3100-core.c > +++ b/drivers/iio/magnetometer/rm3100-core.c > @@ -586,6 +586,12 @@ int rm3100_common_probe(struct device *dev, struct regmap *regmap, int irq) > ret = regmap_read(regmap, RM3100_REG_TMRC, &tmp); > if (ret < 0) > return ret; > + > + if (tmp < RM3100_SAMP_NUM || tmp - RM3100_TMRC_OFFSET >= RM3100_SAMP_NUM) { Just a local variable of int samp_rate_index = tmp - RM3100_TMRC_OFFSET; Check that for negative or >= RM3100_SAMP_NUM > + dev_err(dev, "The value read from RM3100_REG_TMRC is invalid!\n"); > + return -EINVAL; > + } > + > /* Initializing max wait time, which is double conversion time. */ > data->conversion_time = rm3100_samp_rates[tmp - RM3100_TMRC_OFFSET][2] > * 2;
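
Review bot: The lower-bound test in the added condition compares against the wrong constant: `tmp < RM3100_SAMP_NUM` checks the raw register value against the table length, while the index is computed as `tmp - RM3100_TMRC_OFFSET`, so the lower bound should be `tmp < RM3100_TMRC_OFFSET`. As written, a register value below the offset is rejected only if tmp is unsigned, because the subtraction then wraps and the second test catches it. Computing the index once into a signed local and testing it for `< 0` or `>= RM3100_SAMP_NUM` removes that dependence and lets the later `rm3100_samp_rates[...][2]` lookup reuse the validated index instead of repeating the subtraction. Consider also including the value read in the dev_err() message, since the stated cause is failing hardware and the raw register value is what someone debugging the failure will need.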