Received: by 2002:ab2:23c8:0:b0:1f2:fdbc:cb93 with SMTP id a8csp244073lqe;
        Wed, 27 Mar 2024 04:44:20 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCW3z5fefo+BDw4u2k5p1v1HfHQsdkYgtAPADnTkR2sm2pFPGK/BcrWCzcFPEWZyMtyyXGAzbKehFSfyJcteZ8G6bSEKKAHzjXsulZBJdQ==
X-Google-Smtp-Source: AGHT+IF3EV1dfDPZXmRNcooTN7E2rXxZ1k9STznSmFi/PrG3Z8R/72GFTMSXV/Shc2EiaKeVeEZk
X-Received: by 2002:a05:620a:569a:b0:78a:6a4b:3e32 with SMTP id wg26-20020a05620a569a00b0078a6a4b3e32mr2671120qkn.52.1711539860376;
        Wed, 27 Mar 2024 04:44:20 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1711539860; cv=pass;
        d=google.com; s=arc-20160816;
        b=RPUUBo/aEoQtYr3AFGFFDqu7w4JxHmFtu8kZTA7FoKSoWiZ1TgZszLZLA5LuDdrUIe
         KBxDykHdF/SEC0bNSP0N4DeJyt+jcBwqI4mdDGavU4oJ3fNL0xRVm5HNLY4A+lEbax+v
         8ULoCLQZEwsPCkgviMxqrmkUoAUCsw+SSZG1D2zToUAZ9Qp/NAUlkICCMNMiTvbs2fcU
         5FVkyGYkneLa6o488JuI4m5cPJN6IErdSaqLvWgv6fet/H+m6vWp5tGbbCInXtuWbIR/
         GrieLeDneLAH03uP3smar31LTTEaSzczBZopzL6m5Dm4+5ZY+fI9SeVH+ZDxPna1FLHy
         C7pg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=Lac8H7R3zm0lUQHp4v6nVKoKn2WF9gC+zAcJfYjCrEA=;
        fh=CpWGL0kPt/6lZb0GWvNT7y2IVz7KXjXP5Oh3nfa9mcg=;
        b=DiOsIXemp6mXRLiOwjN807aG1heq6BKfyOxiYzNWoadoz86YXZPi1QmgrAPTeINJSM
         /iV43nK1AlRd7YpzZh0SWCU+5V31AUmfyMBQKrHKidp6EoBZ5UvB+W55jZTeZcEPWLK2
         8qGRUsItRd4I5wnMyBdl9sV27QLC0R/eioLLji3WQSADd3gNjkdkCmk4iCp8IzpVs2YU
         M8KMmx8QNqd5syUnR+taJKx4cFN1+5ZixNwDuJHJevQ8F3LXsjgWfGRnFLpqvqLpOTn6
         1AFFi/QRhpLtfVCnAQE+ql4sAz1S3DjCBEuAGYTUPrUpGU9N3Rb52cznaR4b0AM56SEh
         vMsQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@cirrus.com header.s=PODMain02222019 header.b=GeaZvMfp;
       arc=pass (i=1 spf=pass spfdomain=opensource.cirrus.com dkim=pass dkdomain=cirrus.com dmarc=pass fromdomain=opensource.cirrus.com);
       spf=pass (google.com: domain of linux-kernel+bounces-120768-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-120768-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cirrus.com
Return-Path: <linux-kernel+bounces-120768-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id h10-20020a05620a21ca00b0078a677b4ba9si2951916qka.49.2024.03.27.04.44.20
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 27 Mar 2024 04:44:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-120768-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@cirrus.com header.s=PODMain02222019 header.b=GeaZvMfp;
       arc=pass (i=1 spf=pass spfdomain=opensource.cirrus.com dkim=pass dkdomain=cirrus.com dmarc=pass fromdomain=opensource.cirrus.com);
       spf=pass (google.com: domain of linux-kernel+bounces-120768-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-120768-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cirrus.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id DABB91C22BC3
	for <linux.lists.archive@gmail.com>; Wed, 27 Mar 2024 11:44:19 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id C46CE1292CB;
	Wed, 27 Mar 2024 11:44:14 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=cirrus.com header.i=@cirrus.com header.b="GeaZvMfp"
Received: from mx0b-001ae601.pphosted.com (mx0a-001ae601.pphosted.com [67.231.149.25])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 502C9128827
	for <linux-kernel@vger.kernel.org>; Wed, 27 Mar 2024 11:44:11 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=67.231.149.25
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1711539853; cv=none; b=fZtJUuRk+gYD/P2sbqJgJunL7i7A2lyNbDDQ0GRViL7oh47PP9n22Nvutyr3wZ/sF3qDlt2HMeM1R6W6rDqX7dGKkpo2U+Zo7SqG3Wxx++zVWDe6q5GmMvAZTugu6dnViHBeVvSLvBz/wyoia13iV6b46fIModr3DhR20YlXrU8=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1711539853; c=relaxed/simple;
	bh=nljWhfqKr4AC2yw5PlZRC4zCYIVGlHgtDCtDA93Dp2E=;
	h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=H15VtHO4YpPzV/FmqnWDtUyRGA/8vxQj7fTt5qVYardh2ddRUbXPi9pJ6/HYK6kxHKX3rC9ONc2pq9hunjyH8gCGU62y4m94NtHIQJ1hPMipy5BTIKvElZGttswUw1NGSbCL0b0uA0ppOQ2U6r1btu7LCq3oDiwm2MrMqg0V3BE=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=opensource.cirrus.com; spf=pass smtp.mailfrom=opensource.cirrus.com; dkim=pass (2048-bit key) header.d=cirrus.com header.i=@cirrus.com header.b=GeaZvMfp; arc=none smtp.client-ip=67.231.149.25
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=opensource.cirrus.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=opensource.cirrus.com
Received: from pps.filterd (m0077473.ppops.net [127.0.0.1])
	by mx0a-001ae601.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 42R4cFXC010149;
	Wed, 27 Mar 2024 06:44:09 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cirrus.com; h=
	from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding:content-type; s=PODMain02222019; bh=L
	ac8H7R3zm0lUQHp4v6nVKoKn2WF9gC+zAcJfYjCrEA=; b=GeaZvMfpoKiU+WMsE
	YInMtRawsD7a9CfmGyPuCFwg9xmvXgXXWv1+berbDGlzNMOpwMLjGkUjMoDwsbv8
	qkKvB0CIK90a4gfPcLEEvfep/EjZHNwLRfqNeEhNzXX+D4xrajGqm6SKmNRiq8q4
	dV3r7qYfij7w+7PClZvE3gE4wEyh8fpm8m2tirWhJchbtR7ZS1P5Lgbw92ER2yST
	xEXRmNq2nEJ3vpyEgq3B2vlLl+U8bYl5C+z65oDfPyuXZk9S/gabSjk6rS5yt2pe
	p6LVsY5a8X9AK8zPML2jYSZkzafsw4faheIt+KLwaTT0UNGY/kZRyFnn2zNi7/Fo
	b3lQA==
Received: from ediex01.ad.cirrus.com ([84.19.233.68])
	by mx0a-001ae601.pphosted.com (PPS) with ESMTPS id 3x1vfyev5y-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Wed, 27 Mar 2024 06:44:09 -0500 (CDT)
Received: from ediex02.ad.cirrus.com (198.61.84.81) by ediex01.ad.cirrus.com
 (198.61.84.80) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.4; Wed, 27 Mar
 2024 11:44:07 +0000
Received: from ediswmail9.ad.cirrus.com (198.61.86.93) by
 anon-ediex02.ad.cirrus.com (198.61.84.81) with Microsoft SMTP Server id
 15.2.1544.4 via Frontend Transport; Wed, 27 Mar 2024 11:44:06 +0000
Received: from ediswws06.ad.cirrus.com (ediswws06.ad.cirrus.com [198.90.208.18])
	by ediswmail9.ad.cirrus.com (Postfix) with ESMTP id EA14E820245;
	Wed, 27 Mar 2024 11:44:06 +0000 (UTC)
From: Richard Fitzgerald <rf@opensource.cirrus.com>
To: <broonie@kernel.org>
CC: <linux-kernel@vger.kernel.org>, <patches@opensource.cirrus.com>,
        "Richard
 Fitzgerald" <rf@opensource.cirrus.com>
Subject: [PATCH] regmap: maple: Fix cache corruption in regcache_maple_drop()
Date: Wed, 27 Mar 2024 11:44:06 +0000
Message-ID: <20240327114406.976986-1-rf@opensource.cirrus.com>
X-Mailer: git-send-email 2.39.2
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Proofpoint-ORIG-GUID: yzrfu7CvoQ5N5nsH931g8ql30Jzs26r8
X-Proofpoint-GUID: yzrfu7CvoQ5N5nsH931g8ql30Jzs26r8
X-Proofpoint-Spam-Reason: safe

When keeping the upper end of a cache block entry, the entry[] array
must be indexed by the offset from the base register of the block,
i.e. max - mas.index.

The code was indexing entry[] by only the register address, leading
to an out-of-bounds access that copied some part of the kernel
memory over the cache contents.

This bug was not detected by the regmap KUnit test because it only
tests with a block of registers starting at 0, so mas.index == 0.

Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Fixes: f033c26de5a5 ("regmap: Add maple tree based register cache")
---
 drivers/base/regmap/regcache-maple.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/base/regmap/regcache-maple.c b/drivers/base/regmap/regcache-maple.c
index 41edd6a430eb..c1776127a572 100644
--- a/drivers/base/regmap/regcache-maple.c
+++ b/drivers/base/regmap/regcache-maple.c
@@ -145,7 +145,7 @@ static int regcache_maple_drop(struct regmap *map, unsigned int min,
 			upper_index = max + 1;
 			upper_last = mas.last;
 
-			upper = kmemdup(&entry[max + 1],
+			upper = kmemdup(&entry[max - mas.index + 1],
 					((mas.last - max) *
 					 sizeof(unsigned long)),
 					map->alloc_flags);
-- 
2.39.2