From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Russell King (Oracle)", Guenter Roeck, Sasha Levin, linux@armlinux.org.uk, linux-arm-kernel@lists.infradead.org
Subject: [PATCH AUTOSEL 5.15 8/8] ARM: findbit: fix overflowing offset
Date: Mon, 1 Aug 2022 15:02:43 -0400
Message-Id: <20220801190243.3818811-8-sashal@kernel.org>
In-Reply-To: <20220801190243.3818811-1-sashal@kernel.org>
References: <20220801190243.3818811-1-sashal@kernel.org>

From: "Russell King (Oracle)"

[ Upstream commit ec85bd369fd2bfaed6f45dd678706429d4f75b48 ]

When offset is larger than the size of the bit array, we should not
attempt to access the array as we can perform an access beyond the
end of the array. Fix this by changing the pre-condition.

Using "cmp r2, r1; bhs ..." covers us for the size == 0 case, since
this will always take the branch when r1 is zero, irrespective of
the value of r2. This means we can fix this bug without adding any
additional code!

Tested-by: Guenter Roeck
Signed-off-by: Russell King (Oracle)
Signed-off-by: Sasha Levin
---
 arch/arm/lib/findbit.S | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/arch/arm/lib/findbit.S b/arch/arm/lib/findbit.S index b5e8b9ae4c7d..7fd3600db8ef 100644 --- a/arch/arm/lib/findbit.S +++ b/arch/arm/lib/findbit.S @@ -40,8 +40,8 @@ ENDPROC(_find_first_zero_bit_le) * Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset) */ ENTRY(_find_next_zero_bit_le) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine ARM( ldrb r3, [r0, r2, lsr #3] )
@@ -81,8 +81,8 @@ ENDPROC(_find_first_bit_le) * Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset) */ ENTRY(_find_next_bit_le) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine ARM( ldrb r3, [r0, r2, lsr #3] ) @@ -115,8 +115,8 @@ ENTRY(_find_first_zero_bit_be) ENDPROC(_find_first_zero_bit_be) ENTRY(_find_next_zero_bit_be) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine eor r3, r2, #0x18 @ big endian byte ordering 
@@ -149,8 +149,8 @@ ENTRY(_find_first_bit_be) ENDPROC(_find_first_bit_be) ENTRY(_find_next_bit_be) - teq r1, #0 - beq 3b + cmp r2, r1 + bhs 3b ands ip, r2, #7 beq 1b @ If new byte, goto old routine eor r3, r2, #0x18 @ big endian byte ordering -- 2.35.1
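Review bot: The new "cmp r2, r1" / "bhs 3b" pair in all four _find_next_* entry points carries no comment, although it now does two jobs (rejecting offset >= maxbit and covering maxbit == 0) and is an unsigned comparison against an argument the prototype comments declare as "int offset". A negative offset is therefore treated as a very large value and normally takes the branch as well, which is the safe outcome but is only implicit. A short comment on the "bhs 3b" line, such as "@ offset >= maxbit (unsigned), also covers maxbit == 0", would stop a later cleanup from swapping in a signed branch or re-adding a separate zero test.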
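Review bot: In the context of the second hunk (@@ -81,8) the comment above ENTRY(_find_next_bit_le) still reads "Prototype: int find_next_zero_bit(...)", the same text that sits above ENTRY(_find_next_zero_bit_le) in the first hunk. The fix depends on the reader knowing which register holds maxbit and which holds offset for each entry point, so the comment is worth correcting to name find_next_bit. That belongs in a separate upstream change rather than in this backport, which should stay identical to the upstream commit.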
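The pre-condition change described in the commit message, modelled in C as an added example (not code from the patch or from the kernel). It covers only the instructions visible in the hunks; the function names are hypothetical, and the bitmap is assumed to span ceil(size / 8) bytes.

```c
#include <stdint.h>
#include <stdio.h>

enum outcome { BAILS_OUT, LOAD_IN_BOUNDS, LOAD_OUT_OF_BOUNDS, NOT_MODELLED };
typedef int (*precond_fn)(uint32_t size, uint32_t offset);

/* Old entry check: "teq r1, #0; beq 3b" -- bails only when size == 0. */
static int old_precond(uint32_t size, uint32_t offset)
{
    (void)offset;
    return size == 0;
}

/* New entry check: "cmp r2, r1; bhs 3b" -- bails when offset >= size (unsigned). */
static int new_precond(uint32_t size, uint32_t offset)
{
    return offset >= size;
}

/* What the instructions right after the check do for a given (size, offset). */
static enum outcome after_check(precond_fn bails, uint32_t size, uint32_t offset)
{
    /* Assumption: the bitmap spans ceil(size / 8) bytes. */
    uint64_t nbytes = ((uint64_t)size + 7) / 8;

    if (bails(size, offset))
        return BAILS_OUT;
    if ((offset & 7) == 0)      /* "beq 1b": that path is not shown on the page */
        return NOT_MODELLED;
    /* "ldrb r3, [r0, r2, lsr #3]" loads the byte at index offset >> 3. */
    return (offset >> 3) < nbytes ? LOAD_IN_BOUNDS : LOAD_OUT_OF_BOUNDS;
}

/* Count (size, offset) pairs in a small range that end in an out-of-bounds load. */
static unsigned count_oob(precond_fn bails)
{
    unsigned n = 0;
    for (uint32_t size = 0; size <= 64; size++)
        for (uint32_t offset = 0; offset <= 128; offset++)
            n += after_check(bails, size, offset) == LOAD_OUT_OF_BOUNDS;
    return n;
}

int main(void)
{
    printf("size=32 offset=33: old=%d new=%d\n",
           after_check(old_precond, 32, 33), after_check(new_precond, 32, 33));
    printf("out-of-bounds pairs: old=%u new=%u\n", count_oob(old_precond), count_oob(new_precond));
    return 0;
}
```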