* [PATCH RESEND] regulator: rn5t618: Fix out of bounds array access
@ 2017-04-15 14:52 Axel Lin
2017-04-15 16:53 ` Stefan Agner
0 siblings, 1 reply; 5+ messages in thread
From: Axel Lin @ 2017-04-15 14:52 UTC (permalink / raw)
To: Lee Jones
Cc: Stefan Agner, Marcel Ziswiler, Mark Brown, Liam Girdwood,
linux-kernel, Axel Lin
The commit "regulator: rn5t618: Add RN5T567 PMIC support" added
RN5T618_DCDC4 to the enum, then RN5T618_REG_NUM is also changed.
So for rn5t618, there is out of bounds array access when checking
regulators[i].name in the for loop.
The number of regulators is different for rn5t567 and rn5t618, so we had
better remove RN5T618_REG_NUM and get the correct num_regulators during
probe instead.
Fixes: ed6d362d8dbc ("regulator: rn5t618: Add RN5T567 PMIC support")
Signed-off-by: Axel Lin <axel.lin@ingics.com>
---
RESEND: Correct subject line (remove double Fix)
drivers/regulator/rn5t618-regulator.c | 8 ++++----
include/linux/mfd/rn5t618.h | 1 -
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/regulator/rn5t618-regulator.c b/drivers/regulator/rn5t618-regulator.c
index 8d2819e..0c09143 100644
--- a/drivers/regulator/rn5t618-regulator.c
+++ b/drivers/regulator/rn5t618-regulator.c
@@ -85,14 +85,17 @@ static int rn5t618_regulator_probe(struct platform_device *pdev)
struct regulator_config config = { };
struct regulator_dev *rdev;
struct regulator_desc *regulators;
+ int num_regulators;
int i;
switch (rn5t618->variant) {
case RN5T567:
regulators = rn5t567_regulators;
+ num_regulators = ARRAY_SIZE(rn5t567_regulators);
break;
case RN5T618:
regulators = rn5t618_regulators;
+ num_regulators = ARRAY_SIZE(rn5t618_regulators);
break;
default:
return -EINVAL;
@@ -101,10 +104,7 @@ static int rn5t618_regulator_probe(struct platform_device *pdev)
config.dev = pdev->dev.parent;
config.regmap = rn5t618->regmap;
- for (i = 0; i < RN5T618_REG_NUM; i++) {
- if (!regulators[i].name)
- continue;
-
+ for (i = 0; i < num_regulators; i++) {
rdev = devm_regulator_register(&pdev->dev,
®ulators[i],
&config);
diff --git a/include/linux/mfd/rn5t618.h b/include/linux/mfd/rn5t618.h
index e5a6cde..d7b3155 100644
--- a/include/linux/mfd/rn5t618.h
+++ b/include/linux/mfd/rn5t618.h
@@ -233,7 +233,6 @@ enum {
RN5T618_LDO5,
RN5T618_LDORTC1,
RN5T618_LDORTC2,
- RN5T618_REG_NUM,
};
enum {
--
2.9.3
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH RESEND] regulator: rn5t618: Fix out of bounds array access
2017-04-15 14:52 [PATCH RESEND] regulator: rn5t618: Fix out of bounds array access Axel Lin
@ 2017-04-15 16:53 ` Stefan Agner
2017-04-16 1:12 ` Axel Lin
0 siblings, 1 reply; 5+ messages in thread
From: Stefan Agner @ 2017-04-15 16:53 UTC (permalink / raw)
To: Axel Lin
Cc: Lee Jones, Marcel Ziswiler, Mark Brown, Liam Girdwood, linux-kernel
On 2017-04-15 07:52, Axel Lin wrote:
> The commit "regulator: rn5t618: Add RN5T567 PMIC support" added
> RN5T618_DCDC4 to the enum, then RN5T618_REG_NUM is also changed.
> So for rn5t618, there is out of bounds array access when checking
> regulators[i].name in the for loop.
I use designated initializers ([RN5T618_##rid] = {..), which guarantee
that the non initialized elements are zero. The highest element LDORTC2
is defined, hence the length of the array should be RN5T618_REG_NUM.
See also
https://gcc.gnu.org/onlinedocs/gcc/Designated-Inits.html
--
Stefan
>
> The number of regulators is different for rn5t567 and rn5t618, so we had
> better remove RN5T618_REG_NUM and get the correct num_regulators during
> probe instead.
>
> Fixes: ed6d362d8dbc ("regulator: rn5t618: Add RN5T567 PMIC support")
> Signed-off-by: Axel Lin <axel.lin@ingics.com>
> ---
> RESEND: Correct subject line (remove double Fix)
>
> drivers/regulator/rn5t618-regulator.c | 8 ++++----
> include/linux/mfd/rn5t618.h | 1 -
> 2 files changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/regulator/rn5t618-regulator.c
> b/drivers/regulator/rn5t618-regulator.c
> index 8d2819e..0c09143 100644
> --- a/drivers/regulator/rn5t618-regulator.c
> +++ b/drivers/regulator/rn5t618-regulator.c
> @@ -85,14 +85,17 @@ static int rn5t618_regulator_probe(struct
> platform_device *pdev)
> struct regulator_config config = { };
> struct regulator_dev *rdev;
> struct regulator_desc *regulators;
> + int num_regulators;
> int i;
>
> switch (rn5t618->variant) {
> case RN5T567:
> regulators = rn5t567_regulators;
> + num_regulators = ARRAY_SIZE(rn5t567_regulators);
> break;
> case RN5T618:
> regulators = rn5t618_regulators;
> + num_regulators = ARRAY_SIZE(rn5t618_regulators);
> break;
> default:
> return -EINVAL;
> @@ -101,10 +104,7 @@ static int rn5t618_regulator_probe(struct
> platform_device *pdev)
> config.dev = pdev->dev.parent;
> config.regmap = rn5t618->regmap;
>
> - for (i = 0; i < RN5T618_REG_NUM; i++) {
> - if (!regulators[i].name)
> - continue;
> -
> + for (i = 0; i < num_regulators; i++) {
> rdev = devm_regulator_register(&pdev->dev,
> ®ulators[i],
> &config);
> diff --git a/include/linux/mfd/rn5t618.h b/include/linux/mfd/rn5t618.h
> index e5a6cde..d7b3155 100644
> --- a/include/linux/mfd/rn5t618.h
> +++ b/include/linux/mfd/rn5t618.h
> @@ -233,7 +233,6 @@ enum {
> RN5T618_LDO5,
> RN5T618_LDORTC1,
> RN5T618_LDORTC2,
> - RN5T618_REG_NUM,
> };
>
> enum {
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH RESEND] regulator: rn5t618: Fix out of bounds array access
2017-04-15 16:53 ` Stefan Agner
@ 2017-04-16 1:12 ` Axel Lin
2017-04-16 3:30 ` Axel Lin
2017-04-16 5:30 ` Stefan Agner
0 siblings, 2 replies; 5+ messages in thread
From: Axel Lin @ 2017-04-16 1:12 UTC (permalink / raw)
To: Stefan Agner
Cc: Lee Jones, Marcel Ziswiler, Mark Brown, Liam Girdwood, linux-kernel
2017-04-16 0:53 GMT+08:00 Stefan Agner <stefan@agner.ch>:
> On 2017-04-15 07:52, Axel Lin wrote:
>> The commit "regulator: rn5t618: Add RN5T567 PMIC support" added
>> RN5T618_DCDC4 to the enum, then RN5T618_REG_NUM is also changed.
>> So for rn5t618, there is out of bounds array access when checking
>> regulators[i].name in the for loop.
>
> I use designated initializers ([RN5T618_##rid] = {..), which guarantee
> that the non initialized elements are zero. The highest element LDORTC2
> is defined, hence the length of the array should be RN5T618_REG_NUM.
ok, I missed that. Then current code is fine.
Though the meaing of RN5T618_REG_NUM seems misleading to me as different
variant has differnt number of regulators.
Thanks for the review,
Axel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH RESEND] regulator: rn5t618: Fix out of bounds array access
2017-04-16 1:12 ` Axel Lin
@ 2017-04-16 3:30 ` Axel Lin
2017-04-16 5:30 ` Stefan Agner
1 sibling, 0 replies; 5+ messages in thread
From: Axel Lin @ 2017-04-16 3:30 UTC (permalink / raw)
To: Stefan Agner
Cc: Lee Jones, Marcel Ziswiler, Mark Brown, Liam Girdwood, linux-kernel
2017-04-16 9:12 GMT+08:00 Axel Lin <axel.lin@ingics.com>:
> 2017-04-16 0:53 GMT+08:00 Stefan Agner <stefan@agner.ch>:
>> On 2017-04-15 07:52, Axel Lin wrote:
>>> The commit "regulator: rn5t618: Add RN5T567 PMIC support" added
>>> RN5T618_DCDC4 to the enum, then RN5T618_REG_NUM is also changed.
>>> So for rn5t618, there is out of bounds array access when checking
>>> regulators[i].name in the for loop.
>>
>> I use designated initializers ([RN5T618_##rid] = {..), which guarantee
>> that the non initialized elements are zero. The highest element LDORTC2
>> is defined, hence the length of the array should be RN5T618_REG_NUM.
>
> ok, I missed that. Then current code is fine.
I just realize my patch is wrong due to the use of designated initializers.
Regards,
Axel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH RESEND] regulator: rn5t618: Fix out of bounds array access
2017-04-16 1:12 ` Axel Lin
2017-04-16 3:30 ` Axel Lin
@ 2017-04-16 5:30 ` Stefan Agner
1 sibling, 0 replies; 5+ messages in thread
From: Stefan Agner @ 2017-04-16 5:30 UTC (permalink / raw)
To: Axel Lin
Cc: Lee Jones, Marcel Ziswiler, Mark Brown, Liam Girdwood, linux-kernel
On 2017-04-15 18:12, Axel Lin wrote:
> 2017-04-16 0:53 GMT+08:00 Stefan Agner <stefan@agner.ch>:
>> On 2017-04-15 07:52, Axel Lin wrote:
>>> The commit "regulator: rn5t618: Add RN5T567 PMIC support" added
>>> RN5T618_DCDC4 to the enum, then RN5T618_REG_NUM is also changed.
>>> So for rn5t618, there is out of bounds array access when checking
>>> regulators[i].name in the for loop.
>>
>> I use designated initializers ([RN5T618_##rid] = {..), which guarantee
>> that the non initialized elements are zero. The highest element LDORTC2
>> is defined, hence the length of the array should be RN5T618_REG_NUM.
>
> ok, I missed that. Then current code is fine.
> Though the meaing of RN5T618_REG_NUM seems misleading to me as different
> variant has differnt number of regulators.
Yeah I admit the code is somewhat unobvious as it is now. But it allowed
me to add RN5T567 support without changing the existing array and the
preprocessor macro.
--
Stefan
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-04-16 5:31 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-04-15 14:52 [PATCH RESEND] regulator: rn5t618: Fix out of bounds array access Axel Lin
2017-04-15 16:53 ` Stefan Agner
2017-04-16 1:12 ` Axel Lin
2017-04-16 3:30 ` Axel Lin
2017-04-16 5:30 ` Stefan Agner
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.