From: Dan Carpenter <dan.carpenter@oracle.com>
To: Michael Turquette <mturquette@baylibre.com>,
Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Cc: Stephen Boyd <sboyd@kernel.org>,
linux-clk@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] clk: visconti: prevent array overflow in visconti_clk_register_gates()
Date: Wed, 16 Mar 2022 11:35:33 +0300 [thread overview]
Message-ID: <20220316083533.GA30941@kili> (raw)
This code was using -1 to represent that there was no reset function.
Unfortunately, the -1 was stored in u8 so the if (clks[i].rs_id >= 0)
condition was always true. This lead to an out of bounds access in
visconti_clk_register_gates().
Fixes: b4cbe606dc36 ("clk: visconti: Add support common clock driver and reset driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/clk/visconti/clkc.h | 3 +++
drivers/clk/visconti/clkc-tmpv770x.c | 2 +-
drivers/clk/visconti/clkc.c | 2 +-
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/visconti/clkc.h b/drivers/clk/visconti/clkc.h
index 09ed82ff64e4..8756a1ec42ef 100644
--- a/drivers/clk/visconti/clkc.h
+++ b/drivers/clk/visconti/clkc.h
@@ -73,4 +73,7 @@ int visconti_clk_register_gates(struct visconti_clk_provider *data,
int num_gate,
const struct visconti_reset_data *reset,
spinlock_t *lock);
+
+#define NO_RESET 0xFF
+
#endif /* _VISCONTI_CLKC_H_ */
diff --git a/drivers/clk/visconti/clkc-tmpv770x.c b/drivers/clk/visconti/clkc-tmpv770x.c
index c2b2f41a85a4..6c753b2cb558 100644
--- a/drivers/clk/visconti/clkc-tmpv770x.c
+++ b/drivers/clk/visconti/clkc-tmpv770x.c
@@ -176,7 +176,7 @@ static const struct visconti_clk_gate_table clk_gate_tables[] = {
{ TMPV770X_CLK_WRCK, "wrck",
clks_parent_data, ARRAY_SIZE(clks_parent_data),
0, 0x68, 0x168, 9, 32,
- -1, }, /* No reset */
+ NO_RESET, },
{ TMPV770X_CLK_PICKMON, "pickmon",
clks_parent_data, ARRAY_SIZE(clks_parent_data),
0, 0x10, 0x110, 8, 4,
diff --git a/drivers/clk/visconti/clkc.c b/drivers/clk/visconti/clkc.c
index 56a8a4ffebca..d0b193b5d0b3 100644
--- a/drivers/clk/visconti/clkc.c
+++ b/drivers/clk/visconti/clkc.c
@@ -147,7 +147,7 @@ int visconti_clk_register_gates(struct visconti_clk_provider *ctx,
if (!dev_name)
return -ENOMEM;
- if (clks[i].rs_id >= 0) {
+ if (clks[i].rs_id != NO_RESET) {
rson_offset = reset[clks[i].rs_id].rson_offset;
rsoff_offset = reset[clks[i].rs_id].rsoff_offset;
rs_idx = reset[clks[i].rs_id].rs_idx;
--
2.20.1
next reply other threads:[~2022-03-16 8:35 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-16 8:35 Dan Carpenter [this message]
2022-03-17 5:19 ` [PATCH] clk: visconti: prevent array overflow in visconti_clk_register_gates() nobuhiro1.iwamatsu
2022-03-17 19:21 ` Stephen Boyd
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220316083533.GA30941@kili \
--to=dan.carpenter@oracle.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-clk@vger.kernel.org \
--cc=mturquette@baylibre.com \
--cc=nobuhiro1.iwamatsu@toshiba.co.jp \
--cc=sboyd@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.