Input: ads7846 - Expand xfer array to match usage

Commit Message

Kees Cook Nov. 17, 2024, 3:34 a.m. UTC

Commit 781a07da9bb9 ("Input: ads7846 - add dummy command register
clearing cycle") added commands to struct ser_req::xfer without
expanding it to hold them. Expand the array to the correct size.

../drivers/input/touchscreen/ads7846.c: In function 'ads7846_read12_ser':
../drivers/input/touchscreen/ads7846.c:416:18: error: array subscript 7 is above array bounds of 'struct spi_transfer[6]' [-Werror=array-bounds=]
  416 |         req->xfer[7].rx_buf = &req->scratch;
      |         ~~~~~~~~~^~~
../drivers/input/touchscreen/ads7846.c:334:33: note: while referencing 'xfer'
  334 |         struct spi_transfer     xfer[6];
      |                                 ^~~~

Fixes: 781a07da9bb9 ("Input: ads7846 - add dummy command register clearing cycle")
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Linus Walleij <linus.walleij@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Luca Ellero <l.ellero@asem.it>
Cc: linux-input@vger.kernel.org
---
 drivers/input/touchscreen/ads7846.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Marek Vasut Nov. 17, 2024, 10:06 p.m. UTC | #1

On 11/17/24 4:34 AM, Kees Cook wrote:
> Commit 781a07da9bb9 ("Input: ads7846 - add dummy command register
> clearing cycle") added commands to struct ser_req::xfer without
> expanding it to hold them. Expand the array to the correct size.
> 
> ../drivers/input/touchscreen/ads7846.c: In function 'ads7846_read12_ser':
> ../drivers/input/touchscreen/ads7846.c:416:18: error: array subscript 7 is above array bounds of 'struct spi_transfer[6]' [-Werror=array-bounds=]
>    416 |         req->xfer[7].rx_buf = &req->scratch;
>        |         ~~~~~~~~~^~~
> ../drivers/input/touchscreen/ads7846.c:334:33: note: while referencing 'xfer'
>    334 |         struct spi_transfer     xfer[6];
>        |                                 ^~~~
> 
> Fixes: 781a07da9bb9 ("Input: ads7846 - add dummy command register clearing cycle")
> Signed-off-by: Kees Cook <kees@kernel.org>
I think Nathan already sent a fix too.

Thanks !

Kees Cook Nov. 18, 2024, 4:39 a.m. UTC | #2

On Sun, Nov 17, 2024 at 11:06:27PM +0100, Marek Vasut wrote:
> On 11/17/24 4:34 AM, Kees Cook wrote:
> > Commit 781a07da9bb9 ("Input: ads7846 - add dummy command register
> > clearing cycle") added commands to struct ser_req::xfer without
> > expanding it to hold them. Expand the array to the correct size.
> > 
> > ../drivers/input/touchscreen/ads7846.c: In function 'ads7846_read12_ser':
> > ../drivers/input/touchscreen/ads7846.c:416:18: error: array subscript 7 is above array bounds of 'struct spi_transfer[6]' [-Werror=array-bounds=]
> >    416 |         req->xfer[7].rx_buf = &req->scratch;
> >        |         ~~~~~~~~~^~~
> > ../drivers/input/touchscreen/ads7846.c:334:33: note: while referencing 'xfer'
> >    334 |         struct spi_transfer     xfer[6];
> >        |                                 ^~~~
> > 
> > Fixes: 781a07da9bb9 ("Input: ads7846 - add dummy command register clearing cycle")
> > Signed-off-by: Kees Cook <kees@kernel.org>
> I think Nathan already sent a fix too.

Oh excellent! I did a search in lore before sending it but must have
failed to find it. Do you have a link to it?

-Kees

Dmitry Torokhov Nov. 18, 2024, 4:57 a.m. UTC | #3

On Sun, Nov 17, 2024 at 08:39:01PM -0800, Kees Cook wrote:
> On Sun, Nov 17, 2024 at 11:06:27PM +0100, Marek Vasut wrote:
> > On 11/17/24 4:34 AM, Kees Cook wrote:
> > > Commit 781a07da9bb9 ("Input: ads7846 - add dummy command register
> > > clearing cycle") added commands to struct ser_req::xfer without
> > > expanding it to hold them. Expand the array to the correct size.
> > > 
> > > ../drivers/input/touchscreen/ads7846.c: In function 'ads7846_read12_ser':
> > > ../drivers/input/touchscreen/ads7846.c:416:18: error: array subscript 7 is above array bounds of 'struct spi_transfer[6]' [-Werror=array-bounds=]
> > >    416 |         req->xfer[7].rx_buf = &req->scratch;
> > >        |         ~~~~~~~~~^~~
> > > ../drivers/input/touchscreen/ads7846.c:334:33: note: while referencing 'xfer'
> > >    334 |         struct spi_transfer     xfer[6];
> > >        |                                 ^~~~
> > > 
> > > Fixes: 781a07da9bb9 ("Input: ads7846 - add dummy command register clearing cycle")
> > > Signed-off-by: Kees Cook <kees@kernel.org>
> > I think Nathan already sent a fix too.
> 
> Oh excellent! I did a search in lore before sending it but must have
> failed to find it. Do you have a link to it?

I am pretty sure I applied the fix already, but I might have forgotten
to push it out. My workstation is offline at the moment, when it comes
back online I'll make sure the fix is there.

Thanks.

Patch

diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c
index 75e5b2e4368d..066dc04003fa 100644
--- a/drivers/input/touchscreen/ads7846.c
+++ b/drivers/input/touchscreen/ads7846.c
@@ -331,7 +331,7 @@  struct ser_req {
 	u8			ref_off;
 	u16			scratch;
 	struct spi_message	msg;
-	struct spi_transfer	xfer[6];
+	struct spi_transfer	xfer[8];
 	/*
 	 * DMA (thus cache coherency maintenance) requires the
 	 * transfer buffers to live in their own cache lines.