From patchwork Thu Feb 19 08:40:39 2015
X-Patchwork-Submitter: Srinivas Kandagatla
X-Patchwork-Id: 5850671
From: Srinivas Kandagatla
To: Mark Brown
Subject: [PATCH 1/2] regmap: Add range check in _regmap_raw_read()
Date: Thu, 19 Feb 2015 08:40:39 +0000
Message-Id: <1424335239-7475-1-git-send-email-srinivas.kandagatla@linaro.org>
In-Reply-To: <1424335193-7431-1-git-send-email-srinivas.kandagatla@linaro.org>
References: <1424335193-7431-1-git-send-email-srinivas.kandagatla@linaro.org>
Cc: Greg Kroah-Hartman, Srinivas Kandagatla, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org

regmap_bulk_read() ends up using the path that invokes _regmap_raw_read(), however _regmap_raw_read() never checks if the registers that are accessed are actually readable or within the accessible range. This results in kernel crashes when trying to access registers beyond max_registers.

Without this patch I hit below kernel crash:

Unable to handle kernel paging request at virtual address f0167000
pgd = ecea0000
[f0167000] *pgd=ad822811, *pte=00000000, *ppte=00000000
Internal error: Oops: 7 [#1] SMP ARM
Modules linked in:
CPU: 1 PID: 739 Comm: cat Tainted: G L 3.19.0-00008-g1efb3d7-dirty #915
Hardware name: Qualcomm (Flattened Device Tree)
task: ecbbd0c0 ti: ec9fc000 task.ti: ec9fc000
PC is at regmap_mmio_read+0xf8/0x138
LR is at irq_work_queue+0x14/0x98
pc : [] lr : [] psr: 600f0093
sp : ec9fdd90 ip : 00000001 fp : ec9fddb4
r10: 00001000 r9 : c115a2a8 r8 : edae3940
r7 : edae38c0 r6 : ed9d5000 r5 : 00001000 r4 : 00001000
r3 : f0166000 r2 : 00000007 r1 : 00000000 r0 : 00000019
Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
Control: 10c5787d Table: acea006a DAC: 00000015
Process cat (pid: 739, stack limit = 0xec9fc248)
Stack: (0xec9fdd90 to 0xec9fe000)
[] (regmap_mmio_read) from [] (_regmap_raw_read+0xc4/0x1d0)
[] (_regmap_raw_read) from [] (regmap_raw_read+0x134/0x158)
[] (regmap_raw_read) from [] (regmap_bulk_read+0x17c/0x1c4)
[] (regmap_bulk_read) from [] (bin_attr_eeprom_read+0x7c/0xb4)
[] (bin_attr_eeprom_read) from [] (sysfs_kf_bin_read+0x68/0xa0)
[] (sysfs_kf_bin_read) from [] (kernfs_fop_read+0x9c/0x16c)
[] (kernfs_fop_read) from [] (__vfs_read+0x28/0x5c)
[] (__vfs_read) from [] (vfs_read+0x8c/0x110)
[] (vfs_read) from [] (SyS_read+0x4c/0x98)
[] (SyS_read) from [] (ret_fast_syscall+0x0/0x34)
Code: eb091d03 e3a00000 e89da9f8 e5973000 (e7d32004)

Signed-off-by: Srinivas Kandagatla
---
 drivers/base/regmap/regmap.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c index d2f8a81..d480e49 100644 --- a/drivers/base/regmap/regmap.c +++ b/drivers/base/regmap/regmap.c @@ -2036,10 +2036,15 @@ static int _regmap_raw_read(struct regmap *map, unsigned int reg, void *val, { struct regmap_range_node *range; u8 *u8 = map->work_buf; - int ret; + int ret, i, count = val_len/map->format.val_bytes; WARN_ON(!map->bus); + /* Check for readable registers before we start */ + for (i = 0; i < count; i++) + if (!regmap_readable(map, reg + (i * map->reg_stride))) + return -EINVAL; + range = _regmap_range_lookup(map, reg); if (range) { ret = _regmap_select_page(map, ®, range,
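
Review bot: the added `count = val_len/map->format.val_bytes` in the declaration rounds down, so when val_len is not a whole multiple of format.val_bytes the trailing partial register is never passed to regmap_readable(), and a val_len smaller than val_bytes skips the new check entirely. Consider rejecting such lengths with -EINVAL before the loop, or rounding the count up so the last register touched is also validated. The loop also calls regmap_readable() once per register on every raw read and sits ahead of _regmap_range_lookup(), so the comment should say why the check belongs here and that it operates on the register number before page selection. Style: the multi-line `for` body should have braces, and the `/` needs spaces around it.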