From patchwork Thu Feb 19 08:40:39 2015
X-Patchwork-Submitter: Srinivas Kandagatla
X-Patchwork-Id: 44804
From: Srinivas Kandagatla
To: Mark Brown
Cc: Greg Kroah-Hartman, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Srinivas Kandagatla
Subject: [PATCH 1/2] regmap: Add range check in _regmap_raw_read()
Date: Thu, 19 Feb 2015 08:40:39 +0000
Message-Id: <1424335239-7475-1-git-send-email-srinivas.kandagatla@linaro.org>
In-Reply-To: <1424335193-7431-1-git-send-email-srinivas.kandagatla@linaro.org>

regmap_bulk_read() ends up using the path that invokes _regmap_raw_read(), however _regmap_raw_read() never checks if the registers that are accessed are actually readable or within the accessible range. This results in kernel crashes when trying to access registers beyond max_registers.

Without this patch I hit below kernel crash:

Unable to handle kernel paging request at virtual address f0167000
pgd = ecea0000
[f0167000] *pgd=ad822811, *pte=00000000, *ppte=00000000
Internal error: Oops: 7 [#1] SMP ARM
Modules linked in:
CPU: 1 PID: 739 Comm: cat Tainted: G L 3.19.0-00008-g1efb3d7-dirty #915
Hardware name: Qualcomm (Flattened Device Tree)
task: ecbbd0c0 ti: ec9fc000 task.ti: ec9fc000
PC is at regmap_mmio_read+0xf8/0x138
LR is at irq_work_queue+0x14/0x98
pc : [] lr : [] psr: 600f0093
sp : ec9fdd90 ip : 00000001 fp : ec9fddb4
r10: 00001000 r9 : c115a2a8 r8 : edae3940
r7 : edae38c0 r6 : ed9d5000 r5 : 00001000 r4 : 00001000
r3 : f0166000 r2 : 00000007 r1 : 00000000 r0 : 00000019
Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
Control: 10c5787d Table: acea006a DAC: 00000015
Process cat (pid: 739, stack limit = 0xec9fc248)
Stack: (0xec9fdd90 to 0xec9fe000)
dd80: ed9d5000 edacc400 00000000 eda0a210
dda0: 00001000 00001000 ec9fddfc ec9fddb8 c06854d4 c068aa28 00001000 c109f26c
ddc0: c1160148 600f0013 ed9d5000 00001000 ec9fde3c edacc400 00002000 00001000
dde0: 00000001 00001000 00001002 00001000 ec9fde3c ec9fde00 c0685714 c068541c
de00: 00000000 ed9d5000 00000000 00000000 ec9fde3c 00001000 edacc400 00000001
de20: ed9d5000 00001000 00000001 00001000 ec9fde7c ec9fde40 c06858b4 c06855ec
de40: c0e12d3c ec9fde74 ec9fde6c ec9fde58 c0ade1a8 edacc608 00001000 ed9d5000
de60: 00001000 edacc400 00000000 ed9d6000 ec9fdeb4 ec9fde80 c0900ec8 c0685744
de80: 00001000 00000000 ed9d6000 ed9d5000 00000000 00000000 00001000 00000000
dea0: 00001000 00001000 ec9fdef4 ec9fdeb8 c03a9b60 c0900e58 00001000 00000000
dec0: 00001000 0000a46f ec9fdf44 edfb1900 ec9fdf78 ed9d6000 0001c000 00001000
dee0: 00000000 edfb190c ec9fdf2c ec9fdef8 c03a92c0 c03a9b04 00001000 00000000
df00: 00000000 c0b00d70 0001c000 00010000 ec9fdf78 00010000 ec9fc000 0001c000
df20: ec9fdf44 ec9fdf30 c0347024 c03a9230 ec9fdf78 ec823c00 ec9fdf74 ec9fdf48
df40: c03470e4 c0347008 c03624fc c036246c 00001000 00000000 ec823c00 ec823c00
df60: 00010000 0001c000 ec9fdfa4 ec9fdf78 c03471b4 c0347064 00001000 00000000
df80: 00010000 00001000 0001c000 00000003 c020f2e4 00000000 00000000 ec9fdfa8
dfa0: c020f140 c0347174 00010000 00001000 00000003 0001c000 00010000 0001c000
dfc0: 00010000 00001000 0001c000 00000003 7fffe000 00000001 00000000 00000000
dfe0: 00000000 bef1e5bc 0000b649 b6f29916 600f0030 00000003 00000000 00000000
[] (regmap_mmio_read) from [] (_regmap_raw_read+0xc4/0x1d0)
[] (_regmap_raw_read) from [] (regmap_raw_read+0x134/0x158)
[] (regmap_raw_read) from [] (regmap_bulk_read+0x17c/0x1c4)
[] (regmap_bulk_read) from [] (bin_attr_eeprom_read+0x7c/0xb4)
[] (bin_attr_eeprom_read) from [] (sysfs_kf_bin_read+0x68/0xa0)
[] (sysfs_kf_bin_read) from [] (kernfs_fop_read+0x9c/0x16c)
[] (kernfs_fop_read) from [] (__vfs_read+0x28/0x5c)
[] (__vfs_read) from [] (vfs_read+0x8c/0x110)
[] (vfs_read) from [] (SyS_read+0x4c/0x98)
[] (SyS_read) from [] (ret_fast_syscall+0x0/0x34)
Code: eb091d03 e3a00000 e89da9f8 e5973000 (e7d32004)

Signed-off-by: Srinivas Kandagatla
---
 drivers/base/regmap/regmap.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c index d2f8a81..d480e49 100644 --- a/drivers/base/regmap/regmap.c +++ b/drivers/base/regmap/regmap.c @@ -2036,10 +2036,15 @@ static int _regmap_raw_read(struct regmap *map, unsigned int reg, void *val, { struct regmap_range_node *range; u8 *u8 = map->work_buf; - int ret; + int ret, i, count = val_len/map->format.val_bytes; WARN_ON(!map->bus); + /* Check for readable registers before we start */ + for (i = 0; i < count; i++) + if (!regmap_readable(map, reg + (i * map->reg_stride))) + return -EINVAL; + range = _regmap_range_lookup(map, reg); if (range) { ret = _regmap_select_page(map, ®, range,
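
Review bot: the declaration `int ret, i, count = val_len/map->format.val_bytes;` computes the register count with a truncating division, so a val_len that is not a multiple of map->format.val_bytes leaves the trailing partial register unchecked, and a val_len smaller than val_bytes gives count = 0 and skips the readable check entirely. Consider rejecting such lengths with -EINVAL before the loop, or rounding the count up. The result is also stored in a signed int next to the loop index; an unsigned type for both would avoid sign and width surprises with large lengths. Style: the for loop has a multi-line body and wants braces, and the initializer reads better as a separate assignment with spaces around `/`. Since the loop now runs once per register on every raw read, the comment above it should say why a per-register walk is needed rather than a check of only the first and last register; the commit message mentions max_registers, but the comment does not say whether unreadable holes inside the span are the concern.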