
[PATCH v2 2/2] intel/pinctrl: check capability offset is between MMIO region


  • To: <linux-kernel@xxxxxxxxxxxxxxx>
  • From: Roger Pau Monne <roger.pau@xxxxxxxxxx>
  • Date: Wed, 24 Mar 2021 16:43:12 +0100
  • Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, Mika Westerberg <mika.westerberg@xxxxxxxxxxxxxxx>, Andy Shevchenko <andy@xxxxxxxxxx>, Linus Walleij <linus.walleij@xxxxxxxxxx>, <linux-gpio@xxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 24 Mar 2021 15:43:54 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

When parsing the capability list make sure the offset is between the
MMIO region mapped in 'regs', or else the kernel hits a page fault.

Adding the check is harmless, and prevents buggy or broken systems
from crashing the kernel if the capability linked list is somehow
broken.

Fixes: 91d898e51e60 ('pinctrl: intel: Convert capability list to features')
Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
---
Changes since v1:
 - Adjust commit message.
---
Cc: Mika Westerberg <mika.westerberg@xxxxxxxxxxxxxxx>
Cc: Andy Shevchenko <andy@xxxxxxxxxx>
Cc: Linus Walleij <linus.walleij@xxxxxxxxxx>
Cc: linux-gpio@xxxxxxxxxxxxxxx
---
 drivers/pinctrl/intel/pinctrl-intel.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/pinctrl/intel/pinctrl-intel.c 
b/drivers/pinctrl/intel/pinctrl-intel.c
index 59d13342caf6..d45a6994b2a3 100644
--- a/drivers/pinctrl/intel/pinctrl-intel.c
+++ b/drivers/pinctrl/intel/pinctrl-intel.c
@@ -1481,16 +1481,22 @@ static int intel_pinctrl_probe(struct platform_device 
*pdev,
 
        for (i = 0; i < pctrl->ncommunities; i++) {
                struct intel_community *community = &pctrl->communities[i];
+               struct resource *res;
                void __iomem *regs;
+               size_t size;
                u32 offset;
                u32 value;
 
                *community = pctrl->soc->communities[i];
 
-               regs = devm_platform_ioremap_resource(pdev, community->barno);
+               regs = devm_platform_get_and_ioremap_resource(pdev,
+                                                             community->barno,
+                                                             &res);
                if (IS_ERR(regs))
                        return PTR_ERR(regs);
 
+               size = res->end - res->start;
+
                /* Determine community features based on the revision */
                value = readl(regs + REVID);
                if (value == ~0u)
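
Review bot: `size = res->end - res->start;` is one byte short of the mapped length, because a struct resource range includes `end`; use `size = resource_size(res);` so the bound used later matches what was actually ioremapped. As written the error is on the safe side (the limit is one byte stricter than the mapping), but open-coded length arithmetic is easy to copy with the mistake in the other direction. Separately, `readl(regs + REVID)` just below is still issued before anything is compared against `size`, so a resource too small to contain REVID would not be caught by this change.
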
@@ -1521,6 +1527,12 @@ static int intel_pinctrl_probe(struct platform_device 
*pdev,
                                break;
                        }
                        offset = (value & CAPLIST_NEXT_MASK) >> 
CAPLIST_NEXT_SHIFT;
+                       if (offset >= size) {
+                               dev_err(&pdev->dev,
+                                       "wrong capability offset: %#x\n",
+                                       offset);
+                               return -ENOENT;
+                       }
                } while (offset);
 
                dev_dbg(&pdev->dev, "Community%d features: %#08x\n", i, 
community->features);
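
Review bot: the new `offset >= size` test bounds only the first byte of the next capability entry, and it does not stop a list that loops. If the entry at `offset` is read as a 32-bit word (the read itself is outside this hunk, so this is inferred from the `readl()` use on REVID), an offset in the last three bytes of the region still passes; checking that `offset + sizeof(u32)` does not exceed `size`, and rejecting unaligned offsets, would close that. A next pointer that refers back to an earlier in-range entry also passes the test on every pass, and `while (offset)` then never exits, so a cap on the number of iterations is worth adding. The `dev_err()` message could also include the community index `i` so the failing region can be identified.
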
-- 
2.30.1




 

