tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

clk: visconti: prevent array overflow in visconti_clk_register_gates()

This code was using -1 to represent that there was no reset function.
Unfortunately, the -1 was stored in u8 so the if (clks[i].rs_id >= 0)
condition was always true. This lead to an out of bounds access in
visconti_clk_register_gates().

Fixes: b4cbe606dc36 ("clk: visconti: Add support common clock driver and reset driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220316083533.GA30941@kili
Acked-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>

authored by

Dan Carpenter and committed by
Stephen Boyd c5601e07 e783362e

+5 -2
+1 -1
drivers/clk/visconti/clkc-tmpv770x.c
··· 176 176 { TMPV770X_CLK_WRCK, "wrck", 177 177 clks_parent_data, ARRAY_SIZE(clks_parent_data), 178 178 0, 0x68, 0x168, 9, 32, 179 - -1, }, /* No reset */ 179 + NO_RESET, }, 180 180 { TMPV770X_CLK_PICKMON, "pickmon", 181 181 clks_parent_data, ARRAY_SIZE(clks_parent_data), 182 182 0, 0x10, 0x110, 8, 4,
+1 -1
drivers/clk/visconti/clkc.c
··· 147 147 if (!dev_name) 148 148 return -ENOMEM; 149 149 150 - if (clks[i].rs_id >= 0) { 150 + if (clks[i].rs_id != NO_RESET) { 151 151 rson_offset = reset[clks[i].rs_id].rson_offset; 152 152 rsoff_offset = reset[clks[i].rs_id].rsoff_offset; 153 153 rs_idx = reset[clks[i].rs_id].rs_idx;
+3
drivers/clk/visconti/clkc.h
··· 73 73 int num_gate, 74 74 const struct visconti_reset_data *reset, 75 75 spinlock_t *lock); 76 + 77 + #define NO_RESET 0xFF 78 + 76 79 #endif /* _VISCONTI_CLKC_H_ */