From: Mark Brown
To: Nicolas Boichat, Mark Brown
Cc: linux-spi@vger.kernel.org
In-Reply-To: <1451211426-20436-1-git-send-email-drinkcat@chromium.org>
Date: Wed, 30 Dec 2015 18:05:27 +0000
Subject: Applied "spi: mediatek: Prevent overflows in FIFO transfers" to the spi tree

The patch

   spi: mediatek: Prevent overflows in FIFO transfers

has been applied to the spi tree at

   git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

From de327e4966cdbad2b7053c84a6f591fbdc54f7cb Mon Sep 17 00:00:00 2001
From: Nicolas Boichat
Date: Sun, 27 Dec 2015 18:17:06 +0800
Subject: [PATCH] spi: mediatek: Prevent overflows in FIFO transfers

In the case where transfer length is not a multiple of 4, KASAN reports
2 out-of-bounds memory accesses:
 - mtk_spi_interrupt: ioread32_rep writes past the end of
   trans->rx_buf.
 - mtk_spi_fifo_transfer: iowrite32_rep reads past the end of
   xfer->tx_buf.

Fix this by using memcpy on the remainder of the bytes.

Signed-off-by: Nicolas Boichat
Signed-off-by: Mark Brown
---
 drivers/spi/spi-mt65xx.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c index 563954a61424..375d412dbf05 100644 --- a/drivers/spi/spi-mt65xx.c +++ b/drivers/spi/spi-mt65xx.c @@ -323,7 +323,8 @@ static int mtk_spi_fifo_transfer(struct spi_master *master, struct spi_device *spi, struct spi_transfer *xfer) { - int cnt; + int cnt, remainder; + u32 reg_val; struct mtk_spi *mdata = spi_master_get_devdata(master); mdata->cur_transfer = xfer; @@ -331,12 +332,16 @@ static int mtk_spi_fifo_transfer(struct spi_master *master, mtk_spi_prepare_transfer(master, xfer); mtk_spi_setup_packet(master); - if (xfer->len % 4) - cnt = xfer->len / 4 + 1; - else - cnt = xfer->len / 4; + cnt = xfer->len / 4; iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt); + remainder = xfer->len % 4; + if (remainder > 0) { + reg_val = 0; + memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder); + writel(reg_val, mdata->base + SPI_TX_DATA_REG); + } + mtk_spi_enable_transfer(master); return 1; @@ -418,7 +423,7 @@ static int mtk_spi_setup(struct spi_device *spi) static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) { - u32 cmd, reg_val, cnt; + u32 cmd, reg_val, cnt, remainder; struct spi_master *master = dev_id; struct mtk_spi *mdata = spi_master_get_devdata(master); struct spi_transfer *trans = mdata->cur_transfer; 
@@ -431,12 +436,15 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) if (!master->can_dma(master, master->cur_msg->spi, trans)) { if (trans->rx_buf) { - if (mdata->xfer_len % 4) - cnt = mdata->xfer_len / 4 + 1; - else - cnt = mdata->xfer_len / 4; + cnt = mdata->xfer_len / 4; ioread32_rep(mdata->base + SPI_RX_DATA_REG, trans->rx_buf, cnt); + remainder = mdata->xfer_len % 4; + if (remainder > 0) { + reg_val = readl(mdata->base + SPI_RX_DATA_REG); + memcpy(trans->rx_buf + (cnt * 4), + ®_val, remainder); + } } spi_finalize_current_transfer(master); return IRQ_HANDLED;
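
Review bot: in the declarations of mtk_spi_fifo_transfer (hunk @@ -323), cnt and remainder are signed int, while the same variables in mtk_spi_interrupt (hunk @@ -418) are u32, and both pairs are derived from an unsigned transfer length. remainder is always 0 to 3 so nothing overflows today, but cnt feeds the pointer offset cnt * 4 and remainder is passed to memcpy as a size; declaring both as u32 here would keep the TX and RX paths consistent and keep signed arithmetic out of an offset calculation.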
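
Review bot: the tail word in mtk_spi_fifo_transfer (hunk @@ -331) is written with writel() while the full words go through iowrite32_rep(), and the two do not share byte-order behaviour: iowrite32_rep() moves memory to the register without swapping, writel() is a little-endian accessor. On a little-endian kernel the result is the same, but on a big-endian build the last 1 to 3 bytes would land in a different order from the rest of the buffer. Writing the zero-padded word with iowrite32_rep(mdata->base + SPI_TX_DATA_REG, &reg_val, 1) would keep one convention, or a short comment could state that the driver assumes little-endian; the same applies to the readl() used for the tail in the interrupt handler.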
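
Review bot: in mtk_spi_interrupt (hunk @@ -431) the word count and the tail length are computed from mdata->xfer_len, but the destination is trans->rx_buf, whose size is set by the transfer itself. The ioread32_rep() and the memcpy to trans->rx_buf + (cnt * 4) stay in bounds only if mdata->xfer_len never exceeds the space left in trans->rx_buf, and the visible lines do not show that relationship. A one-line comment stating the invariant, or a check against the transfer's own length before the copy, would make the bound that this fix depends on explicit.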