On Sun, 31 Dec 2023 22:56:44 +0800
zhouzhouyi@xxxxxxxxx wrote:
> From: "zhili.liu" <zhili.liu@xxxxxxxxxxx>
>
> Recently, we encounter kernel crash in function rm3100_common_probe
> caused by out of bound access of array rm3100_samp_rates (because of
> underlying hardware failures). Add boundary check to prevent out of
> bound access.
>
> Suggested-by: Zhouyi Zhou <zhouzhouyi@xxxxxxxxx>
> Signed-off-by: zhili.liu <zhili.liu@xxxxxxxxxxx>
Please provide a Fixes tag so we know how far back to backport this.
Seems like a reasonable bit of hardening against potential hardware issues.
However it would be cleaner with a local variable used for the index.
See inline.
Jonathan
> ---
> The format of the previous patch was a bit problematic,
> we are sending it again.
>
> Sorry for the trouble.
>
> Thank you very much.
> --
> drivers/iio/magnetometer/rm3100-core.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/iio/magnetometer/rm3100-core.c b/drivers/iio/magnetometer/rm3100-core.c
> index 69938204456f..fc50b6d4a334 100644
> --- a/drivers/iio/magnetometer/rm3100-core.c
> +++ b/drivers/iio/magnetometer/rm3100-core.c
> @@ -586,6 +586,12 @@ int rm3100_common_probe(struct device *dev, struct regmap *regmap, int irq)
> ret = regmap_read(regmap, RM3100_REG_TMRC, &tmp);
> if (ret < 0)
> return ret;
> +
> + if (tmp < RM3100_SAMP_NUM || tmp - RM3100_TMRC_OFFSET >= RM3100_SAMP_NUM) {
Just a local variable of
int samp_rate_index = tmp - RM3100_TMRC_OFFSET;
Check that for negative or >= RM3100_SAMP_NUM
> + dev_err(dev, "The value read from RM3100_REG_TMRC is invalid!\n");
> + return -EINVAL;
> + }
> +
> /* Initializing max wait time, which is double conversion time. */
> data->conversion_time = rm3100_samp_rates[tmp - RM3100_TMRC_OFFSET][2]
> * 2;
