This is a note to let you know that I've just added the patch titled
platform/mellanox: mlxreg-io: Fix argument base in kstrtou32() call
to the 5.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
platform-mellanox-mlxreg-io-fix-argument-base-in-kstrtou32-call.patch
and it can be found in the queue-5.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 9b024201693e397441668cca0d2df7055fe572eb Mon Sep 17 00:00:00 2001
From: Vadim Pasternak <vadimp@xxxxxxxxxx>
Date: Mon, 27 Sep 2021 17:22:13 +0300
Subject: platform/mellanox: mlxreg-io: Fix argument base in kstrtou32() call
From: Vadim Pasternak <vadimp@xxxxxxxxxx>
commit 9b024201693e397441668cca0d2df7055fe572eb upstream.
Change kstrtou32() argument 'base' to be zero instead of 'len'.
It works by chance for setting one bit value, but it is not supposed to
work in case value passed to mlxreg_io_attr_store() is greater than 1.
It works for example, for:
echo 1 > /sys/devices/platform/mlxplat/mlxreg-io/hwmon/.../jtag_enable
But it will fail for:
echo n > /sys/devices/platform/mlxplat/mlxreg-io/hwmon/.../jtag_enable,
where n > 1.
The flow for input buffer conversion is as below:
_kstrtoull(const char *s, unsigned int base, unsigned long long *res)
calls:
rv = _parse_integer(s, base, &_res);
For the second case, where n > 1:
- _parse_integer() converts 's' to 'val'.
For n=2, 'len' is set to 2 (string buffer is 0x32 0x0a), for n=3
'len' is set to 3 (string buffer 0x33 0x0a), etcetera.
- 'base' is equal or greater then '2' (length of input buffer).
As a result, _parse_integer() exits with result zero (rv):
rv = 0;
while (1) {
...
if (val >= base)-> (2 >= 2)
break;
...
rv++;
...
}
And _kstrtoull() in their turn will fail:
if (rv == 0)
return -EINVAL;
Fixes: 5ec4a8ace06c ("platform/mellanox: Introduce support for Mellanox register access driver")
Signed-off-by: Vadim Pasternak <vadimp@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20210927142214.2613929-2-vadimp@xxxxxxxxxx
Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/platform/mellanox/mlxreg-io.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/platform/mellanox/mlxreg-io.c
+++ b/drivers/platform/mellanox/mlxreg-io.c
@@ -141,7 +141,7 @@ mlxreg_io_attr_store(struct device *dev,
return -EINVAL;
/* Convert buffer to input value. */
- ret = kstrtou32(buf, len, &input_val);
+ ret = kstrtou32(buf, 0, &input_val);
if (ret)
return ret;
Patches currently in stable-queue which might be from vadimp@xxxxxxxxxx are
queue-5.14/mlxsw-thermal-fix-out-of-bounds-memory-accesses.patch
queue-5.14/platform-mellanox-mlxreg-io-fix-argument-base-in-kstrtou32-call.patch
queue-5.14/platform-mellanox-mlxreg-io-fix-read-access-of-n-bytes-size-attributes.patch
