diff options
author | Bjorn Andersson <bjorn.andersson@linaro.org> | 2020-05-14 18:36:43 -0700 |
---|---|---|
committer | Kishon Vijay Abraham I <kishon@ti.com> | 2020-05-18 19:30:56 +0530 |
commit | 72f039db491e59396edbaa39595d0865aee055ee (patch) | |
tree | 3e156f6a5e9547393e50165406466a46e7ffcae1 | |
parent | 81530a38a36d411e01ea99116503901f75aa758b (diff) |
phy: qcom-qmp: Ensure register indirection arrays initialized
It's possible that struct qmp_phy_cfg->regs references an array that is
smaller than the possible register lookups that is going to be
performed, with the resulting out-of-bounds read resulting in undefined
behavior.
One such example is when during qcom_qmp_phy_com_init() performs a
qphy_setbits() on entry QPHY_PCS_POWER_DOWN_CONTROL (i.e. 17) with
msm8996_ufsphy_regs_layout only being 12 entries long.
Solve this by inflating all "regs_layout" arrays to ensure that any
remaining entries are zero-initialized, as expected by the code.
Fixes: e4d8b05ad5f9 ("phy: qcom-qmp: Use proper PWRDOWN offset for sm8150 USB")
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20200515013643.2081941-1-bjorn.andersson@linaro.org
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
-rw-r--r-- | drivers/phy/qualcomm/phy-qcom-qmp.c | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/drivers/phy/qualcomm/phy-qcom-qmp.c b/drivers/phy/qualcomm/phy-qcom-qmp.c index 5942167320a3..c4bf5fd26fa0 100644 --- a/drivers/phy/qualcomm/phy-qcom-qmp.c +++ b/drivers/phy/qualcomm/phy-qcom-qmp.c @@ -120,14 +120,16 @@ enum qphy_reg_layout { QPHY_PCS_LFPS_RXTERM_IRQ_CLEAR, QPHY_PCS_LFPS_RXTERM_IRQ_STATUS, QPHY_PCS_POWER_DOWN_CONTROL, + /* Keep last to ensure regs_layout arrays are properly initialized */ + QPHY_LAYOUT_SIZE }; -static const unsigned int msm8996_ufsphy_regs_layout[] = { +static const unsigned int msm8996_ufsphy_regs_layout[QPHY_LAYOUT_SIZE] = { [QPHY_START_CTRL] = 0x00, [QPHY_PCS_READY_STATUS] = 0x168, }; -static const unsigned int pciephy_regs_layout[] = { +static const unsigned int pciephy_regs_layout[QPHY_LAYOUT_SIZE] = { [QPHY_COM_SW_RESET] = 0x400, [QPHY_COM_POWER_DOWN_CONTROL] = 0x404, [QPHY_COM_START_CONTROL] = 0x408, @@ -143,7 +145,7 @@ static const unsigned int pciephy_regs_layout[] = { [QPHY_PCS_STATUS] = 0x174, }; -static const unsigned int usb3phy_regs_layout[] = { +static const unsigned int usb3phy_regs_layout[QPHY_LAYOUT_SIZE] = { [QPHY_FLL_CNTRL1] = 0xc0, [QPHY_FLL_CNTRL2] = 0xc4, [QPHY_FLL_CNT_VAL_L] = 0xc8, @@ -157,7 +159,7 @@ static const unsigned int usb3phy_regs_layout[] = { [QPHY_PCS_LFPS_RXTERM_IRQ_STATUS] = 0x178, }; -static const unsigned int qmp_v3_usb3phy_regs_layout[] = { +static const unsigned int qmp_v3_usb3phy_regs_layout[QPHY_LAYOUT_SIZE] = { [QPHY_SW_RESET] = 0x00, [QPHY_START_CTRL] = 0x08, [QPHY_PCS_STATUS] = 0x174, @@ -166,31 +168,31 @@ static const unsigned int qmp_v3_usb3phy_regs_layout[] = { [QPHY_PCS_LFPS_RXTERM_IRQ_STATUS] = 0x170, }; -static const unsigned int sdm845_qmp_pciephy_regs_layout[] = { +static const unsigned int sdm845_qmp_pciephy_regs_layout[QPHY_LAYOUT_SIZE] = { [QPHY_SW_RESET] = 0x00, [QPHY_START_CTRL] = 0x08, [QPHY_PCS_STATUS] = 0x174, }; -static const unsigned int sdm845_qhp_pciephy_regs_layout[] = { +static const unsigned int sdm845_qhp_pciephy_regs_layout[QPHY_LAYOUT_SIZE] = { [QPHY_SW_RESET] = 0x00, [QPHY_START_CTRL] = 0x08, [QPHY_PCS_STATUS] = 0x2ac, }; -static const unsigned int qmp_v4_usb3phy_regs_layout[] = { +static const unsigned int qmp_v4_usb3phy_regs_layout[QPHY_LAYOUT_SIZE] = { [QPHY_SW_RESET] = 0x00, [QPHY_START_CTRL] = 0x44, [QPHY_PCS_STATUS] = 0x14, [QPHY_PCS_POWER_DOWN_CONTROL] = 0x40, }; -static const unsigned int sdm845_ufsphy_regs_layout[] = { +static const unsigned int sdm845_ufsphy_regs_layout[QPHY_LAYOUT_SIZE] = { [QPHY_START_CTRL] = 0x00, [QPHY_PCS_READY_STATUS] = 0x160, }; -static const unsigned int sm8150_ufsphy_regs_layout[] = { +static const unsigned int sm8150_ufsphy_regs_layout[QPHY_LAYOUT_SIZE] = { [QPHY_START_CTRL] = QPHY_V4_PCS_UFS_PHY_START, [QPHY_PCS_READY_STATUS] = QPHY_V4_PCS_UFS_READY_STATUS, [QPHY_SW_RESET] = QPHY_V4_PCS_UFS_SW_RESET, |