linux-stable.git/drivers/base/regmap, branch linux-3.4.y Linux kernel stable tree regmap: debugfs: Don't bother actually printing when calculating max length 2016-04-27T10:55:23+00:00 Mark Brown broonie@kernel.org 2015-09-19T14:12:34+00:00 42bffe1abdfe0543b54c0d29550e9a2bcd9edd34 commit 176fc2d5770a0990eebff903ba680d2edd32e718 upstream. The in kernel snprintf() will conveniently return the actual length of the printed string even if not given an output beffer at all so just do that rather than relying on the user to pass in a suitable buffer, ensuring that we don't need to worry if the buffer was truncated due to the size of the buffer passed in. Reported-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Zefan Li <lizefan@huawei.com> 
commit 176fc2d5770a0990eebff903ba680d2edd32e718 upstream.

The in kernel snprintf() will conveniently return the actual length of
the printed string even if not given an output beffer at all so just do
that rather than relying on the user to pass in a suitable buffer,
ensuring that we don't need to worry if the buffer was truncated due to
the size of the buffer passed in.

Reported-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Zefan Li <lizefan@huawei.com>
regmap: debugfs: Ensure we don't underflow when printing access masks 2016-04-27T10:55:22+00:00 Mark Brown broonie@kernel.org 2015-09-19T14:00:18+00:00 f4524d728fa32ea451c6034a6dccba0159ecc153 commit b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 upstream. If a read is attempted which is smaller than the line length then we may underflow the subtraction we're doing with the unsigned size_t type so move some of the calculation to be additions on the right hand side instead in order to avoid this. Reported-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Zefan Li <lizefan@huawei.com> 
commit b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 upstream.

If a read is attempted which is smaller than the line length then we may
underflow the subtraction we're doing with the unsigned size_t type so
move some of the calculation to be additions on the right hand side
instead in order to avoid this.

Reported-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Zefan Li <lizefan@huawei.com>
regmap: Fix regmap_bulk_read in BE mode 2015-10-22T01:20:04+00:00 Arun Chandran achandran@mvista.com 2015-06-15T10:29:02+00:00 2cd65577af5bb06910596361166f8eb1b5bbc491 commit 15b8d2c41fe5839582029f65c5f7004db451cc2b upstream. In big endian mode regmap_bulk_read gives incorrect data for byte reads. This is because memcpy of a single byte from an address after full word read gives different results when endianness differs. ie. we get little-end in LE and big-end in BE. Signed-off-by: Arun Chandran <achandran@mvista.com> Signed-off-by: Mark Brown <broonie@kernel.org> [lizf: Backported to 3.4: format_val() takes only two arguments] Signed-off-by: Zefan Li <lizefan@huawei.com> 
commit 15b8d2c41fe5839582029f65c5f7004db451cc2b upstream.

In big endian mode regmap_bulk_read gives incorrect data
for byte reads.

This is because memcpy of a single byte from an address
after full word read gives different results when
endianness differs. ie. we get little-end in LE and big-end in BE.

Signed-off-by: Arun Chandran <achandran@mvista.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
[lizf: Backported to 3.4: format_val() takes only two arguments]
Signed-off-by: Zefan Li <lizefan@huawei.com>
regmap: fix possible ZERO_SIZE_PTR pointer dereferencing error. 2015-02-02T09:04:44+00:00 Xiubo Li Li.Xiubo@freescale.com 2014-09-28T09:09:54+00:00 65b412cc6708ed1c5ce325a790a31f12f80ef6ba commit d6b41cb06044a7d895db82bdd54f6e4219970510 upstream. Since we cannot make sure the 'val_count' will always be none zero here, and then if it equals to zero, the kmemdup() will return ZERO_SIZE_PTR, which equals to ((void *)16). So this patch fix this with just doing the zero check before calling kmemdup(). Signed-off-by: Xiubo Li <Li.Xiubo@freescale.com> Signed-off-by: Mark Brown <broonie@kernel.org> [lizf: Backported to 3.4: release mutex before returning EINVAL] Signed-off-by: Zefan Li <lizefan@huawei.com> 
commit d6b41cb06044a7d895db82bdd54f6e4219970510 upstream.

Since we cannot make sure the 'val_count' will always be none zero
here, and then if it equals to zero, the kmemdup() will return
ZERO_SIZE_PTR, which equals to ((void *)16).

So this patch fix this with just doing the zero check before calling
kmemdup().

Signed-off-by: Xiubo Li <Li.Xiubo@freescale.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
[lizf: Backported to 3.4: release mutex before returning EINVAL]
Signed-off-by: Zefan Li <lizefan@huawei.com>
regmap: debugfs: fix possbile NULL pointer dereference 2015-02-02T09:04:44+00:00 Xiubo Li Li.Xiubo@freescale.com 2014-09-28T03:35:25+00:00 a3f3ff3879234e3dc92f4a5b3e08500b0e483b2e commit 2c98e0c1cc6b8e86f1978286c3d4e0769ee9d733 upstream. If 'map->dev' is NULL and there will lead dev_name() to be NULL pointer dereference. So before dev_name(), we need to have check of the map->dev pionter. We also should make sure that the 'name' pointer shouldn't be NULL for debugfs_create_dir(). So here using one default "dummy" debugfs name when the 'name' pointer and 'map->dev' are both NULL. Signed-off-by: Xiubo Li <Li.Xiubo@freescale.com> Signed-off-by: Mark Brown <broonie@kernel.org> [lizf: Backported to 3.4: dev_name() is passed to debugfs_create_dir() in 3.4] Signed-off-by: Zefan Li <lizefan@huawei.com> 
commit 2c98e0c1cc6b8e86f1978286c3d4e0769ee9d733 upstream.

If 'map->dev' is NULL and there will lead dev_name() to be NULL pointer
dereference. So before dev_name(), we need to have check of the map->dev
pionter.

We also should make sure that the 'name' pointer shouldn't be NULL for
debugfs_create_dir(). So here using one default "dummy" debugfs name when
the 'name' pointer and 'map->dev' are both NULL.

Signed-off-by: Xiubo Li <Li.Xiubo@freescale.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
[lizf: Backported to 3.4: dev_name() is passed to debugfs_create_dir() in 3.4]
Signed-off-by: Zefan Li <lizefan@huawei.com>
regmap: Fix handling of volatile registers for format_write() chips 2014-12-01T10:02:20+00:00 Mark Brown broonie@linaro.org 2014-08-26T11:12:17+00:00 219fb6410b9e4ba3a3a28c12c73579eef921cb31 commit 5844a8b9d98ec11ce1d77610daacf3f0a0e14715 upstream. A previous over-zealous factorisation of code means that we only treat registers as volatile if they are readable. For most devices this is fine since normally most registers can be read and volatility implies readability but for format_write() devices where there is no readback from the hardware and we use volatility to mean simply uncacheability this means that we end up treating all registers as cacheble. A bigger refactoring of the code to clarify this is in order but as a fix make a minimal change and only check readability when checking volatility if there is no format_write() operation defined for the device. Signed-off-by: Mark Brown <broonie@linaro.org> Tested-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Zefan Li <lizefan@huawei.com> 
commit 5844a8b9d98ec11ce1d77610daacf3f0a0e14715 upstream.

A previous over-zealous factorisation of code means that we only treat
registers as volatile if they are readable. For most devices this is fine
since normally most registers can be read and volatility implies
readability but for format_write() devices where there is no readback from
the hardware and we use volatility to mean simply uncacheability this means
that we end up treating all registers as cacheble.

A bigger refactoring of the code to clarify this is in order but as a fix
make a minimal change and only check readability when checking volatility
if there is no format_write() operation defined for the device.

Signed-off-by: Mark Brown <broonie@linaro.org>
Tested-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Zefan Li <lizefan@huawei.com>
regmap: silence GCC warning 2013-09-08T04:58:14+00:00 Paul Bolle pebolle@tiscali.nl 2012-10-08T20:06:30+00:00 ff289c1fa9e4ca50d0ec0197678fa565f7b65d1b commit a8f28cfad8cd44d7c34b166d0e5ace1125dbee1f upstream. Building regmap.o triggers this GCC warning: drivers/base/regmap/regmap.c: In function ‘regmap_raw_read’: drivers/base/regmap/regmap.c:1172:6: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized] Long story short: Jakub Jelinek pointed out that there is a type mismatch between 'num' in regmap_volatile_range() and 'val_count' in regmap_raw_read(). And indeed, converting 'num' to the type of 'val_count' (ie, size_t) makes this warning go away. Signed-off-by: Paul Bolle <pebolle@tiscali.nl> Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit a8f28cfad8cd44d7c34b166d0e5ace1125dbee1f upstream.

Building regmap.o triggers this GCC warning:
    drivers/base/regmap/regmap.c: In function ‘regmap_raw_read’:
    drivers/base/regmap/regmap.c:1172:6: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized]

Long story short: Jakub Jelinek pointed out that there is a type
mismatch between 'num' in regmap_volatile_range() and 'val_count' in
regmap_raw_read(). And indeed, converting 'num' to the type of
'val_count' (ie, size_t) makes this warning go away.

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
regmap: cache Fix regcache-rbtree sync 2013-04-12T16:38:43+00:00 Lars-Peter Clausen lars@metafoo.de 2013-03-13T15:38:33+00:00 6ec0e8e15ecc310464185db7820c5d30be409d1e commit 8abac3ba51b5525354e9b2ec0eed1c9e95c905d9 upstream. The last register block, which falls into the specified range, is not handled correctly. The formula which calculates the number of register which should be synced is inverse (and off by one). E.g. if all registers in that block should be synced only one is synced, and if only one should be synced all (but one) are synced. To calculate the number of registers that need to be synced we need to subtract the number of the first register in the block from the max register number and add one. This patch updates the code accordingly. The issue was introduced in commit ac8d91c ("regmap: Supply ranges to the sync operations"). Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 8abac3ba51b5525354e9b2ec0eed1c9e95c905d9 upstream.

The last register block, which falls into the specified range, is not handled
correctly. The formula which calculates the number of register which should be
synced is inverse (and off by one). E.g. if all registers in that block should
be synced only one is synced, and if only one should be synced all (but one) are
synced. To calculate the number of registers that need to be synced we need to
subtract the number of the first register in the block from the max register
number and add one. This patch updates the code accordingly.

The issue was introduced in commit ac8d91c ("regmap: Supply ranges to the sync
operations").

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
regmap: debugfs: Avoid overflows for very small reads 2013-01-17T16:50:54+00:00 Mark Brown broonie@opensource.wolfsonmicro.com 2012-12-10T16:14:11+00:00 ba1de754297ed6756f0a6281f3e41a0ef9ff0d77 commit db04328c167ff8e7c57f4a3532214aeada3a82fd upstream. If count is less than the size of a register then we may hit integer wraparound when trying to move backwards to check if we're still in the buffer. Instead move the position forwards to check if it's still in the buffer, we are unlikely to be able to allocate a buffer sufficiently big to overflow here. Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit db04328c167ff8e7c57f4a3532214aeada3a82fd upstream.

If count is less than the size of a register then we may hit integer
wraparound when trying to move backwards to check if we're still in
the buffer. Instead move the position forwards to check if it's still
in the buffer, we are unlikely to be able to allocate a buffer
sufficiently big to overflow here.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
regmap: fix possible memory corruption in regmap_bulk_read() 2012-05-09T14:44:11+00:00 Laxman Dewangan ldewangan@nvidia.com 2012-05-09T12:13:12+00:00 6560ffd1ccd688152393dc7c35dbdcc33140633b The function regmap_bulk_read() calls the regmap_read() for each register if set of register has volatile and cache is enabled. In this case, last few register read makes the memory corruption if the register size is not the size of unsigned int. The regam_read() takes argument as unsigned int for returning value and it update the value as *val = map->format.parse_val(map->work_buf); This causes complete 4 bytes (size of unsigned int) to get written. Now if client pass the memory pointer for value which is equal to the required size of register count in regmap_bulk_read() then last few register read actually update the memory beyond passed pointer size. Avoid this by using local variable for read and then do memcpy() for actual byte copy to passed pointer based on register size. I allocated one pointer ptr and take first 16 bytes dump of that pointer then call regmap_bulk_read() with pointer which is just on top of this allocated pointer and register count of 128. Here register size is 1 byte. The memory trace of last 5 register read are as follows: [ 5.438589] regmap_bulk_read after regamp_read() for register 122 [ 5.447421] 0xef993c20 0xef993c00 0x00000000 0x00000001 [ 5.467535] regmap_bulk_read after regamp_read() for register 123 [ 5.476374] 0xef993c20 0xef993c00 0x00000000 0x00000001 [ 5.496425] regmap_bulk_read after regamp_read() for register 124 [ 5.505260] 0xef993c20 0xef993c00 0x00000000 0x00000001 [ 5.525372] regmap_bulk_read after regamp_read() for register 125 [ 5.534205] 0xef993c00 0xef993c00 0x00000000 0x00000001 [ 5.554258] regmap_bulk_read after regamp_read() for register 126 [ 5.563100] 0xef990000 0xef993c00 0x00000000 0x00000001 [ 5.554258] regmap_bulk_read after regamp_read() for register 127 [ 5.587108] 0xef000000 0xef993c00 0x00000000 0x00000001 Here it is observed that the memory content at first word started changing on last 3 regmap_read() and so corruption happened. Signed-off-by: Laxman Dewangan <ldewangan@nvidia.com> Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com> 
The function regmap_bulk_read() calls the regmap_read() for
each register if set of register has volatile and cache is
enabled. In this case, last few register read makes the memory
corruption if the register size is not the size of unsigned int.
The regam_read() takes argument as unsigned int for returning
value and it update the value as
	*val = map->format.parse_val(map->work_buf);
This causes complete 4 bytes (size of unsigned int) to get written.
Now if client pass the memory pointer for value which is equal to the
required size of register count in regmap_bulk_read() then last few
register read actually update the memory beyond passed pointer size.

Avoid this by using local variable for read and then do memcpy()
for actual byte copy to passed pointer based on register size.

I allocated one pointer ptr and take first 16 bytes dump of that
pointer then call regmap_bulk_read() with pointer which is just
on top of this allocated pointer and register count of 128. Here
register size is 1 byte.
The memory trace of last 5 register read are as follows:

[    5.438589] regmap_bulk_read after regamp_read() for register 122
[    5.447421] 0xef993c20 0xef993c00 0x00000000 0x00000001
[    5.467535] regmap_bulk_read after regamp_read() for register 123
[    5.476374] 0xef993c20 0xef993c00 0x00000000 0x00000001
[    5.496425] regmap_bulk_read after regamp_read() for register 124
[    5.505260] 0xef993c20 0xef993c00 0x00000000 0x00000001
[    5.525372] regmap_bulk_read after regamp_read() for register 125
[    5.534205] 0xef993c00 0xef993c00 0x00000000 0x00000001
[    5.554258] regmap_bulk_read after regamp_read() for register 126
[    5.563100] 0xef990000 0xef993c00 0x00000000 0x00000001
[    5.554258] regmap_bulk_read after regamp_read() for register 127
[    5.587108] 0xef000000 0xef993c00 0x00000000 0x00000001

Here it is observed that the memory content at first word started changing
on last 3 regmap_read() and so corruption happened.

Signed-off-by: Laxman Dewangan <ldewangan@nvidia.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>