kernel_optimize_test/drivers/nvmem
Stephen Boyd 57e4888640 nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
commit 5d388fa01fa6eb310ac023a363a6cb216d9d8fe9 upstream.

If a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic

 *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0);

will become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we
subtract one from that making a large number that is then shifted more than the
number of bits that fit into an unsigned long.

UBSAN reports this problem:

 UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8
 shift exponent 64 is too large for 64-bit type 'unsigned long'
 CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9
 Hardware name: Google Lazor (rev3+) with KB Backlight (DT)
 Workqueue: events_unbound deferred_probe_work_func
 Call trace:
  dump_backtrace+0x0/0x170
  show_stack+0x24/0x30
  dump_stack_lvl+0x64/0x7c
  dump_stack+0x18/0x38
  ubsan_epilogue+0x10/0x54
  __ubsan_handle_shift_out_of_bounds+0x180/0x194
  __nvmem_cell_read+0x1ec/0x21c
  nvmem_cell_read+0x58/0x94
  nvmem_cell_read_variable_common+0x4c/0xb0
  nvmem_cell_read_variable_le_u32+0x40/0x100
  a6xx_gpu_init+0x170/0x2f4
  adreno_bind+0x174/0x284
  component_bind_all+0xf0/0x264
  msm_drm_bind+0x1d8/0x7a0
  try_to_bring_up_master+0x164/0x1ac
  __component_add+0xbc/0x13c
  component_add+0x20/0x2c
  dp_display_probe+0x340/0x384
  platform_probe+0xc0/0x100
  really_probe+0x110/0x304
  __driver_probe_device+0xb8/0x120
  driver_probe_device+0x4c/0xfc
  __device_attach_driver+0xb0/0x128
  bus_for_each_drv+0x90/0xdc
  __device_attach+0xc8/0x174
  device_initial_probe+0x20/0x2c
  bus_probe_device+0x40/0xa4
  deferred_probe_work_func+0x7c/0xb8
  process_one_work+0x128/0x21c
  process_scheduled_works+0x40/0x54
  worker_thread+0x1ec/0x2a8
  kthread+0x138/0x158
  ret_from_fork+0x10/0x20

Fix it by making sure there are any bits to mask out.

Fixes: 69aba7948c ("nvmem: Add a simple NVMEM framework for consumers")
Cc: Douglas Anderson <dianders@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20211013124511.18726-1-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-10-20 11:45:01 +02:00
..
bcm-ocotp.c
core.c nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells 2021-10-20 11:45:01 +02:00
imx-iim.c
imx-ocotp-scu.c nvmem: imx: scu: correct the fuse word index 2020-01-10 13:52:12 +01:00
imx-ocotp.c nvmem: imx-ocotp: Improve logic to save many code lines 2020-05-15 16:20:02 +02:00
jz4780-efuse.c nvmem: jz4780-efuse: Use PTR_ERR_OR_ZERO() to simplify code 2020-05-15 16:20:02 +02:00
Kconfig nvmem: update Kconfig description 2020-07-29 17:12:09 +02:00
lpc18xx_eeprom.c
lpc18xx_otp.c
Makefile nvmem: core: remove nvmem_sysfs_get_groups() 2020-03-25 19:23:49 +01:00
meson-efuse.c firmware: meson_sm: Rework driver as a proper platform driver 2019-10-03 08:43:33 -07:00
meson-mx-efuse.c nvmem: meson-mx-efuse: allow reading data smaller than word_size 2019-08-18 12:56:52 +02:00
mtk-efuse.c nvmem: mtk-efuse: Remove EFUSE register write support 2020-09-17 18:48:23 +02:00
mxs-ocotp.c nvmem: mxs-ocotp: Use devm_add_action_or_reset() for cleanup 2020-03-23 20:05:23 +01:00
qcom-spmi-sdam.c nvmem: qcom-spmi-sdam: Fix uninitialized pdev pointer 2021-03-04 11:38:39 +01:00
qfprom.c nvmem: qfprom: Fix up qfprom_disable_fuse_blowing() ordering 2021-09-18 13:40:26 +02:00
rave-sp-eeprom.c
rockchip-efuse.c
rockchip-otp.c nvmem: add Rockchip OTP driver 2019-11-05 18:35:33 +01:00
sc27xx-efuse.c nvmem: sc27xx: add sc2730 efuse support 2020-07-29 17:12:08 +02:00
snvs_lpgpr.c
sprd-efuse.c nvmem: sprd: Fix return value of sprd_efuse_probe() 2020-07-29 17:12:08 +02:00
stm32-romem.c
sunxi_sid.c nvmem: sunxi_sid: fix A64 SID controller support 2019-08-18 12:56:52 +02:00
uniphier-efuse.c
vf610-ocotp.c
zynqmp_nvmem.c firmware: xilinx: Remove eemi ops for get_chipid 2020-04-28 15:45:06 +02:00