From: Dan Carpenter <dan.carpenter@oracle.com>
To: kbuild@lists.01.org, Tyrone Ting <kfting@nuvoton.com>
Cc: lkp@intel.com, kbuild-all@lists.01.org,
Linux Memory Management List <linux-mm@kvack.org>,
Wolfram Sang <wsa-dev@sang-engineering.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Subject: [linux-next:master 1342/8914] drivers/i2c/busses/i2c-npcm7xx.c:639 npcm_i2c_slave_enable() error: buffer overflow 'npcm_i2caddr' 2 <= 9
Date: Tue, 12 Jul 2022 17:01:21 +0300 [thread overview]
Message-ID: <202207110811.lWIJpo4l-lkp@intel.com> (raw)
Hi Tyrone,
First bad commit (maybe != root cause):
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head: f2528c29385819a84480cacef4886b049761e2c5
commit: bbc38ed53a02a759d8e5c01e834eca49304a2315 [1342/8914] i2c: npcm: Support NPCM845
config: microblaze-randconfig-m031-20220706 (https://download.01.org/0day-ci/archive/20220711/202207110811.lWIJpo4l-lkp@intel.com/config)
compiler: microblaze-linux-gcc (GCC) 11.3.0
If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
drivers/i2c/busses/i2c-npcm7xx.c:639 npcm_i2c_slave_enable() error: buffer overflow 'npcm_i2caddr' 2 <= 9
vim +/npcm_i2caddr +639 drivers/i2c/busses/i2c-npcm7xx.c
f54736925a4f83 Tali Perry 2020-05-27 607 static int npcm_i2c_slave_enable(struct npcm_i2c *bus, enum i2c_addr addr_type,
f54736925a4f83 Tali Perry 2020-05-27 608 u8 addr, bool enable)
f54736925a4f83 Tali Perry 2020-05-27 609 {
f54736925a4f83 Tali Perry 2020-05-27 610 u8 i2cctl1;
f54736925a4f83 Tali Perry 2020-05-27 611 u8 i2cctl3;
f54736925a4f83 Tali Perry 2020-05-27 612 u8 sa_reg;
f54736925a4f83 Tali Perry 2020-05-27 613
f54736925a4f83 Tali Perry 2020-05-27 614 sa_reg = (addr & 0x7F) | FIELD_PREP(NPCM_I2CADDR_SAEN, enable);
f54736925a4f83 Tali Perry 2020-05-27 615 if (addr_type == I2C_GC_ADDR) {
f54736925a4f83 Tali Perry 2020-05-27 616 i2cctl1 = ioread8(bus->reg + NPCM_I2CCTL1);
f54736925a4f83 Tali Perry 2020-05-27 617 if (enable)
f54736925a4f83 Tali Perry 2020-05-27 618 i2cctl1 |= NPCM_I2CCTL1_GCMEN;
f54736925a4f83 Tali Perry 2020-05-27 619 else
f54736925a4f83 Tali Perry 2020-05-27 620 i2cctl1 &= ~NPCM_I2CCTL1_GCMEN;
f54736925a4f83 Tali Perry 2020-05-27 621 iowrite8(i2cctl1, bus->reg + NPCM_I2CCTL1);
f54736925a4f83 Tali Perry 2020-05-27 622 return 0;
47d506d1a28fd1 Tali Perry 2022-05-25 623 } else if (addr_type == I2C_ARP_ADDR) {
f54736925a4f83 Tali Perry 2020-05-27 624 i2cctl3 = ioread8(bus->reg + NPCM_I2CCTL3);
f54736925a4f83 Tali Perry 2020-05-27 625 if (enable)
f54736925a4f83 Tali Perry 2020-05-27 626 i2cctl3 |= I2CCTL3_ARPMEN;
f54736925a4f83 Tali Perry 2020-05-27 627 else
f54736925a4f83 Tali Perry 2020-05-27 628 i2cctl3 &= ~I2CCTL3_ARPMEN;
f54736925a4f83 Tali Perry 2020-05-27 629 iowrite8(i2cctl3, bus->reg + NPCM_I2CCTL3);
f54736925a4f83 Tali Perry 2020-05-27 630 return 0;
f54736925a4f83 Tali Perry 2020-05-27 631 }
47d506d1a28fd1 Tali Perry 2022-05-25 632 if (addr_type > I2C_SLAVE_ADDR2 && addr_type <= I2C_SLAVE_ADDR10)
47d506d1a28fd1 Tali Perry 2022-05-25 633 dev_err(bus->dev, "try to enable more than 2 SA not supported\n");
This prints an error message for values 2-10, but allows 0-1,11,12.
Maybe the intention here was to return -EINVAL? It seldom makes sense
to print an error and then go forward with an out of bounds access.
47d506d1a28fd1 Tali Perry 2022-05-25 634
f54736925a4f83 Tali Perry 2020-05-27 635 if (addr_type >= I2C_ARP_ADDR)
^^^^^^^^^^^^
This is addr_type >= 11 so Smatch complains that npcm_i2caddr[] only has
two elements. My personal Smatch run with the cross function DB says
that addr_type is always 0 so it doesn't complain.
However, one rule of kernel style is that we do not allow stub code and
also to a human reader this code really does look buggy... :/
f54736925a4f83 Tali Perry 2020-05-27 636 return -EFAULT;
47d506d1a28fd1 Tali Perry 2022-05-25 637
f54736925a4f83 Tali Perry 2020-05-27 638 /* Set and enable the address */
f54736925a4f83 Tali Perry 2020-05-27 @639 iowrite8(sa_reg, bus->reg + npcm_i2caddr[addr_type]);
f54736925a4f83 Tali Perry 2020-05-27 640 npcm_i2c_slave_int_enable(bus, enable);
47d506d1a28fd1 Tali Perry 2022-05-25 641
f54736925a4f83 Tali Perry 2020-05-27 642 return 0;
f54736925a4f83 Tali Perry 2020-05-27 643 }
--
0-DAY CI Kernel Test Service
https://01.org/lkp
next reply other threads:[~2022-07-12 16:48 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-12 14:01 Dan Carpenter [this message]
2022-07-13 7:34 ` KFTING
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202207110811.lWIJpo4l-lkp@intel.com \
--to=dan.carpenter@oracle.com \
--cc=andriy.shevchenko@linux.intel.com \
--cc=kbuild-all@lists.01.org \
--cc=kbuild@lists.01.org \
--cc=kfting@nuvoton.com \
--cc=linux-mm@kvack.org \
--cc=lkp@intel.com \
--cc=wsa-dev@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox