Message-ID: <20160614185108.GF28218@codeaurora.org>
Date:	Tue, 14 Jun 2016 11:51:08 -0700
From:	Stephen Boyd <sboyd@...eaurora.org>
To:	Linus Walleij <linus.walleij@...aro.org>
Cc:	lee.jones@...aro.org, linux-kernel@...r.kernel.org,
	Bjorn Andersson <bjorn.andersson@...aro.org>,
	stable@...r.kernel.org
Subject: Re: [PATCH] mfd: qcom_rpm: fix offset error for msm8660

On 06/14, Linus Walleij wrote:
> The RPM in MSM8660/APQ8060 has different offsets to the selector
> ACK and request context ACK registers. Make all these register
> offsets part of the per-SoC data and assign the right values.
> 
> The bug was found by verifying backwards to the vendor tree in
> the out-of-tree files <mach/rpm-[8660|8064|8960]>: all were using
> offsets 3,11,15,23 except the MSM8660/APQ8060 which was using
> offsets 3,11,19,27.
> 
> Cc: stable@...r.kernel.org
> Fixes: 58e214382bdd ("mfd: qcom-rpm: Driver for the Qualcomm RPM")
> Cc: Björn Andersson <bjorn.andersson@...aro.org>
> Cc: Stephen Boyd <sboyd@...eaurora.org>
> Signed-off-by: Linus Walleij <linus.walleij@...aro.org>

Good catch! That macro maze is fun.

> ---
>  drivers/mfd/qcom_rpm.c | 37 +++++++++++++++++++++++++++----------
>  1 file changed, 27 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/mfd/qcom_rpm.c b/drivers/mfd/qcom_rpm.c
> index 4f589cf75549..82cc7986e1ca 100644
> --- a/drivers/mfd/qcom_rpm.c
> +++ b/drivers/mfd/qcom_rpm.c
> @@ -34,7 +34,11 @@ struct qcom_rpm_resource {
>  struct qcom_rpm_data {
>  	u32 version;
>  	const struct qcom_rpm_resource *resource_table;
> -	unsigned n_resources;
> +	unsigned int n_resources;
> +	unsigned int req_ctx_off;
> +	unsigned int req_sel_off;
> +	unsigned int ack_ctx_off;
> +	unsigned int ack_sel_off;
>  };
>  
>  struct qcom_rpm {
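Review bot: The four new offset fields in struct qcom_rpm_data carry no comment saying which register block each one locates or what unit it is in, and a per-SoC table that leaves one unset will silently get offset 0. Suggest a short kernel-doc comment stating that they are indexes passed to RPM_CTRL_REG(), and confirm that every qcom_rpm_data instance initialises all four. The n_resources change from "unsigned" to "unsigned int" is unrelated cleanup; for a fix tagged for stable it would be cleaner as a separate patch.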
> @@ -61,10 +65,6 @@ struct qcom_rpm {
>  
>  #define RPM_REQUEST_TIMEOUT	(5 * HZ)
>  
> -#define RPM_REQUEST_CONTEXT	3
> -#define RPM_REQ_SELECT		11
> -#define RPM_ACK_CONTEXT		15
> -#define RPM_ACK_SELECTOR	23
>  #define RPM_SELECT_SIZE		7

The RPM_SELECT_SIZE is 7 on 8660, but now you've pointed out that
otherwise the size is 4. I think you've uncovered another bug.

>  
>  #define RPM_NOTIFICATION	BIT(30)
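Review bot: RPM_SELECT_SIZE stays a single global 7 in this hunk while the four offsets beside it become per-SoC. With the offsets from the commit message (select at 11 and ack context at 15 on everything except MSM8660/APQ8060), only 4 words separate the two blocks, so the size looks SoC-dependent as well. Suggest moving it into struct qcom_rpm_data next to the offsets, or adding a comment that explains why 7 is valid for every SoC.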
> @@ -398,10 +414,10 @@ int qcom_rpm_write(struct qcom_rpm *rpm,
>  	bitmap_set((unsigned long *)sel_mask, res->select_id, 1);
>  	for (i = 0; i < ARRAY_SIZE(sel_mask); i++) {
>  		writel_relaxed(sel_mask[i],
> -			       RPM_CTRL_REG(rpm, RPM_REQ_SELECT + i));
> +			       RPM_CTRL_REG(rpm, rpm->data->req_sel_off + i));
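Review bot: The loop bound is still ARRAY_SIZE(sel_mask), so the number of words written at req_sel_off + i does not depend on the SoC even though the start offset now does. Nothing checks that req_sel_off + i stays below ack_ctx_off; suggest bounding the loop by a per-SoC select size, or at least adding a one-time sanity check that the select block ends before ack_ctx_off.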

Here we write from 0 to ARRAY_SIZE(sel_mask) which is 7. That
would mean we write into the ack context that starts at 15 (we
start writing at req_sel_off which is always 11). Oops.

-- 
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project
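
The overrun described in the reply above, replayed against a simulated register window. This is an added example, not code from the patch or the driver: the struct and function names, the 32-word window and the ascending block order are assumptions, and the offsets are the ones quoted in the commit message.

```c
#include <stdint.h>
#include <stdio.h>

#define CTRL_WORDS 32	/* size of the simulated window (assumption) */

/* Hypothetical mirror of the four per-SoC offsets the patch introduces. */
struct rpm_layout {
	const char *name;
	unsigned int req_ctx_off, req_sel_off, ack_ctx_off, ack_sel_off;
};

/* Offsets as quoted in the commit message. */
static const struct rpm_layout layout_8660  = { "msm8660/apq8060", 3, 11, 19, 27 };
static const struct rpm_layout layout_other = { "8064/8960", 3, 11, 15, 23 };

/* Words available between the request selector and the ack context block. */
static unsigned int max_select_words(const struct rpm_layout *l)
{
	return l->ack_ctx_off - l->req_sel_off;
}

/*
 * Replay a select write loop of n words starting at req_sel_off and count
 * how many of those writes land at or past ack_ctx_off.
 */
static unsigned int clobbered_words(const struct rpm_layout *l, unsigned int n)
{
	uint32_t win[CTRL_WORDS] = { 0 };
	unsigned int i, hit = 0;

	for (i = 0; i < n && l->req_sel_off + i < CTRL_WORDS; i++)
		win[l->req_sel_off + i] = 0xffffffffu;	/* stands in for writel_relaxed() */

	for (i = l->ack_ctx_off; i < CTRL_WORDS; i++)
		hit += (win[i] != 0);
	return hit;
}

int main(void)
{
	const struct rpm_layout *all[] = { &layout_8660, &layout_other };

	for (unsigned int i = 0; i < 2; i++)
		printf("%-16s room for %u select words; a 7-word loop overruns by %u\n",
		       all[i]->name, max_select_words(all[i]),
		       clobbered_words(all[i], 7));
	return 0;
}
```

The same comparison of req_sel_off plus the select size against ack_ctx_off can be run once over each per-SoC table as a sanity check.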
