lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZJfB9zXhizbqmIrm@yilunxu-OptiPlex-7050>
Date:   Sun, 25 Jun 2023 12:26:31 +0800
From:   Xu Yilun <yilun.xu@...el.com>
To:     Russ Weight <russell.h.weight@...el.com>
Cc:     broonie@...nel.org, gregkh@...uxfoundation.org, rafael@...nel.org,
        linux-kernel@...r.kernel.org, matthew.gerlach@...ux.intel.com
Subject: Re: [PATCH 1/1] regmap: spi-avmm: Fix regmap_bus max_raw_write

On 2023-06-20 at 13:28:24 -0700, Russ Weight wrote:
> The max_raw_write member of the regmap_spi_avmm_bus structure is defined
> as:
> 	.max_raw_write = SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT
> 
> SPI_AVMM_VAL_SIZE == 4 and MAX_WRITE_CNT == 1 so this results in a
> maximum write transfer size of 4 bytes which provides only enough space to
> transfer the address of the target register. It provides no space for the
> value to be transferred. This bug became an issue (divide-by-zero in
> _regmap_raw_write()) after the following was accepted into mainline:
> 
> commit 3981514180c9 ("regmap: Account for register length when chunking")

Sorry for late reply.

IIUC, max_raw_write/read is the max batch *DATA* size that could be
handled by the receiver. reg addr bytes are not counted in. I'm not 100%
sure this is obeyed by all drivers. But see several examples:

static const struct regmap_config ar9331_mdio_regmap_config = {
	.reg_bits = 32,
	.val_bits = 32,
	.reg_stride = 4,
	[...]
};

static struct regmap_bus ar9331_sw_bus = {
	[...]
	.max_raw_read = 4,
	.max_raw_write = 4,
};

Another one:

static struct regmap_config qca8k_regmap_config = {
	.reg_bits = 16,
	.val_bits = 32,
	.reg_stride = 4,
	[...]
	.max_raw_read = 32, /* mgmt eth can read/write up to 8 registers at time */
	.max_raw_write = 32,
}

And regmap-spi.c:

static const struct regmap_bus *regmap_get_spi_bus(struct spi_device *spi,
						   const struct regmap_config *config)
{
	size_t max_size = spi_max_transfer_size(spi);
	size_t max_msg_size, reg_reserve_size;
	struct regmap_bus *bus;

	if (max_size != SIZE_MAX) {
		bus = kmemdup(&regmap_spi, sizeof(*bus), GFP_KERNEL);
		if (!bus)
			return ERR_PTR(-ENOMEM);

		max_msg_size = spi_max_message_size(spi);
		reg_reserve_size = config->reg_bits / BITS_PER_BYTE
				 + config->pad_bits / BITS_PER_BYTE;
		if (max_size + reg_reserve_size > max_msg_size)
			max_size -= reg_reserve_size;

		bus->free_on_exit = true;
		bus->max_raw_read = max_size;
		bus->max_raw_write = max_size;

		return bus;
	}

	return &regmap_spi;
}

So I'm not sure if commit 3981514180c9 is actually necessary.

Thanks,
Yilun

> 
> Change max_raw_write to include space (4 additional bytes) for both the
> register address and value:
> 
> 	.max_raw_write = SPI_AVMM_REG_SIZE + SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT


> 
> Fixes: 7f9fb67358a2 ("regmap: add Intel SPI Slave to AVMM Bus Bridge support")
> Reviewed-by: Matthew Gerlach <matthew.gerlach@...ux.intel.com>
> Signed-off-by: Russ Weight <russell.h.weight@...el.com>
> ---
>  drivers/base/regmap/regmap-spi-avmm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/base/regmap/regmap-spi-avmm.c b/drivers/base/regmap/regmap-spi-avmm.c
> index 4c2b94b3e30b..6af692844c19 100644
> --- a/drivers/base/regmap/regmap-spi-avmm.c
> +++ b/drivers/base/regmap/regmap-spi-avmm.c
> @@ -660,7 +660,7 @@ static const struct regmap_bus regmap_spi_avmm_bus = {
>  	.reg_format_endian_default = REGMAP_ENDIAN_NATIVE,
>  	.val_format_endian_default = REGMAP_ENDIAN_NATIVE,
>  	.max_raw_read = SPI_AVMM_VAL_SIZE * MAX_READ_CNT,
> -	.max_raw_write = SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT,
> +	.max_raw_write = SPI_AVMM_REG_SIZE + SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT,
>  	.free_context = spi_avmm_bridge_ctx_free,
>  };
>  
> -- 
> 2.25.1
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ