[u-boot-dm,03/39] regmap: fix a serious pointer casting bug

Message ID	20210307042538.21229-4-marek.behun@nic.cz
State	Superseded
Delegated to:	Tom Rini
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: =?utf-8?q?Marek_Beh=C3=BAn?= <marek.behun@nic.cz> To: u-boot@lists.denx.de, Simon Glass <sjg@chromium.org>, Heiko Schocher <hs@denx.de>, Patrick Delaunay <patrick.delaunay@st.com>, Patrice CHOTARD <patrice.chotard@foss.st.com>, Miquel Raynal <miquel.raynal@bootlin.com>, Tom Rini <trini@konsulko.com>, =?utf-8?q?Pali_Roh=C3=A1r?= <pali@kernel.org>, Stefan Roese <sr@denx.de>, Heinrich Schuchardt <xypron.glpk@gmx.de>, Alexander Graf <agraf@csgraf.de>, Marek Vasut <marex@denx.de>, Neil Armstrong <narmstrong@baylibre.com>, Ryder Lee <ryder.lee@mediatek.com>, Adam Ford <aford173@gmail.com>, Bin Meng <bmeng.cn@gmail.com> Cc: =?utf-8?q?Marek_Beh=C3=BAn?= <marek.behun@nic.cz> Subject: [PATCH u-boot-dm 03/39] regmap: fix a serious pointer casting bug Date: Sun, 7 Mar 2021 05:25:02 +0100 Message-Id: <20210307042538.21229-4-marek.behun@nic.cz> In-Reply-To: <20210307042538.21229-1-marek.behun@nic.cz> References: <20210307042538.21229-1-marek.behun@nic.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	U-Boot LTO (Sandbox + Some ARM boards) \| expand [u-boot,00/39] U-Boot LTO (Sandbox + Some ARM boards) [u-boot-marvell,01/39] ddr: marvell: axp: align signature of mv_xor_mem_init() with a38x [u-boot-marvell,02/39] ddr: marvell: axp: fix array types have different bounds warning [u-boot-dm,03/39] regmap: fix a serious pointer casting bug [u-boot,04/39] api: fix a potential serious bug caused by undef CONFIG_SYS_64BIT_LBA [u-boot,05/39] checkpatch: require quotes around section name in the __section() macro [u-boot,06/39] treewide: Convert macro and uses of __section(foo) to __section("foo") [u-boot,07/39] compiler.h: align the __ADDRESSABLE macro with Linux' version [u-boot,08/39] linker_lists: prepare macros to avoid code repetition [u-boot,09/39] test/py: improve regular expression for ut subtest symbol matcher [u-boot,10/39] linker_lists: declare lists and entries as __ADDRESSABLE for LTO [u-boot,11/39] binman: declare symbols externally visible [u-boot,12/39] string: make memcpy() and memset() visible to fix LTO linking errors [u-boot,13/39] efi_loader: fix warning when linking with LTO [u-boot,14/39] lib: crc32: make the crc_table variable non-const [u-boot,15/39] Makefile, Makefile.spl: cosmetic change [u-boot,16/39] build: use thin archives instead of incremental linking [u-boot,17/39] build: support building with Link Time Optimizations [u-boot,18/39] build: LTO: move platform libs into --start-group list [u-boot,19/39] sandbox: errno: avoid conflict with libc's errno [u-boot,20/39] sandbox: use sections instead of symbols for getopt array boundaries [u-boot,21/39] sandbox: make LTO available [u-boot,22/39] sandbox: enable LTO by default [u-boot,23/39] ARM: global_data: make set_gd() work for armv5 and armv6 [u-boot,24/39] ARM: make gd a function call for LTO and set via set_gd() [u-boot,25/39] ARM: fix LTO build for some thumb-interwork cases [u-boot,26/39] ARM: fix LTO for imx28_xea [u-boot,27/39] ARM: fix LTO for apf27 [u-boot,28/39] ARM: fix LTO for keystone [u-boot,29/39] ARM: kona: fix clk_bsc_enable() type mismatch for LTO [u-boot,30/39] ARM: imx6m: fix imx_eqos_txclk_set_rate() type mismatch for LTO [u-boot,31/39] ARM: fix LTO for seaboard [u-boot,32/39] ARM: fix LTO for rockchip and samsung [u-boot,33/39] ARM: omap3: fix LTO for DM3730 (and possibly other omap3 boards) [u-boot,34/39] armv8: SPL: discard relocation information [u-boot,35/39] ata: ahci: fix ahci_link_up() type mismatch for LTO [u-boot,36/39] ARM: make LTO available [u-boot,37/39] ARM: don't use -ffunction-sections/-fdata-sections with LTO build [u-boot,38/39] ARM: enable LTO for some boards [u-boot,39/39] DO NOT MERGE! ARM: enable LTO by default

Message ID

20210307042538.21229-4-marek.behun@nic.cz

State

Superseded

Delegated to:

Tom Rini

Headers

From: =?utf-8?q?Marek_Beh=C3=BAn?= <marek.behun@nic.cz>
To: u-boot@lists.denx.de, Simon Glass <sjg@chromium.org>,
 Heiko Schocher <hs@denx.de>, Patrick Delaunay <patrick.delaunay@st.com>,
 Patrice CHOTARD <patrice.chotard@foss.st.com>,
 Miquel Raynal <miquel.raynal@bootlin.com>, Tom Rini <trini@konsulko.com>,
	=?utf-8?q?Pali_Roh=C3=A1r?= <pali@kernel.org>, Stefan Roese <sr@denx.de>,
 Heinrich Schuchardt <xypron.glpk@gmx.de>, Alexander Graf <agraf@csgraf.de>,
 Marek Vasut <marex@denx.de>, Neil Armstrong <narmstrong@baylibre.com>,
 Ryder Lee <ryder.lee@mediatek.com>, Adam Ford <aford173@gmail.com>,
 Bin Meng <bmeng.cn@gmail.com>
Cc: =?utf-8?q?Marek_Beh=C3=BAn?= <marek.behun@nic.cz>
Subject: [PATCH u-boot-dm 03/39] regmap: fix a serious pointer casting bug
Date: Sun,  7 Mar 2021 05:25:02 +0100
Message-Id: <20210307042538.21229-4-marek.behun@nic.cz>
In-Reply-To: <20210307042538.21229-1-marek.behun@nic.cz>
References: <20210307042538.21229-1-marek.behun@nic.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Series

U-Boot LTO (Sandbox + Some ARM boards) | expand

Commit Message

Marek Behún March 7, 2021, 4:25 a.m. UTC

There is a serious bug in regmap_read() and regmap_write() functions
where an uint pointer is cast to (void *) which is then cast to (u8 *),
(u16 *), (u32 *) or (u64 *), depending on register width of the map.

For example given a regmap with 16-bit register width the code
	int val = 0x12340000;
	regmap_read(map, 0, &val);
only changes the lower 16 bits of val on little-endian machines.
The upper 16 bits will remain 0x1234.

Nobody noticed this probably because this bug can be triggered with
regmap_write() only on big-endian architectures (which are not used by
many people anymore), and on little endian this bug has consequences
only if register width is 8 or 16 bits and also the memory place to
which regmap_read() should store it's result has non-zero upper bits,
which it seems doesn't happen anywhere in U-Boot normally. CI managed to
trigger this bug in unit test of dm_test_devm_regmap_field when compiled
for sandbox_defconfig using LTO.

Fix this simply by taking into account that regmap_raw_read() and
regmap_raw_write() behave as if the data given to these functions were
in little-endian format, i.e. use cpu_to_le32() / le32_to_cpu(). In
regmap_read() also zero out the space so that we don't get invalid
result if regmap_raw_read() does not fill the whole object.

Signed-off-by: Marek Behún <marek.behun@nic.cz>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heiko Schocher <hs@denx.de>
---
 drivers/core/regmap.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

Comments

Bin Meng March 8, 2021, 7:10 a.m. UTC | #1

On Sun, Mar 7, 2021 at 12:26 PM Marek Behún <marek.behun@nic.cz> wrote:
>
> There is a serious bug in regmap_read() and regmap_write() functions
> where an uint pointer is cast to (void *) which is then cast to (u8 *),
> (u16 *), (u32 *) or (u64 *), depending on register width of the map.
>
> For example given a regmap with 16-bit register width the code
>         int val = 0x12340000;
>         regmap_read(map, 0, &val);
> only changes the lower 16 bits of val on little-endian machines.
> The upper 16 bits will remain 0x1234.
>
> Nobody noticed this probably because this bug can be triggered with
> regmap_write() only on big-endian architectures (which are not used by
> many people anymore), and on little endian this bug has consequences
> only if register width is 8 or 16 bits and also the memory place to
> which regmap_read() should store it's result has non-zero upper bits,
> which it seems doesn't happen anywhere in U-Boot normally. CI managed to
> trigger this bug in unit test of dm_test_devm_regmap_field when compiled
> for sandbox_defconfig using LTO.
>
> Fix this simply by taking into account that regmap_raw_read() and
> regmap_raw_write() behave as if the data given to these functions were
> in little-endian format, i.e. use cpu_to_le32() / le32_to_cpu(). In
> regmap_read() also zero out the space so that we don't get invalid
> result if regmap_raw_read() does not fill the whole object.
>
> Signed-off-by: Marek Behún <marek.behun@nic.cz>
> Reviewed-by: Simon Glass <sjg@chromium.org>
> Reviewed-by: Heiko Schocher <hs@denx.de>
> ---
>  drivers/core/regmap.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
>

Reviewed-by: Bin Meng <bmeng.cn@gmail.com>

Maybe we can create a test case on QEMU PPC to cover the big endian targets?

Regards,
Bin

diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
index b51ce108c1..5d37006fff 100644
--- a/drivers/core/regmap.c
+++ b/drivers/core/regmap.c
@@ -435,7 +435,16 @@  int regmap_raw_read(struct regmap *map, uint offset, void *valp, size_t val_len)
 
 int regmap_read(struct regmap *map, uint offset, uint *valp)
 {
-	return regmap_raw_read(map, offset, valp, map->width);
+	int res;
+
+	*valp = 0;
+	res = regmap_raw_read(map, offset, valp, map->width);
+	if (res)
+		return res;
+
+	*valp = le32_to_cpu(*valp);
+
+	return 0;
 }
 
 static inline void __write_8(u8 *addr, const u8 *val,
@@ -546,6 +555,8 @@  int regmap_raw_write(struct regmap *map, uint offset, const void *val,
 
 int regmap_write(struct regmap *map, uint offset, uint val)
 {
+	val = cpu_to_le32(val);
+
 	return regmap_raw_write(map, offset, &val, map->width);
 }

[u-boot-dm,03/39] regmap: fix a serious pointer casting bug

Commit Message

Comments

Patch