From patchwork Fri Jul 12 13:26:11 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lucas Stach X-Patchwork-Id: 1131365 X-Patchwork-Delegate: lorenzo.pieralisi@arm.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=linux-pci-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=pengutronix.de Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45lYbZ1Vzfz9s4Y for ; Fri, 12 Jul 2019 23:26:17 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727027AbfGLN0Q (ORCPT ); Fri, 12 Jul 2019 09:26:16 -0400 Received: from metis.ext.pengutronix.de ([85.220.165.71]:33957 "EHLO metis.ext.pengutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726466AbfGLN0Q (ORCPT ); Fri, 12 Jul 2019 09:26:16 -0400 Received: from dude02.hi.pengutronix.de ([2001:67c:670:100:1d::28] helo=dude02.pengutronix.de.) by metis.ext.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1hlvYz-00024H-6f; Fri, 12 Jul 2019 15:26:13 +0200 From: Lucas Stach To: Jingoo Han , Gustavo Pimentel , Lorenzo Pieralisi Cc: linux-pci@vger.kernel.org, patchwork-lst@pengutronix.de, kernel@pengutronix.de Subject: [PATCH] PCI: dwc: avoid OOB read in find_next_bit Date: Fri, 12 Jul 2019 15:26:11 +0200 Message-Id: <20190712132611.3374-1-l.stach@pengutronix.de> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 X-SA-Exim-Connect-IP: 2001:67c:670:100:1d::28 X-SA-Exim-Mail-From: l.stach@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false X-PTX-Original-Recipient: linux-pci@vger.kernel.org Sender: linux-pci-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-pci@vger.kernel.org Find_next_bit works on a long type, which causes a OOB read on the u32 input when used on ARM64. Signed-off-by: Lucas Stach --- drivers/pci/controller/dwc/pcie-designware-host.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index 77db32529319..81a2139d68d6 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -78,15 +78,16 @@ static struct msi_domain_info dw_pcie_msi_domain_info = { irqreturn_t dw_handle_msi_irq(struct pcie_port *pp) { int i, pos, irq; - u32 val, num_ctrls; + u32 num_ctrls; irqreturn_t ret = IRQ_NONE; + unsigned long val; num_ctrls = pp->num_vectors / MAX_MSI_IRQS_PER_CTRL; for (i = 0; i < num_ctrls; i++) { dw_pcie_rd_own_conf(pp, PCIE_MSI_INTR0_STATUS + (i * MSI_REG_CTRL_BLOCK_SIZE), - 4, &val); + 4, (u32 *)&val); if (!val) continue;