From patchwork Fri Mar 25 04:34:09 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: baihaowen X-Patchwork-Id: 554206 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE498C433F5 for ; Fri, 25 Mar 2022 04:34:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1356765AbiCYEfy (ORCPT ); Fri, 25 Mar 2022 00:35:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42694 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231523AbiCYEfx (ORCPT ); Fri, 25 Mar 2022 00:35:53 -0400 Received: from mail.meizu.com (edge07.meizu.com [112.91.151.210]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8BFD7C680B; Thu, 24 Mar 2022 21:34:18 -0700 (PDT) Received: from IT-EXMB-1-125.meizu.com (172.16.1.125) by mz-mail11.meizu.com (172.16.1.15) with Microsoft SMTP Server (TLS) id 14.3.487.0; Fri, 25 Mar 2022 12:34:11 +0800 Received: from meizu.meizu.com (172.16.137.70) by IT-EXMB-1-125.meizu.com (172.16.1.125) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.14; Fri, 25 Mar 2022 12:34:10 +0800 From: Haowen Bai To: , , CC: , , Haowen Bai Subject: [PATCH] usb: typec: tcpm: testing array offset 'port->logbuffer_head' before use Date: Fri, 25 Mar 2022 12:34:09 +0800 Message-ID: <1648182849-9209-1-git-send-email-baihaowen@meizu.com> X-Mailer: git-send-email 2.7.4 MIME-Version: 1.0 X-Originating-IP: [172.16.137.70] X-ClientProxiedBy: IT-EXMB-1-125.meizu.com (172.16.1.125) To IT-EXMB-1-125.meizu.com (172.16.1.125) Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Fix possible indexing array of bound for port->logbuffer[port->logbuffer_head], where port->logbuffer_head boundary check happens later. so we do it before. Signed-off-by: Haowen Bai --- drivers/usb/typec/tcpm/tcpm.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index 5fce795..541e9e4 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -591,6 +591,14 @@ static void _tcpm_log(struct tcpm_port *port, const char *fmt, va_list args) unsigned long rem_nsec; mutex_lock(&port->logbuffer_lock); + + if (port->logbuffer_head < 0 || + port->logbuffer_head >= LOG_BUFFER_ENTRIES) { + dev_warn(port->dev, + "Bad log buffer index %d\n", port->logbuffer_head); + goto abort; + } + if (!port->logbuffer[port->logbuffer_head]) { port->logbuffer[port->logbuffer_head] = kzalloc(LOG_BUFFER_ENTRY_SIZE, GFP_KERNEL); @@ -607,13 +615,6 @@ static void _tcpm_log(struct tcpm_port *port, const char *fmt, va_list args) strcpy(tmpbuffer, "overflow"); } - if (port->logbuffer_head < 0 || - port->logbuffer_head >= LOG_BUFFER_ENTRIES) { - dev_warn(port->dev, - "Bad log buffer index %d\n", port->logbuffer_head); - goto abort; - } - if (!port->logbuffer[port->logbuffer_head]) { dev_warn(port->dev, "Log buffer index %d is NULL\n", port->logbuffer_head);