Linux 6.1.85

[thirdparty/kernel/stable-queue.git] / releases / 6.6.26 / regmap-maple-fix-cache-corruption-in-regcache_maple_.patch

From 36a80e0fd2a330ce0cb25f16c52156087805b22f Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Wed, 27 Mar 2024 11:44:06 +0000
Subject: regmap: maple: Fix cache corruption in regcache_maple_drop()

From: Richard Fitzgerald <rf@opensource.cirrus.com>

[ Upstream commit 00bb549d7d63a21532e76e4a334d7807a54d9f31 ]

When keeping the upper end of a cache block entry, the entry[] array
must be indexed by the offset from the base register of the block,
i.e. max - mas.index.

The code was indexing entry[] by only the register address, leading
to an out-of-bounds access that copied some part of the kernel
memory over the cache contents.

This bug was not detected by the regmap KUnit test because it only
tests with a block of registers starting at 0, so mas.index == 0.

Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Fixes: f033c26de5a5 ("regmap: Add maple tree based register cache")
Link: https://msgid.link/r/20240327114406.976986-1-rf@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/regmap/regcache-maple.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/base/regmap/regcache-maple.c b/drivers/base/regmap/regcache-maple.c
index 41edd6a430eb4..c1776127a5724 100644
--- a/drivers/base/regmap/regcache-maple.c
+++ b/drivers/base/regmap/regcache-maple.c
@@ -145,7 +145,7 @@ static int regcache_maple_drop(struct regmap *map, unsigned int min,
                        upper_index = max + 1;
                        upper_last = mas.last;
 
-                       upper = kmemdup(&entry[max + 1],
+                       upper = kmemdup(&entry[max - mas.index + 1],
                                        ((mas.last - max) *
                                         sizeof(unsigned long)),
                                        map->alloc_flags);
-- 
2.43.0