ptp: ocp: Limit signal/freq counts in summary output functions

The debugfs summary output could access uninitialized elements in
the freq_in[] and signal_out[] arrays, causing NULL pointer
dereferences and triggering a kernel Oops (page_fault_oops).
This patch adds u8 fields (nr_freq_in, nr_signal_out) to track the
number of initialized elements, with a maximum of 4 per array.
The summary output functions are updated to respect these limits,
preventing out-of-bounds access and ensuring safe array handling.

Widen the label variables because the change confuses GCC about
max length of the strings.

Fixes: ef61f5528fca ("ptp: ocp: add Adva timecard support")
Signed-off-by: Sagi Maimon <maimon.sagi@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20250514073541.35817-1-maimon.sagi@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/ptp/ptp_ocp.c b/drivers/ptp/ptp_ocp.c
index 2ccdca4f69604bfe44f0f853a5643b7e1717839e..e63481f24238da6ecb71b0e4d11f99c895002438 100644 (file)
--- a/drivers/ptp/ptp_ocp.c
+++ b/drivers/ptp/ptp_ocp.c
@@ -315,6 +315,8 @@ struct ptp_ocp_serial_port {
 #define OCP_BOARD_ID_LEN               13
 #define OCP_SERIAL_LEN                 6
 #define OCP_SMA_NUM                    4
+#define OCP_SIGNAL_NUM                 4
+#define OCP_FREQ_NUM                   4
 
 enum {
        PORT_GNSS,
@@ -342,8 +344,8 @@ struct ptp_ocp {
        struct dcf_master_reg   __iomem *dcf_out;
        struct dcf_slave_reg    __iomem *dcf_in;
        struct tod_reg          __iomem *nmea_out;
-       struct frequency_reg    __iomem *freq_in[4];
-       struct ptp_ocp_ext_src  *signal_out[4];
+       struct frequency_reg    __iomem *freq_in[OCP_FREQ_NUM];
+       struct ptp_ocp_ext_src  *signal_out[OCP_SIGNAL_NUM];
        struct ptp_ocp_ext_src  *pps;
        struct ptp_ocp_ext_src  *ts0;
        struct ptp_ocp_ext_src  *ts1;
@@ -378,10 +380,12 @@ struct ptp_ocp {
        u32                     utc_tai_offset;
        u32                     ts_window_adjust;
        u64                     fw_cap;
-       struct ptp_ocp_signal   signal[4];
+       struct ptp_ocp_signal   signal[OCP_SIGNAL_NUM];
        struct ptp_ocp_sma_connector sma[OCP_SMA_NUM];
        const struct ocp_sma_op *sma_op;
        struct dpll_device *dpll;
+       int signals_nr;
+       int freq_in_nr;
 };
 
 #define OCP_REQ_TIMESTAMP      BIT(0)
@@ -2697,6 +2701,8 @@ ptp_ocp_fb_board_init(struct ptp_ocp *bp, struct ocp_resource *r)
        bp->eeprom_map = fb_eeprom_map;
        bp->fw_version = ioread32(&bp->image->version);
        bp->sma_op = &ocp_fb_sma_op;
+       bp->signals_nr = 4;
+       bp->freq_in_nr = 4;
 
        ptp_ocp_fb_set_version(bp);
 
@@ -2862,6 +2868,8 @@ ptp_ocp_art_board_init(struct ptp_ocp *bp, struct ocp_resource *r)
        bp->fw_version = ioread32(&bp->reg->version);
        bp->fw_tag = 2;
        bp->sma_op = &ocp_art_sma_op;
+       bp->signals_nr = 4;
+       bp->freq_in_nr = 4;
 
        /* Enable MAC serial port during initialisation */
        iowrite32(1, &bp->board_config->mro50_serial_activate);
@@ -2888,6 +2896,8 @@ ptp_ocp_adva_board_init(struct ptp_ocp *bp, struct ocp_resource *r)
        bp->flash_start = 0xA00000;
        bp->eeprom_map = fb_eeprom_map;
        bp->sma_op = &ocp_adva_sma_op;
+       bp->signals_nr = 2;
+       bp->freq_in_nr = 2;
 
        version = ioread32(&bp->image->version);
        /* if lower 16 bits are empty, this is the fw loader. */
@@ -4008,7 +4018,7 @@ _signal_summary_show(struct seq_file *s, struct ptp_ocp *bp, int nr)
 {
        struct signal_reg __iomem *reg = bp->signal_out[nr]->mem;
        struct ptp_ocp_signal *signal = &bp->signal[nr];
-       char label[8];
+       char label[16];
        bool on;
        u32 val;
 
@@ -4031,7 +4041,7 @@ static void
 _frequency_summary_show(struct seq_file *s, int nr,
                        struct frequency_reg __iomem *reg)
 {
-       char label[8];
+       char label[16];
        bool on;
        u32 val;
 
@@ -4175,11 +4185,11 @@ ptp_ocp_summary_show(struct seq_file *s, void *data)
        }
 
        if (bp->fw_cap & OCP_CAP_SIGNAL)
-               for (i = 0; i < 4; i++)
+               for (i = 0; i < bp->signals_nr; i++)
                        _signal_summary_show(s, bp, i);
 
        if (bp->fw_cap & OCP_CAP_FREQ)
-               for (i = 0; i < 4; i++)
+               for (i = 0; i < bp->freq_in_nr; i++)
                        _frequency_summary_show(s, i, bp->freq_in[i]);
 
        if (bp->irig_out) {