[PATCH 1/6] phy: qcom-qmp-combo: fix out-of-bounds clock access
Dmitry Baryshkov
dmitry.baryshkov at linaro.org
Fri Nov 11 22:10:58 PST 2022
On 11/11/2022 11:42, Johan Hovold wrote:
> The SM8250 only uses three clocks but the DP configuration erroneously
> described four clocks.
>
> In case the DP part of the PHY is initialised before the USB part, this
> would lead to uninitialised memory beyond the bulk-clocks array to be
> treated as a clock pointer as the clocks are requested based on the USB
> configuration.
... because the num_clks comes from the struct qmp_phy_cfg, not from the
struct qcom_qmp.
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov at linaro.org>
>
> Fixes: aff188feb5e1 ("phy: qcom-qmp: add support for sm8250-usb3-dp phy")
> Cc: stable at vger.kernel.org # 5.13
> Signed-off-by: Johan Hovold <johan+linaro at kernel.org>
> ---
> drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
> index 5e11b6a1d189..bb38b18258ca 100644
> --- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
> +++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
> @@ -1270,8 +1270,8 @@ static const struct qmp_phy_cfg sm8250_dpphy_cfg = {
> .swing_hbr3_hbr2 = &qmp_dp_v3_voltage_swing_hbr3_hbr2,
> .pre_emphasis_hbr3_hbr2 = &qmp_dp_v3_pre_emphasis_hbr3_hbr2,
>
> - .clk_list = qmp_v4_phy_clk_l,
> - .num_clks = ARRAY_SIZE(qmp_v4_phy_clk_l),
> + .clk_list = qmp_v4_sm8250_usbphy_clk_l,
> + .num_clks = ARRAY_SIZE(qmp_v4_sm8250_usbphy_clk_l),
> .reset_list = msm8996_usb3phy_reset_l,
> .num_resets = ARRAY_SIZE(msm8996_usb3phy_reset_l),
> .vreg_list = qmp_phy_vreg_l,
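Review bot: At `.clk_list` / `.num_clks` in `sm8250_dpphy_cfg`, the DP entry now has to be kept identical to the USB list by hand, and nothing in the hunk enforces or documents that. The clocks are requested based on the USB configuration, while `num_clks` is read from whichever `struct qmp_phy_cfg` is being initialised, so a later edit to either list would bring the out-of-bounds access back. Consider a comment above these two lines saying they must match the USB config, or keeping the requested clock count next to the bulk-clocks array so it is not taken from the cfg.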
--
With best wishes
Dmitry
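The failure mode discussed in this message, as an added example that is not part of the original mail or of the driver: a userspace model in which the clock array is sized from one configuration and later used with another. The `model_*` names, the `num_clks` field in `struct model_qmp` and the clock names are hypothetical; the check in `model_clk_enable()` is one possible defence, not what the patch does.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed clock names (placeholders, not the driver's real lists). */
static const char * const usb_clk_l[] = { "clk_a", "clk_b", "clk_c" };
static const char * const dp_clk_l[] = { "clk_a", "clk_b", "clk_c", "clk_d" };

/* Simplified stand-ins for struct qmp_phy_cfg and struct qcom_qmp. */
struct model_cfg { const char * const *clk_list; size_t num_clks; };
struct model_qmp { const char **clks; size_t num_clks; /* hypothetical */ };

/* Probe step: the shared array is sized from one configuration only. */
static int model_clk_init(struct model_qmp *qmp, const struct model_cfg *cfg)
{
	qmp->clks = calloc(cfg->num_clks, sizeof(*qmp->clks));
	if (!qmp->clks)
		return -ENOMEM;
	for (size_t i = 0; i < cfg->num_clks; i++)
		qmp->clks[i] = cfg->clk_list[i];
	qmp->num_clks = cfg->num_clks;	/* remember the allocated length */
	return 0;
}

/* Enable step: compare against the allocated length, never index by cfg. */
static int model_clk_enable(const struct model_qmp *qmp,
			    const struct model_cfg *cfg)
{
	if (cfg->num_clks != qmp->num_clks)
		return -EINVAL;	/* cfg disagrees with what was allocated */
	for (size_t i = 0; i < qmp->num_clks; i++)
		if (!qmp->clks[i])
			return -ENOENT;
	return 0;
}

int main(void)
{
	struct model_cfg usb = { usb_clk_l, ARRAY_SIZE(usb_clk_l) };
	struct model_cfg dp = { dp_clk_l, ARRAY_SIZE(dp_clk_l) };
	struct model_qmp qmp = { 0 };
	if (model_clk_init(&qmp, &usb))
		return 1;
	int bad = model_clk_enable(&qmp, &dp);	/* four-entry cfg is rejected */
	int ok = model_clk_enable(&qmp, &usb);	/* matching cfg is accepted */
	free(qmp.clks);
	return !(bad == -EINVAL && ok == 0);
}
```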