summaryrefslogtreecommitdiff
path: root/drivers/core
diff options
context:
space:
mode:
authorMarek BehĂșn <marek.behun@nic.cz>2021-05-20 13:23:50 +0200
committerTom Rini <trini@konsulko.com>2021-05-24 14:21:30 -0400
commit364bef150d9f2a03aebb427363031d56b244bf84 (patch)
treeba8e203cb126f31fc7fb0e5f2f1d62020f68d0ca /drivers/core
parent2177f924bf585d083fdbb3c1ff1479794ee8ccac (diff)
downloadu-boot-364bef150d9f2a03aebb427363031d56b244bf84.tar.gz
u-boot-364bef150d9f2a03aebb427363031d56b244bf84.tar.bz2
u-boot-364bef150d9f2a03aebb427363031d56b244bf84.zip
regmap: fix a serious pointer casting bug
There is a serious bug in regmap_read() and regmap_write() functions where an uint pointer is cast to (void *) which is then cast to (u8 *), (u16 *), (u32 *) or (u64 *), depending on register width of the map. For example given a regmap with 16-bit register width the code int val = 0x12340000; regmap_read(map, 0, &val); only changes the lower 16 bits of val on little-endian machines. The upper 16 bits will remain 0x1234. Nobody noticed this probably because this bug can be triggered with regmap_write() only on big-endian architectures (which are not used by many people anymore), and on little endian this bug has consequences only if register width is 8 or 16 bits and also the memory place to which regmap_read() should store it's result has non-zero upper bits, which it seems doesn't happen anywhere in U-Boot normally. CI managed to trigger this bug in unit test of dm_test_devm_regmap_field when compiled for sandbox_defconfig using LTO. Fix this by utilizing an union { u8; u16; u32; u64; } and reading data into this union / writing data from this union. Signed-off-by: Marek BehĂșn <marek.behun@nic.cz> Cc: Simon Glass <sjg@chromium.org> Cc: Heiko Schocher <hs@denx.de> Cc: Bin Meng <bmeng.cn@gmail.com> Cc: Pratyush Yadav <p.yadav@ti.com>
Diffstat (limited to 'drivers/core')
-rw-r--r--drivers/core/regmap.c59
1 files changed, 57 insertions, 2 deletions
diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
index b51ce108c1..3206f3d112 100644
--- a/drivers/core/regmap.c
+++ b/drivers/core/regmap.c
@@ -435,7 +435,36 @@ int regmap_raw_read(struct regmap *map, uint offset, void *valp, size_t val_len)
int regmap_read(struct regmap *map, uint offset, uint *valp)
{
- return regmap_raw_read(map, offset, valp, map->width);
+ union {
+ u8 v8;
+ u16 v16;
+ u32 v32;
+ u64 v64;
+ } u;
+ int res;
+
+ res = regmap_raw_read(map, offset, &u, map->width);
+ if (res)
+ return res;
+
+ switch (map->width) {
+ case REGMAP_SIZE_8:
+ *valp = u.v8;
+ break;
+ case REGMAP_SIZE_16:
+ *valp = u.v16;
+ break;
+ case REGMAP_SIZE_32:
+ *valp = u.v32;
+ break;
+ case REGMAP_SIZE_64:
+ *valp = u.v64;
+ break;
+ default:
+ unreachable();
+ }
+
+ return 0;
}
static inline void __write_8(u8 *addr, const u8 *val,
@@ -546,7 +575,33 @@ int regmap_raw_write(struct regmap *map, uint offset, const void *val,
int regmap_write(struct regmap *map, uint offset, uint val)
{
- return regmap_raw_write(map, offset, &val, map->width);
+ union {
+ u8 v8;
+ u16 v16;
+ u32 v32;
+ u64 v64;
+ } u;
+
+ switch (map->width) {
+ case REGMAP_SIZE_8:
+ u.v8 = val;
+ break;
+ case REGMAP_SIZE_16:
+ u.v16 = val;
+ break;
+ case REGMAP_SIZE_32:
+ u.v32 = val;
+ break;
+ case REGMAP_SIZE_64:
+ u.v64 = val;
+ break;
+ default:
+ debug("%s: regmap size %zu unknown\n", __func__,
+ (size_t)map->width);
+ return -EINVAL;
+ }
+
+ return regmap_raw_write(map, offset, &u, map->width);
}
int regmap_update_bits(struct regmap *map, uint offset, uint mask, uint val)