Commit e22e18f8 authored Jan 06, 2025 by Dan Carpenter Committed by Lin Yujun Jan 06, 2025

soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get()

stable inclusion
from stable-v6.6.64
commit c24e019ca12d9ec814af04b30a64dd7173fb20fe
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHGZ
CVE: CVE-2024-53158

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c24e019ca12d9ec814af04b30a64dd7173fb20fe



--------------------------------

[ Upstream commit 78261cb08f06c93d362cab5c5034bf5899bc7552 ]

This loop is supposed to break if the frequency returned from
clk_round_rate() is the same as on the previous iteration.  However,
that check doesn't make sense on the first iteration through the loop.
It leads to reading before the start of these->clk_perf_tbl[] array.

Fixes: eddac5af ("soc: qcom: Add GENI based QUP Wrapper driver")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/8cd12678-f44a-4b16-a579-c8f11175ee8c@stanley.mountain


Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Lin Yujun <linyujun809@huawei.com>

parent ebae66c4

drivers/soc/qcom/qcom-geni-se.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -553,7 +553,8 @@ int geni_se_clk_tbl_get(struct geni_se se, unsigned long *tbl)

		for (i = 0; i < MAX_CLK_PERF_LEVEL; i++) {
		freq = clk_round_rate(se->clk, freq + 1);
		if (freq <= 0 \|\| freq == se->clk_perf_tbl[i - 1])
		if (freq <= 0 \|\|
		(i > 0 && freq == se->clk_perf_tbl[i - 1]))
		break;
		se->clk_perf_tbl[i] = freq;
		}