[PATCH] power: supply: bq25980: Fix uninitialized wd_reg_val and overrun

From: Dan Murphy
Date: Fri Oct 09 2020 - 08:12:11 EST

Next message: Matthew Wilcox: "Re: KASAN: use-after-free Read in __io_uring_files_cancel"
Previous message: Thierry Reding: "Re: [PATCH 1/5] memory: tegra: Correct la.reg address of seswr"
Next in thread: Dan Murphy: "Re: [PATCH] power: supply: bq25980: Fix uninitialized wd_reg_val and overrun"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Fix the issue when 'i' is equal to array size then array index over
runs the array when checking for the watch dog value.

This also fixes the uninitialized wd_reg_val if the for..loop was not
successful in finding an appropriate match.

Fixes: 5069185fc18e ("power: supply: bq25980: Add support for the BQ259xx family")
Signed-off-by: Dan Murphy <dmurphy@xxxxxx>
---
drivers/power/supply/bq25980_charger.c | 29 +++++++++++++-------------
1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/drivers/power/supply/bq25980_charger.c b/drivers/power/supply/bq25980_charger.c
index 3995fb7cf060..e6a91e43ae5b 100644
--- a/drivers/power/supply/bq25980_charger.c
+++ b/drivers/power/supply/bq25980_charger.c
@@ -1099,28 +1099,29 @@ static int bq25980_power_supply_init(struct bq25980_device *bq,
static int bq25980_hw_init(struct bq25980_device *bq)
{
struct power_supply_battery_info bat_info = { };
- int wd_reg_val;
+ int wd_reg_val = BQ25980_WATCHDOG_DIS;
+ int wd_max_val = BQ25980_NUM_WD_VAL - 1;
int ret = 0;
int curr_val;
int volt_val;
int i;

- if (!bq->watchdog_timer) {
- ret = regmap_update_bits(bq->regmap, BQ25980_CHRGR_CTRL_3,
- BQ25980_WATCHDOG_DIS,
- BQ25980_WATCHDOG_DIS);
- } else {
- for (i = 0; i < BQ25980_NUM_WD_VAL; i++) {
- if (bq->watchdog_timer > bq25980_watchdog_time[i] &&
- bq->watchdog_timer < bq25980_watchdog_time[i + 1]) {
- wd_reg_val = i;
- break;
+ if (bq->watchdog_timer) {
+ if (bq->watchdog_timer >= bq25980_watchdog_time[wd_max_val])
+ wd_reg_val = wd_max_val;
+ else {
+ for (i = 0; i < wd_max_val; i++) {
+ if (bq->watchdog_timer > bq25980_watchdog_time[i] &&
+ bq->watchdog_timer < bq25980_watchdog_time[i + 1]) {
+ wd_reg_val = i;
+ break;
+ }
}
}
-
- ret = regmap_update_bits(bq->regmap, BQ25980_CHRGR_CTRL_3,
- BQ25980_WATCHDOG_MASK, wd_reg_val);
}
+
+ ret = regmap_update_bits(bq->regmap, BQ25980_CHRGR_CTRL_3,
+ BQ25980_WATCHDOG_MASK, wd_reg_val);
if (ret)
return ret;

--
2.28.0.585.ge1cfff676549

Next message: Matthew Wilcox: "Re: KASAN: use-after-free Read in __io_uring_files_cancel"
Previous message: Thierry Reding: "Re: [PATCH 1/5] memory: tegra: Correct la.reg address of seswr"
Next in thread: Dan Murphy: "Re: [PATCH] power: supply: bq25980: Fix uninitialized wd_reg_val and overrun"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]