-
Michal Kazior authored
It was possible to force an out of bounds MMIO read/write via debugfs. E.g. on QCA988X this could be triggered with: echo 0x2080e0 | tee /sys/kernel/debug/ieee80211/*/ath10k/reg_addr cat /sys/kernel/debug/ieee80211/*/ath10k/reg_value BUG: unable to handle kernel paging request at ffffc90001e080e0 IP: [<ffffffff8135c860>] ioread32+0x40/0x50 ... Call Trace: [<ffffffffa00d0c7f>] ? ath10k_pci_read32+0x4f/0x70 [ath10k_pci] [<ffffffffa0080f50>] ath10k_reg_value_read+0x90/0xf0 [ath10k_core] [<ffffffff8115c2c1>] ? handle_mm_fault+0xa91/0x1050 [<ffffffff81189758>] __vfs_read+0x28/0xe0 [<ffffffff812e4694>] ? security_file_permission+0x84/0xa0 [<ffffffff81189ce3>] ? rw_verify_area+0x53/0x100 [<ffffffff81189e1a>] vfs_read+0x8a/0x140 [<ffffffff8118acb9>] SyS_read+0x49/0xb0 [<ffffffff8104e39c>] ? trace_do_page_fault+0x3c/0xc0 [<ffffffff8196596e>] system_call_fastpath+0x12/0x71 Reported-by:
Ben Greear <greearb@candelatech.com> Signed-off-by:
Michal Kazior <michal.kazior@tieto.com> Signed-off-by:
Kalle Valo <kvalo@qca.qualcomm.com>
aeae5b4c
