From ad6584e66edc5a662a61dfed2c402f1f09ae89ba Mon Sep 17 00:00:00 2001
From: Hang Cheng <hang.cheng@amlogic.com>
Date: Thu, 6 Sep 2018 17:38:24 +0800
Subject: [PATCH] hdmirx: fix kasan bug in rx_get_edid

PD#172927: hdmirx: fix KASAN bug in rx_get_edid

BUG: KASAN: global-out-of-bounds in rx_get_edid+0x74/0xa0
Read of size 8 at addr ffffff900bda5cb8 by task swapper/0/1

CPU: 3 PID: 1 Comm: swapper/0 Not tainted 4.9.113 #3
Hardware name: Amlogic (DT)
Call trace:
[<ffffff900908ecc0>] dump_backtrace+0x0/0x368
[<ffffff900908f0cc>] show_stack+0x24/0x30
[<ffffff900963bdb0>] dump_stack+0xa0/0xc8
[<ffffff90092ba21c>] print_address_description+0x144/0x258
[<ffffff90092ba694>] kasan_report+0x264/0x338
[<ffffff90092b8cd4>] __asan_load8+0x84/0x98
[<ffffff9009cdd394>] rx_get_edid+0x74/0xa0
[<ffffff9009cde2ec>] hdmi_rx_top_edid_update+0xb4/0x1d8
[<ffffff9009ccf524>] hdmirx_hw_probe+0x10c/0x168
[<ffffff9009cd3eb0>] hdmirx_probe+0x9d8/0x10f8
[<ffffff9009762b60>] platform_drv_probe+0x78/0xf8
[<ffffff900975f93c>] driver_probe_device+0x134/0x380
[<ffffff900975fc74>] __driver_attach+0xec/0xf0
[<ffffff900975c71c>] bus_for_each_dev+0xf4/0x160
[<ffffff900975eec8>] driver_attach+0x38/0x48
[<ffffff900975e748>] bus_add_driver+0x1b0/0x308
[<ffffff9009760d34>] driver_register+0xbc/0x1a0
[<ffffff9009762a4c>] __platform_driver_register+0x84/0x90
[<ffffff900ac1752c>] hdmirx_init+0xa0/0xfc
[<ffffff900908421c>] do_one_initcall+0xac/0x1f8
[<ffffff900abc10bc>] kernel_init_freeable+0x254/0x2f4
[<ffffff900a2929b0>] kernel_init+0x18/0x118
[<ffffff9009083e80>] ret_from_fork+0x10/0x50

The buggy address belongs to the variable:
 edid_list+0x38/0x60

Memory state around the buggy address:
 ffffff900bda5b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffff900bda5c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffff900bda5c80: 00 00 00 00 00 00 fa fa fa fa fa fa 04 fa fa fa
                                        ^
 ffffff900bda5d00: fa fa fa fa 01 fa fa fa fa fa fa fa 00 00 00 00
 ffffff900bda5d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Change-Id: Ie0bdc00195732b4bc6f317c33dcc34ace3dc4051
Signed-off-by: Hang Cheng <hang.cheng@amlogic.com>
---
 drivers/amlogic/media/vin/tvin/hdmirx/hdmi_rx_drv.h  | 2 +-
 drivers/amlogic/media/vin/tvin/hdmirx/hdmi_rx_edid.c | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/amlogic/media/vin/tvin/hdmirx/hdmi_rx_drv.h b/drivers/amlogic/media/vin/tvin/hdmirx/hdmi_rx_drv.h
index 862a525ca85f..c560a1cc0d8e 100644
--- a/drivers/amlogic/media/vin/tvin/hdmirx/hdmi_rx_drv.h
+++ b/drivers/amlogic/media/vin/tvin/hdmirx/hdmi_rx_drv.h
@@ -46,7 +46,7 @@
  *
  *
  */
-#define RX_VER2 "ver.2018/09/04"
+#define RX_VER2 "ver.2018/09/06"
 
 /*print type*/
 #define	LOG_EN		0x01
diff --git a/drivers/amlogic/media/vin/tvin/hdmirx/hdmi_rx_edid.c b/drivers/amlogic/media/vin/tvin/hdmirx/hdmi_rx_edid.c
index 866642c181d4..f689ee34a604 100644
--- a/drivers/amlogic/media/vin/tvin/hdmirx/hdmi_rx_edid.c
+++ b/drivers/amlogic/media/vin/tvin/hdmirx/hdmi_rx_edid.c
@@ -1163,6 +1163,8 @@ unsigned int hdmi_rx_top_edid_update(void)
 	u_int phy_addr[E_PORT_NUM] = {0, 0, 0, 0};
 	u_char checksum[E_PORT_NUM] = {0, 0, 0, 0};
 
+	if (edid_index >= EDID_LIST_NUM)
+		return 0;
 	/* get edid from buffer, return buffer addr */
 	pedid_data = rx_get_edid(edid_index);
 
@@ -1195,7 +1197,7 @@ unsigned int hdmi_rx_top_edid_update(void)
 		/* update physical and checksum */
 	rx_edid_update_overlay(phy_addr_offset, phy_addr, checksum);
 	}
-	return true;
+	return 1;
 }
 
 void rx_edid_print_vic_fmt(unsigned char i,