regmap: Check for out-of-range offsets before mapping them

In regmap_raw_{read,write}_range(), offsets are checked to make sure
they aren't out of range. But this check happens _after_ the address is
mapped from physical memory. Input should be sanity-checked before using
it. Mapping the address before validating it leaves the door open to
passing an invalid address to map_physmem(). So check for out of range
offsets _before_ mapping them.

This fixes a segmentation fault in sandbox when -1 is used as an offset
to regmap_{read,write}().

Signed-off-by: Pratyush Yadav <p.yadav@ti.com>

1 files changed, 4 insertions, 4 deletions

diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
index 4a214eff7c..a67a237b88 100644
--- a/drivers/core/regmap.c
+++ b/drivers/core/regmap.c
@@ -310,13 +310,13 @@ int regmap_raw_read_range(struct regmap *map, uint range_num, uint offset,
 	}
 	range = &map->ranges[range_num];
 
-	ptr = map_physmem(range->start + offset, val_len, MAP_NOCACHE);
-
 	if (offset + val_len > range->size) {
 		debug("%s: offset/size combination invalid\n", __func__);
 		return -ERANGE;
 	}
 
+	ptr = map_physmem(range->start + offset, val_len, MAP_NOCACHE);
+
 	switch (val_len) {
 	case REGMAP_SIZE_8:
 		*((u8 *)valp) = __read_8(ptr, map->endianness);
@@ -419,13 +419,13 @@ int regmap_raw_write_range(struct regmap *map, uint range_num, uint offset,
 	}
 	range = &map->ranges[range_num];
 
-	ptr = map_physmem(range->start + offset, val_len, MAP_NOCACHE);
-
 	if (offset + val_len > range->size) {
 		debug("%s: offset/size combination invalid\n", __func__);
 		return -ERANGE;
 	}
 
+	ptr = map_physmem(range->start + offset, val_len, MAP_NOCACHE);
+
 	switch (val_len) {
 	case REGMAP_SIZE_8:
 		__write_8(ptr, val, map->endianness);