rs9_of_clk_get() does not validate the clock index in the passed
DT clock specifier. If DT specifies an incorrect and out-of-range
index, this will access memory beyond the end of the clk_dif[] array.
Fix this by adding a range check to rs9_of_clk_get().
Fixes: 892e0ddea1aa6f70 ("clk: rs9: Add Renesas 9-series PCIe clock generator driver")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
---
This is v2 of "[PATCH] clk: rs9: Convert to clk_hw_onecell_data and
of_clk_hw_onecell_get()"
(https://lore.kernel.org/a6dce17b15d29a257d09fe0edc199a14c297f1a8.1768836042.git.geert+renesas@glider.be)
v2:
- Just add the missing range check; the conversion to
of_clk_hw_onecell_get() can be done later.
---
drivers/clk/clk-renesas-pcie.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/clk/clk-renesas-pcie.c b/drivers/clk/clk-renesas-pcie.c
index aa108df12e44fb9f..1adc5365ba1a3d59 100644
--- a/drivers/clk/clk-renesas-pcie.c
+++ b/drivers/clk/clk-renesas-pcie.c
@@ -277,6 +277,9 @@ rs9_of_clk_get(struct of_phandle_args *clkspec, void *data)
struct rs9_driver_data *rs9 = data;
unsigned int idx = clkspec->args[0];
+ if (idx >= rs9->chip_info->num_clks)
+ return ERR_PTR(-EINVAL);
+
return rs9->clk_dif[idx];
}
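Review bot: the new check at the top of rs9_of_clk_get() bounds idx by rs9->chip_info->num_clks, while the array indexed on the return line is rs9->clk_dif[], and nothing in this hunk shows that num_clks can never exceed the length of clk_dif[]. If that invariant is guaranteed elsewhere, state it in the commit message or in a comment above the check; if clk_dif[] is a fixed-size member, also bounding idx by ARRAY_SIZE(rs9->clk_dif) would make the check self-evidently sufficient. The rejection is also silent: an out-of-range index in the DT clock specifier returns ERR_PTR(-EINVAL) with no message, so a pr_err() that prints the offending index, as of_clk_src_onecell_get() does, would make a DT mistake diagnosable from the kernel log.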
--
2.43.0
On 1/20/26 10:05 AM, Geert Uytterhoeven wrote:
> rs9_of_clk_get() does not validate the clock index in the passed
> DT clock specifier. If DT specifies an incorrect and out-of-range
> index, this will access memory beyond the end of the clk_dif[] array.
>
> Fix this by adding a range check to rs9_of_clk_get().
>
> Fixes: 892e0ddea1aa6f70 ("clk: rs9: Add Renesas 9-series PCIe clock generator driver")
> Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
> ---
> This is v2 of "[PATCH] clk: rs9: Convert to clk_hw_onecell_data and
> of_clk_hw_onecell_get()"
> (https://lore.kernel.org/a6dce17b15d29a257d09fe0edc199a14c297f1a8.1768836042.git.geert+renesas@glider.be)
>
> v2:
> - Just add the missing range check; the conversion to
> of_clk_hw_onecell_get() can be done later.
> ---
> drivers/clk/clk-renesas-pcie.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/clk/clk-renesas-pcie.c b/drivers/clk/clk-renesas-pcie.c
> index aa108df12e44fb9f..1adc5365ba1a3d59 100644
> --- a/drivers/clk/clk-renesas-pcie.c
> +++ b/drivers/clk/clk-renesas-pcie.c
> @@ -277,6 +277,9 @@ rs9_of_clk_get(struct of_phandle_args *clkspec, void *data)
> struct rs9_driver_data *rs9 = data;
> unsigned int idx = clkspec->args[0];
>
> + if (idx >= rs9->chip_info->num_clks)
of_clk_src_onecell_get() does a pr_err("%s: invalid clock index %u\n",
__func__, idx); on error, should this function do the same ?
> + return ERR_PTR(-EINVAL);
> +
Thanks !
Hi Marek,
On Wed, 21 Jan 2026 at 03:24, Marek Vasut <marek.vasut@mailbox.org> wrote:
> On 1/20/26 10:05 AM, Geert Uytterhoeven wrote:
> > rs9_of_clk_get() does not validate the clock index in the passed
> > DT clock specifier. If DT specifies an incorrect and out-of-range
> > index, this will access memory beyond the end of the clk_dif[] array.
> >
> > Fix this by adding a range check to rs9_of_clk_get().
> >
> > Fixes: 892e0ddea1aa6f70 ("clk: rs9: Add Renesas 9-series PCIe clock generator driver")
> > Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
> > ---
> > This is v2 of "[PATCH] clk: rs9: Convert to clk_hw_onecell_data and
> > of_clk_hw_onecell_get()"
> > (https://lore.kernel.org/a6dce17b15d29a257d09fe0edc199a14c297f1a8.1768836042.git.geert+renesas@glider.be)
> >
> > v2:
> > - Just add the missing range check; the conversion to
> > of_clk_hw_onecell_get() can be done later.
> > ---
> > drivers/clk/clk-renesas-pcie.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/clk/clk-renesas-pcie.c b/drivers/clk/clk-renesas-pcie.c
> > index aa108df12e44fb9f..1adc5365ba1a3d59 100644
> > --- a/drivers/clk/clk-renesas-pcie.c
> > +++ b/drivers/clk/clk-renesas-pcie.c
> > @@ -277,6 +277,9 @@ rs9_of_clk_get(struct of_phandle_args *clkspec, void *data)
> > struct rs9_driver_data *rs9 = data;
> > unsigned int idx = clkspec->args[0];
> >
> > + if (idx >= rs9->chip_info->num_clks)
>
> of_clk_src_onecell_get() does a pr_err("%s: invalid clock index %u\n",
> __func__, idx); on error, should this function do the same ?
I can add it if you want. But this function will (hopefully) be
short-lived anyway.
>
> > + return ERR_PTR(-EINVAL);
> > +
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
On 1/21/26 10:34 AM, Geert Uytterhoeven wrote:
Hello Geert,
>>> diff --git a/drivers/clk/clk-renesas-pcie.c b/drivers/clk/clk-renesas-pcie.c
>>> index aa108df12e44fb9f..1adc5365ba1a3d59 100644
>>> --- a/drivers/clk/clk-renesas-pcie.c
>>> +++ b/drivers/clk/clk-renesas-pcie.c
>>> @@ -277,6 +277,9 @@ rs9_of_clk_get(struct of_phandle_args *clkspec, void *data)
>>> struct rs9_driver_data *rs9 = data;
>>> unsigned int idx = clkspec->args[0];
>>>
>>> + if (idx >= rs9->chip_info->num_clks)
>>
>> of_clk_src_onecell_get() does a pr_err("%s: invalid clock index %u\n",
>> __func__, idx); on error, should this function do the same ?
>
> I can add it if you want. But this function will (hopefully) be
> short-lived anyway.
This will be backported to stable, the rewrite to onecell won't, so this
will be long lived in stable backports. Please add it. Thank you !