The ceiling value isn't checked before writing it into registers. The user
could write a value higher than the counter resolution (e.g. 16 or 32 bits
indicated by max_arr). This makes most significant bits to be truncated.
Fix it by checking the max_arr to report a range error [1] to the user.
Fixes: ad29937e206f ("counter: Add STM32 Timer quadrature encoder")
[1] https://lkml.org/lkml/2021/2/12/358
Signed-off-by: Fabrice Gasnier <fabrice.gasn...@foss.st.com>
---
drivers/counter/stm32-timer-cnt.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/counter/stm32-timer-cnt.c
b/drivers/counter/stm32-timer-cnt.c
index ef2a974..2cf0c05 100644
--- a/drivers/counter/stm32-timer-cnt.c
+++ b/drivers/counter/stm32-timer-cnt.c
@@ -32,6 +32,7 @@ struct stm32_timer_cnt {
struct regmap *regmap;
struct clk *clk;
u32 ceiling;
+ u32 max_arr;
bool enabled;
struct stm32_timer_regs bak;
};
@@ -185,6 +186,9 @@ static ssize_t stm32_count_ceiling_write(struct
counter_device *counter,
if (ret)
return ret;
+ if (ceiling > priv->max_arr)
+ return -ERANGE;
+
/* TIMx_ARR register shouldn't be buffered (ARPE=0) */
regmap_update_bits(priv->regmap, TIM_CR1, TIM_CR1_ARPE, 0);
regmap_write(priv->regmap, TIM_ARR, ceiling);
@@ -360,6 +364,7 @@ static int stm32_timer_cnt_probe(struct platform_device
*pdev)
priv->regmap = ddata->regmap;
priv->clk = ddata->clk;
priv->ceiling = ddata->max_arr;
+ priv->max_arr = ddata->max_arr;
priv->counter.name = dev_name(dev);
priv->counter.parent = dev;
--
2.7.4
