From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Jerome Blin <jerome.blin@intel.com>,
	Mika Westerberg <mika.westerberg@linux.intel.com>,
	Mark Brown <broonie@linaro.org>
Subject: [ 95/95] spi/pxa2xx: fix memory corruption due to wrong size used in devm_kzalloc()
Date: Tue, 25 Jun 2013 11:33:22 -0700
Message-ID: <20130625182204.390799090@linuxfoundation.org>
In-Reply-To: <20130625182153.605455184@linuxfoundation.org>

3.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mika Westerberg <mika.westerberg@linux.intel.com>

commit cc0ee9873c6afafb387379ca1df25da78a08c603 upstream.

ACPI part of the driver accidentally used sizeof(*ssp) instead of the
correct sizeof(*pdata). This leads to nasty memory corruptions like the one
below:

    BUG: unable to handle kernel paging request at 0000000749fd30b8
    IP: [<ffffffff813fe8a1>] __list_del_entry+0x31/0xd0
    PGD 0
    Oops: 0000 [#1] PREEMPT SMP
    Modules linked in:
    CPU: 0 PID: 30 Comm: kworker/0:1 Not tainted 3.10.0-rc6v3.10-rc6_sdhci_modprobe+ #443
    task: ffff8801483a0940 ti: ffff88014839e000 task.ti: ffff88014839e000
    RIP: 0010:[<ffffffff813fe8a1>]  [<ffffffff813fe8a1>] __list_del_entry+0x31/0xd0
    RSP: 0000:ffff88014839fde8  EFLAGS: 00010046
    RAX: ffff880149fd30b0 RBX: ffff880149fd3040 RCX: dead000000200200
    RDX: 0000000749fd30b0 RSI: ffff880149fd3058 RDI: ffff88014834d640
    RBP: ffff88014839fde8 R08: ffff88014834d640 R09: 0000000000000001
    R10: ffff8801483a0940 R11: 0000000000000001 R12: ffff880149fd3040
    R13: ffffffff810e0b30 R14: ffff8801483a0940 R15: ffff88014834d640
    FS:  0000000000000000(0000) GS:ffff880149e00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000168 CR3: 0000000001e0b000 CR4: 00000000001407f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Stack:
     ffff88014839fe48 ffffffff810e0baf ffffffff81120abd ffff88014839fe20
     ffff8801483a0940 ffff8801483a0940 ffff8801483a0940 ffff8801486b1c90
     ffff88014834d640 ffffffff810e0b30 0000000000000000 0000000000000000
    Call Trace:
     [<ffffffff810e0baf>] worker_thread+0x7f/0x390
     [<ffffffff81120abd>] ? trace_hardirqs_on+0xd/0x10
     [<ffffffff810e0b30>] ? manage_workers.isra.22+0x2b0/0x2b0
     [<ffffffff810e6c09>] kthread+0xd9/0xe0
     [<ffffffff810f93df>] ? local_clock+0x3f/0x50
     [<ffffffff810e6b30>] ? kthread_create_on_node+0x110/0x110
     [<ffffffff818c5dec>] ret_from_fork+0x7c/0xb0
     [<ffffffff810e6b30>] ? kthread_create_on_node+0x110/0x110

Fix this by using the right structure size in devm_kzalloc().

Reported-by: Jerome Blin <jerome.blin@intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/spi/spi-pxa2xx.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/spi/spi-pxa2xx.c
+++ b/drivers/spi/spi-pxa2xx.c
@@ -1069,7 +1069,7 @@ pxa2xx_spi_acpi_get_pdata(struct platfor
 	    acpi_bus_get_device(ACPI_HANDLE(&pdev->dev), &adev))
 		return NULL;
 
-	pdata = devm_kzalloc(&pdev->dev, sizeof(*ssp), GFP_KERNEL);
+	pdata = devm_kzalloc(&pdev->dev, sizeof(*pdata), GFP_KERNEL);
 	if (!pdata) {
 		dev_err(&pdev->dev,
 			"failed to allocate memory for platform data\n");

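Review bot: The changelog for the one-line change at the devm_kzalloc() call does not say how the two structures differ in size, nor which commit introduced the sizeof(*ssp) mistake, and both would help decide which stable trees need this backport. The new sizeof(*pdata) matches the pointer being assigned, which is the form that stays correct if the variable's type changes. The quoted oops faults in __list_del_entry under worker_thread, far from this function, so one sentence explaining that writes through pdata run past the undersized allocation into a neighbouring object would tie the trace to the cause. As a separate follow-up, the dev_err() in the trailing context lines repeats what the allocator already reports on failure and could be dropped, leaving only the NULL check.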