From: Salvatore Bonaccorso <carnil@debian.org>
To: Nathan Chancellor <nathan@kernel.org>,
1121211@bugs.debian.org, Jochen Sprickerhof <jspricke@debian.org>
Cc: Krzysztof Kozlowski <krzk@kernel.org>,
Sylwester Nawrocki <s.nawrocki@samsung.com>,
Chanwoo Choi <cw00.choi@samsung.com>,
Alim Akhtar <alim.akhtar@samsung.com>,
Michael Turquette <mturquette@baylibre.com>,
Stephen Boyd <sboyd@kernel.org>,
linux-samsung-soc@vger.kernel.org, linux-clk@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
Kees Cook <kees@kernel.org>
Subject: Re: Bug#1121211: UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/drivers/clk/samsung/clk-exynos-clkout.c:178:18
Date: Sun, 23 Nov 2025 08:57:09 +0100 [thread overview]
Message-ID: <aSK-VbbaGL4fAfkh@eldamar.lan> (raw)
In-Reply-To: <20251122203856.GA1099833@ax162>
Hi Nathan,
On Sat, Nov 22, 2025 at 01:38:56PM -0700, Nathan Chancellor wrote:
> On Sat, Nov 22, 2025 at 09:07:40PM +0100, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > Jochen reported the folowing while booting 6.17.8 based kernel in
> > Debian:
> >
> > On Sat, Nov 22, 2025 at 07:19:06PM +0100, Jochen Sprickerhof wrote:
> > > Package: src:linux
> > > Version: 6.17.8-1
> > > Severity: normal
> > >
> > > First time booting into 6.17.8-1 and first time I see UBSAN in my logs:
> > >
> > > [Nov21 08:31] Booting Linux on physical CPU 0x100
> > > [ +0,012977] ------------[ cut here ]------------
> > > [ +0,000017] UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/drivers/clk/samsung/clk-exynos-clkout.c:178:18
> > > [ +0,000038] index 0 is out of range for type 'clk_hw *[*]'
> > > [ +0,000025] CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.8+deb14-armmp #1 NONE Debian 6.17.8-1
> > > [ +0,000018] Hardware name: Samsung Exynos (Flattened Device Tree)
> > > [ +0,000007] Call trace:
> > > [ +0,000009] unwind_backtrace from show_stack+0x18/0x1c
> > > [ +0,000042] show_stack from dump_stack_lvl+0x54/0x68
> > > [ +0,000036] dump_stack_lvl from ubsan_epilogue+0x8/0x34
> > > [ +0,000025] ubsan_epilogue from __ubsan_handle_out_of_bounds+0x88/0x8c
> > > [ +0,000024] __ubsan_handle_out_of_bounds from exynos_clkout_probe+0x38c/0x428
> > > [ +0,000029] exynos_clkout_probe from platform_probe+0x64/0x98
> > > [ +0,000034] platform_probe from really_probe+0xd8/0x3ac
> > > [ +0,000031] really_probe from __driver_probe_device+0x94/0x1dc
> > > [ +0,000027] __driver_probe_device from driver_probe_device+0x3c/0xd8
> > > [ +0,000027] driver_probe_device from __driver_attach+0xd8/0x1d8
> > > [ +0,000028] __driver_attach from bus_for_each_dev+0x84/0xd4
> > > [ +0,000026] bus_for_each_dev from bus_add_driver+0xf4/0x218
> > > [ +0,000023] bus_add_driver from driver_register+0x8c/0x140
> > > [ +0,000027] driver_register from do_one_initcall+0x50/0x24c
> > > [ +0,000023] do_one_initcall from kernel_init_freeable+0x288/0x2fc
> > > [ +0,000022] kernel_init_freeable from kernel_init+0x24/0x140
> > > [ +0,000022] kernel_init from ret_from_fork+0x14/0x28
> > > [ +0,000015] Exception stack(0xf0835fb0 to 0xf0835ff8)
> > > [ +0,000012] 5fa0: 00000000 00000000 00000000 00000000
> > > [ +0,000011] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> > > [ +0,000009] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> > > [ +0,000007] ---[ end trace ]---
> > > [ +0,000226] ------------[ cut here ]------------
> > > [ +0,000012] UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/drivers/clk/samsung/clk-exynos-clkout.c:183:29
> > > [ +0,000032] index 0 is out of range for type 'clk_hw *[*]'
> > > [ +0,000021] CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.8+deb14-armmp #1 NONE Debian 6.17.8-1
> > > [ +0,000014] Hardware name: Samsung Exynos (Flattened Device Tree)
> > > [ +0,000006] Call trace:
> > > [ +0,000006] unwind_backtrace from show_stack+0x18/0x1c
> > > [ +0,000032] show_stack from dump_stack_lvl+0x54/0x68
> > > [ +0,000033] dump_stack_lvl from ubsan_epilogue+0x8/0x34
> > > [ +0,000023] ubsan_epilogue from __ubsan_handle_out_of_bounds+0x88/0x8c
> > > [ +0,000020] __ubsan_handle_out_of_bounds from exynos_clkout_probe+0x354/0x428
> > > [ +0,000024] exynos_clkout_probe from platform_probe+0x64/0x98
> > > [ +0,000031] platform_probe from really_probe+0xd8/0x3ac
> > > [ +0,000031] really_probe from __driver_probe_device+0x94/0x1dc
> > > [ +0,000031] __driver_probe_device from driver_probe_device+0x3c/0xd8
> > > [ +0,000028] driver_probe_device from __driver_attach+0xd8/0x1d8
> > > [ +0,000027] __driver_attach from bus_for_each_dev+0x84/0xd4
> > > [ +0,000025] bus_for_each_dev from bus_add_driver+0xf4/0x218
> > > [ +0,000023] bus_add_driver from driver_register+0x8c/0x140
> > > [ +0,000027] driver_register from do_one_initcall+0x50/0x24c
> > > [ +0,000022] do_one_initcall from kernel_init_freeable+0x288/0x2fc
> > > [ +0,000019] kernel_init_freeable from kernel_init+0x24/0x140
> > > [ +0,000020] kernel_init from ret_from_fork+0x14/0x28
> > > [ +0,000016] Exception stack(0xf0835fb0 to 0xf0835ff8)
> > > [ +0,000010] 5fa0: 00000000 00000000 00000000 00000000
> > > [ +0,000009] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> > > [ +0,000009] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> > > [ +0,000098] ---[ end trace ]---
> >
> > Can you have a look into it? The downstream report is at
> > https://bugs.debian.org/1121211
>
> I bet it is the same problem as the ones I fixed in
>
> 6dc445c19050 ("clk: bcm: rpi: Assign ->num before accessing ->hws")
> 9368cdf90f52 ("clk: bcm: dvp: Assign ->num before accessing ->hws")
>
> So something like this?
>
> Cheers,
> Nathan
>
> diff --git a/drivers/clk/samsung/clk-exynos-clkout.c b/drivers/clk/samsung/clk-exynos-clkout.c
> index 5f1a4f5e2e59..5b21025338bd 100644
> --- a/drivers/clk/samsung/clk-exynos-clkout.c
> +++ b/drivers/clk/samsung/clk-exynos-clkout.c
> @@ -175,6 +175,7 @@ static int exynos_clkout_probe(struct platform_device *pdev)
> clkout->mux.shift = EXYNOS_CLKOUT_MUX_SHIFT;
> clkout->mux.lock = &clkout->slock;
>
> + clkout->data.num = EXYNOS_CLKOUT_NR_CLKS;
> clkout->data.hws[0] = clk_hw_register_composite(NULL, "clkout",
> parent_names, parent_count, &clkout->mux.hw,
> &clk_mux_ops, NULL, NULL, &clkout->gate.hw,
> @@ -185,7 +186,6 @@ static int exynos_clkout_probe(struct platform_device *pdev)
> goto err_unmap;
> }
>
> - clkout->data.num = EXYNOS_CLKOUT_NR_CLKS;
> ret = of_clk_add_hw_provider(clkout->np, of_clk_hw_onecell_get, &clkout->data);
> if (ret)
> goto err_clk_unreg;
Thank you very much. Jochen, can you test the patch and report back?
Regards,
Salvatore
next prev parent reply other threads:[~2025-11-23 7:57 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <176383554642.17713.6408785381758213911.reportbug@vis>
2025-11-22 20:07 ` Bug#1121211: UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/drivers/clk/samsung/clk-exynos-clkout.c:178:18 Salvatore Bonaccorso
2025-11-22 20:38 ` Nathan Chancellor
2025-11-23 7:57 ` Salvatore Bonaccorso [this message]
2025-11-23 20:33 ` Jochen Sprickerhof
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aSK-VbbaGL4fAfkh@eldamar.lan \
--to=carnil@debian.org \
--cc=1121211@bugs.debian.org \
--cc=alim.akhtar@samsung.com \
--cc=cw00.choi@samsung.com \
--cc=jspricke@debian.org \
--cc=kees@kernel.org \
--cc=krzk@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-clk@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-samsung-soc@vger.kernel.org \
--cc=mturquette@baylibre.com \
--cc=nathan@kernel.org \
--cc=s.nawrocki@samsung.com \
--cc=sboyd@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.