From mboxrd@z Thu Jan 1 00:00:00 1970
From: mark.rutland@arm.com (Mark Rutland)
Date: Mon, 7 Nov 2016 15:47:20 +0000
Subject: [PATCH] iommu/arm-smmu: Fix out-of-bounds dereference
In-Reply-To:
References:
Message-ID: <20161107154719.GK19796@leverpostej>
To: linux-arm-kernel@lists.infradead.org
List-Id: linux-arm-kernel.lists.infradead.org

On Mon, Nov 07, 2016 at 03:39:02PM +0000, Robin Murphy wrote:
> When we iterate a master's config entries, what we generally care
> about is the entry's stream map index, rather than the entry index
> itself, so it's nice to have the iterator automatically assign the
> former from the latter. Unfortunately, booting with KASAN reveals
> the oversight that using a simple comma operator results in the
> entry index being dereferenced before being checked for validity,
> so we always access one element past the end of the fwspec array.
>
> Flip things around so that the check always happens before the index
> may be dereferenced.
>
> Fixes: adfec2e709d2 ("iommu/arm-smmu: Convert to iommu_fwspec")
> Reported-by: Mark Rutland
> Signed-off-by: Robin Murphy

This patch fixes the KASAN splats as I saw (example below). With this
patch applied, my dmesg is free of errors. So feel free to add:

Tested-by: Mark Rutland

Thanks,
Mark.
==================================================================
BUG: KASAN: slab-out-of-bounds in arm_smmu_add_device+0x510/0x960 at addr ffff800935c6e72c
Read of size 2 by task swapper/0/1
CPU: 4 PID: 1 Comm: swapper/0 Not tainted 4.9.0-rc3-00005-g8cc374c #79
Hardware name: ARM Juno development board (r1) (DT)
Call trace:
[] dump_backtrace+0x0/0x278
[] show_stack+0x14/0x20
[] dump_stack+0xa4/0xc8
[] kasan_object_err+0x24/0x80
[] kasan_report_error+0x208/0x4d0
[] kasan_report+0x40/0x48
[] __asan_load2+0x84/0x98
[] arm_smmu_add_device+0x510/0x960
[] iommu_bus_notifier+0x120/0x160
[] notifier_call_chain+0x6c/0xb8
[] __blocking_notifier_call_chain+0x5c/0xa0
[] blocking_notifier_call_chain+0x14/0x20
[] device_add+0x5c8/0x840
[] amba_device_try_add+0x1cc/0x298
[] amba_device_add+0x20/0x148
[] of_platform_bus_create+0x34c/0x428
[] of_platform_populate+0x4c/0xb8
[] of_platform_default_populate_init+0x78/0x8c
[] do_one_initcall+0x90/0x1c8
[] kernel_init_freeable+0x280/0x324
[] kernel_init+0x10/0x110
[] ret_from_fork+0x10/0x50
Object at ffff800935c6e700, in cache kmalloc-128 size: 128
Allocated:
PID = 1
[] save_stack_trace_tsk+0x0/0x180
[] save_stack_trace+0x28/0x38
[] kasan_kmalloc+0xdc/0x188
[] __kmalloc+0x148/0x238
[] arm_smmu_add_device+0x1c8/0x960
[] iommu_bus_notifier+0x120/0x160
[] notifier_call_chain+0x6c/0xb8
[] __blocking_notifier_call_chain+0x5c/0xa0
[] blocking_notifier_call_chain+0x14/0x20
[] device_add+0x5c8/0x840
[] amba_device_try_add+0x1cc/0x298
[] amba_device_add+0x20/0x148
[] of_platform_bus_create+0x34c/0x428
[] of_platform_populate+0x4c/0xb8
[] of_platform_default_populate_init+0x78/0x8c
[] do_one_initcall+0x90/0x1c8
[] kernel_init_freeable+0x280/0x324
[] kernel_init+0x10/0x110
[] ret_from_fork+0x10/0x50
Freed:
PID = 0
(stack is not available)
Memory state around the buggy address:
 ffff800935c6e600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff800935c6e680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff800935c6e700: 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc
                                  ^
 ffff800935c6e780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff800935c6e800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
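The evaluation-order bug described in the quoted commit message, as an added C example that is not the kernel's arm-smmu code: the `for_each_sme_*` macros, `struct fwspec`, `struct master_cfg` and `read_smendx` are hypothetical stand-ins, and the bounds-checked accessor plays the role KASAN played on the Juno, counting the one-past-the-end read instead of performing it.

```c
#include <stddef.h>
#include <stdbool.h>

/* Hypothetical stand-ins for the fwspec and the master's config. */
struct fwspec { size_t num_ids; };
struct master_cfg { int smendx[4]; };
struct walk_result { int sum; unsigned oob_reads; };

static unsigned oob_reads;

/* Bounds-checked read standing in for KASAN: an access at i >= num_ids is
 * counted and refused instead of touching memory past the end. */
static int read_smendx(const struct fwspec *fw, const struct master_cfg *cfg, size_t i)
{
	if (i >= fw->num_ids) {
		oob_reads++;
		return -1;
	}
	return cfg->smendx[i];
}

/* Buggy ordering: the comma operator evaluates the read first and only then
 * tests i < num_ids, so the terminating iteration reads smendx[num_ids]. */
#define for_each_sme_buggy(fw, cfg, i, idx) \
	for ((i) = 0; (idx) = read_smendx(fw, cfg, i), (i) < (fw)->num_ids; ++(i))

/* Fixed ordering: the bound is tested first and && short-circuits, so no
 * read is attempted once i reaches num_ids. */
#define for_each_sme_fixed(fw, cfg, i, idx) \
	for ((i) = 0; (i) < (fw)->num_ids && ((idx) = read_smendx(fw, cfg, i), true); ++(i))

/* Walk a constructed 3-entry config with either iterator; report the visited sum and OOB read count. */
static struct walk_result walk(bool fixed)
{
	struct fwspec fw = { .num_ids = 3 };
	struct master_cfg cfg = { .smendx = { 5, 7, 9, 0 } };
	struct walk_result r = { 0, 0 };
	size_t i; int idx;

	oob_reads = 0;
	if (fixed) {
		for_each_sme_fixed(&fw, &cfg, i, idx)
			r.sum += idx;
	} else {
		for_each_sme_buggy(&fw, &cfg, i, idx)
			r.sum += idx;
	}
	r.oob_reads = oob_reads;
	return r;
}
```

Both iterators visit the same three entries, but only the buggy one attempts a fourth read at index 3, which is exactly the "one element past the end" access the splat above reports.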