From: Xiaolei Wang <xiaolei.wang@windriver.com>
To: aisheng.dong@nxp.com, festevam@gmail.com, shawnguo@kernel.org,
ping.bai@nxp.com, kernel@pengutronix.de,
linus.walleij@linaro.org, shenwei.wang@nxp.com,
bartosz.golaszewski@linaro.org, peng.fan@nxp.com
Cc: linux-gpio@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [v2][PATCH] pinctrl: freescale: Fix a memory out of bounds when num_configs is 1
Date: Wed, 3 May 2023 09:21:27 +0800 [thread overview]
Message-ID: <20230503012127.4157304-1-xiaolei.wang@windriver.com> (raw)
The config passed in by pad wakeup is 1, When num_configs is 1,
configs[1] should not be obtained, which will generate the
following memory out-of-bounds situation:
BUG: KASAN: stack out of bounds in imx_pinconf_set_scu+0x9c/0x160
Read size 8 at address ffff8000104c7558 by task sh/664
CPU: 3 PID: 664 Communication: sh Tainted: G WC 6.1.20 #1
Hardware name: Freescale i.MX8QM MEK (DT)
Call trace:
dump_backtrace.part.0+0xe0/0xf0
show stack+0x18/0x30
dump_stack_lvl+0x64/0x80
print report +0x154/0x458
kasan_report+0xb8/0x100
__asan_load8+0x80/0xac
imx_pinconf_set_scu+0x9c/0x160
imx_pinconf_set+0x6c/0x214
pinconf_set_config+0x68/0x90
pinctrl_gpio_set_config+0x138/0x170
gpiochip_generic_config+0x44/0x60
mxc_gpio_set_pad_wakeup+0x100/0x140
mxc_gpio_noirq_suspend+0x50/0x74
pm_generic_suspend_noirq+0x4c/0x70
genpd_finish_suspend+0x174/0x260
genpd_suspend_noirq+0x14/0x20
dpm_run_callback.constprop.0+0x48/0xec
__device_suspend_noirq+0x1a8/0x370
dpm_noirq_suspend_devices+0x1cc/0x320
dpm_suspend_noirq+0x7c/0x11c
suspend_devices_and_enter+0x27c/0x760
pm_suspend+0x36c/0x3e0
Fixes: f60c9eac54af ("gpio: mxc: enable pad wakeup on i.MX8x platforms")
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
---
drivers/pinctrl/freescale/pinctrl-scu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/pinctrl/freescale/pinctrl-scu.c b/drivers/pinctrl/freescale/pinctrl-scu.c
index ea261b6e7458..3b252d684d72 100644
--- a/drivers/pinctrl/freescale/pinctrl-scu.c
+++ b/drivers/pinctrl/freescale/pinctrl-scu.c
@@ -90,7 +90,7 @@ int imx_pinconf_set_scu(struct pinctrl_dev *pctldev, unsigned pin_id,
struct imx_sc_msg_req_pad_set msg;
struct imx_sc_rpc_msg *hdr = &msg.hdr;
unsigned int mux = configs[0];
- unsigned int conf = configs[1];
+ unsigned int conf;
unsigned int val;
int ret;
@@ -115,6 +115,7 @@ int imx_pinconf_set_scu(struct pinctrl_dev *pctldev, unsigned pin_id,
* Set mux and conf together in one IPC call
*/
WARN_ON(num_configs != 2);
+ conf = configs[1];
val = conf | BM_PAD_CTL_IFMUX_ENABLE | BM_PAD_CTL_GP_ENABLE;
val |= mux << BP_PAD_CTL_IFMUX;
--
2.25.1
next reply other threads:[~2023-05-03 1:22 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-03 1:21 Xiaolei Wang [this message]
2023-05-03 19:14 ` [v2][PATCH] pinctrl: freescale: Fix a memory out of bounds when num_configs is 1 andy.shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230503012127.4157304-1-xiaolei.wang@windriver.com \
--to=xiaolei.wang@windriver.com \
--cc=aisheng.dong@nxp.com \
--cc=bartosz.golaszewski@linaro.org \
--cc=festevam@gmail.com \
--cc=kernel@pengutronix.de \
--cc=linus.walleij@linaro.org \
--cc=linux-gpio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peng.fan@nxp.com \
--cc=ping.bai@nxp.com \
--cc=shawnguo@kernel.org \
--cc=shenwei.wang@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).