* [PATCH v3 0/1] pinctrl: freescale: Fix a memory out of bounds when num_configs is 1
From: Xiaolei Wang @ 2023-05-04 0:33 UTC (permalink / raw)
To: aisheng.dong, festevam, shawnguo, ping.bai, kernel, linus.walleij,
shenwei.wang, peng.fan, bartosz.golaszewski
Cc: linux-gpio, linux-kernel
Compared with v2, v3 simplifies the call trace log and only keeps the real
problem part.
Xiaolei Wang (1):
pinctrl: freescale: Fix a memory out of bounds when num_configs is 1
drivers/pinctrl/freescale/pinctrl-scu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--
2.25.1
* [PATCH v3 1/1] pinctrl: freescale: Fix a memory out of bounds when num_configs is 1
From: Xiaolei Wang @ 2023-05-04 0:33 UTC (permalink / raw)
To: aisheng.dong, festevam, shawnguo, ping.bai, kernel, linus.walleij,
shenwei.wang, peng.fan, bartosz.golaszewski
Cc: linux-gpio, linux-kernel
The config passed in by pad wakeup is 1. When num_configs is 1,
configs[1] should not be obtained, which will generate the
following memory out-of-bounds situation:
BUG: KASAN: stack-out-of-bounds in imx_pinconf_set_scu+0x9c/0x160
Read of size 8 at addr ffff8000104c7558 by task sh/664
CPU: 3 PID: 664 Comm: sh Tainted: G WC 6.1.20 #1
Hardware name: Freescale i.MX8QM MEK (DT)
Call trace:
dump_backtrace.part.0+0xe0/0xf0
show_stack+0x18/0x30
dump_stack_lvl+0x64/0x80
print_report+0x154/0x458
kasan_report+0xb8/0x100
__asan_load8+0x80/0xac
imx_pinconf_set_scu+0x9c/0x160
imx_pinconf_set+0x6c/0x214
pinconf_set_config+0x68/0x90
pinctrl_gpio_set_config+0x138/0x170
gpiochip_generic_config+0x44/0x60
mxc_gpio_set_pad_wakeup+0x100/0x140
Fixes: f60c9eac54af ("gpio: mxc: enable pad wakeup on i.MX8x platforms")
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
---
drivers/pinctrl/freescale/pinctrl-scu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/pinctrl/freescale/pinctrl-scu.c b/drivers/pinctrl/freescale/pinctrl-scu.c
index ea261b6e7458..3b252d684d72 100644
--- a/drivers/pinctrl/freescale/pinctrl-scu.c
+++ b/drivers/pinctrl/freescale/pinctrl-scu.c
@@ -90,7 +90,7 @@ int imx_pinconf_set_scu(struct pinctrl_dev *pctldev, unsigned pin_id,
struct imx_sc_msg_req_pad_set msg;
struct imx_sc_rpc_msg *hdr = &msg.hdr;
unsigned int mux = configs[0];
- unsigned int conf = configs[1];
+ unsigned int conf;
unsigned int val;
int ret;
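Review bot: `unsigned int mux = configs[0];` is still read at declaration, ahead of any check on num_configs visible in this hunk, so it has the same shape as the configs[1] read being removed. If a caller can ever pass num_configs == 0, move that read below a length check as well; otherwise add a short comment stating that callers always supply at least one entry. Leaving conf uninitialized is fine as long as its only use stays after the assignment added in the next hunk.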
@@ -115,6 +115,7 @@ int imx_pinconf_set_scu(struct pinctrl_dev *pctldev, unsigned pin_id,
* Set mux and conf together in one IPC call
*/
WARN_ON(num_configs != 2);
+ conf = configs[1];
val = conf | BM_PAD_CTL_IFMUX_ENABLE | BM_PAD_CTL_GP_ENABLE;
val |= mux << BP_PAD_CTL_IFMUX;
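Review bot: WARN_ON(num_configs != 2) directly above the new `conf = configs[1];` only logs and lets execution continue, so if this path is ever reached with num_configs == 1 the read past the end of configs still happens, just later in the function. Consider bailing out before the assignment, for example `if (WARN_ON(num_configs != 2)) return -EINVAL;`, so the index is in range on every path that reaches it.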
--
2.25.1
* Re: [PATCH v3 1/1] pinctrl: freescale: Fix a memory out of bounds when num_configs is 1
From: andy.shevchenko @ 2023-05-04 15:02 UTC (permalink / raw)
To: Xiaolei Wang
Cc: aisheng.dong, festevam, shawnguo, ping.bai, kernel, linus.walleij,
shenwei.wang, peng.fan, bartosz.golaszewski, linux-gpio,
linux-kernel
Thu, May 04, 2023 at 08:33:30AM +0800, Xiaolei Wang wrote:
...
The link to the documentation I have added into reply to your v1 was about
backtraces in the commit messages. For a single patch there is no need to have
a cover letter.
> BUG: KASAN: stack-out-of-bounds in imx_pinconf_set_scu+0x9c/0x160
> Read of size 8 at addr ffff8000104c7558 by task sh/664
> CPU: 3 PID: 664 Comm: sh Tainted: G WC 6.1.20 #1
> Hardware name: Freescale i.MX8QM MEK (DT)
> Call trace:
> dump_backtrace.part.0+0xe0/0xf0
> show_stack+0x18/0x30
> dump_stack_lvl+0x64/0x80
> print_report+0x154/0x458
> kasan_report+0xb8/0x100
> __asan_load8+0x80/0xac
> imx_pinconf_set_scu+0x9c/0x160
> imx_pinconf_set+0x6c/0x214
> pinconf_set_config+0x68/0x90
> pinctrl_gpio_set_config+0x138/0x170
> gpiochip_generic_config+0x44/0x60
> mxc_gpio_set_pad_wakeup+0x100/0x140
This is too long a backtrace. The documentation tells you to shrink it to the
important lines only, which in this case is something like less than 10 and not
17. Hence, remove _at least_ 8 lines from the backtrace.
Codewise the proposed change is good, though.
--
With Best Regards,
Andy Shevchenko