Re: [PATCH] i2c: mpc: Avoid out of bounds memory access

linux-i2c.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Wolfram Sang <wsa@kernel.org>
To: Chris Packham <chris.packham@alliedtelesis.co.nz>
Cc: mbizon@freebox.fr, linux-i2c@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] i2c: mpc: Avoid out of bounds memory access
Date: Thu, 6 Jan 2022 14:44:56 +0100	[thread overview]
Message-ID: <YdbyWBujbFNde6K6@ninjato> (raw)
In-Reply-To: <20220105015304.1368234-1-chris.packham@alliedtelesis.co.nz>

[-- Attachment #1: Type: text/plain, Size: 2765 bytes --]

On Wed, Jan 05, 2022 at 02:53:04PM +1300, Chris Packham wrote:
> When performing an I2C transfer where the last message was a write KASAN
> would complain:
> 
>   BUG: KASAN: slab-out-of-bounds in mpc_i2c_do_action+0x154/0x630
>   Read of size 2 at addr c814e310 by task swapper/2/0
> 
>   CPU: 2 PID: 0 Comm: swapper/2 Tainted: G    B             5.16.0-rc8 #1
>   Call Trace:
>   [e5ee9d50] [c08418e8] dump_stack_lvl+0x4c/0x6c (unreliable)
>   [e5ee9d70] [c02f8a14] print_address_description.constprop.13+0x64/0x3b0
>   [e5ee9da0] [c02f9030] kasan_report+0x1f0/0x204
>   [e5ee9de0] [c0c76ee4] mpc_i2c_do_action+0x154/0x630
>   [e5ee9e30] [c0c782c4] mpc_i2c_isr+0x164/0x240
>   [e5ee9e60] [c00f3a04] __handle_irq_event_percpu+0xf4/0x3b0
>   [e5ee9ec0] [c00f3d40] handle_irq_event_percpu+0x80/0x110
>   [e5ee9f40] [c00f3e48] handle_irq_event+0x78/0xd0
>   [e5ee9f60] [c00fcfec] handle_fasteoi_irq+0x19c/0x370
>   [e5ee9fa0] [c00f1d84] generic_handle_irq+0x54/0x80
>   [e5ee9fc0] [c0006b54] __do_irq+0x64/0x200
>   [e5ee9ff0] [c0007958] __do_IRQ+0xe8/0x1c0
>   [c812dd50] [e3eaab20] 0xe3eaab20
>   [c812dd90] [c0007a4c] do_IRQ+0x1c/0x30
>   [c812dda0] [c0000c04] ExternalInput+0x144/0x160
>   --- interrupt: 500 at arch_cpu_idle+0x34/0x60
>   NIP:  c000b684 LR: c000b684 CTR: c0019688
>   REGS: c812ddb0 TRAP: 0500   Tainted: G    B              (5.16.0-rc8)
>   MSR:  00029002 <CE,EE,ME>  CR: 22000488  XER: 20000000
> 
>   GPR00: c10ef7fc c812de90 c80ff200 c2394718 00000001 00000001 c10e3f90 00000003
>   GPR08: 00000000 c0019688 c2394718 fc7d625b 22000484 00000000 21e17000 c208228c
>   GPR16: e3e99284 00000000 ffffffff c2390000 c001bac0 c2082288 c812df60 c001ba60
>   GPR24: c23949c0 00000018 00080000 00000004 c80ff200 00000002 c2348ee4 c2394718
>   NIP [c000b684] arch_cpu_idle+0x34/0x60
>   LR [c000b684] arch_cpu_idle+0x34/0x60
>   --- interrupt: 500
>   [c812de90] [c10e3f90] rcu_eqs_enter.isra.60+0xc0/0x110 (unreliable)
>   [c812deb0] [c10ef7fc] default_idle_call+0xbc/0x230
>   [c812dee0] [c00af0e8] do_idle+0x1c8/0x200
>   [c812df10] [c00af3c0] cpu_startup_entry+0x20/0x30
>   [c812df20] [c001e010] start_secondary+0x5d0/0xba0
>   [c812dff0] [c00028a0] __secondary_start+0x90/0xdc
> 
> This happened because we would overrun the i2c->msgs array on the final
> interrupt for the I2C STOP. This didn't happen if the last message was a
> read because there is no interrupt in that case. Ensure that we only
> access the current message if we are not processing a I2C STOP
> condition.
> 
> Fixes: 1538d82f4647 ("i2c: mpc: Interrupt driven transfer")
> Reported-by: Maxime Bizon <mbizon@freebox.fr>
> Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>

Applied to for-current, thanks!


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

     prev parent reply	other threads:[~2022-01-06 13:45 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-05  1:53 [PATCH] i2c: mpc: Avoid out of bounds memory access Chris Packham
2022-01-06 13:44 ` Wolfram Sang [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YdbyWBujbFNde6K6@ninjato \
    --to=wsa@kernel.org \
    --cc=chris.packham@alliedtelesis.co.nz \
    --cc=linux-i2c@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mbizon@freebox.fr \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).