linux-omap.vger.kernel.org archive mirror
* [PATCH v2] regulator: tps65219: Fix devm_kmalloc size allocation
@ 2025-06-20 15:45 Shree Ramamoorthy
  2025-06-27 19:31 ` Nishanth Menon
  2025-06-30 11:40 ` Mark Brown
  0 siblings, 2 replies; 4+ messages in thread
From: Shree Ramamoorthy @ 2025-06-20 15:45 UTC (permalink / raw)
  To: aaro.koskinen, andreas, khilman, rogerq, tony, lee, d-gole,
	robertcnelson, jkridner, linux-omap, linux-kernel
  Cc: m-leonard, praneeth, afd

In probe(), two arrays of structs are allocated with the devm_kmalloc()
function, but the memory size of the allocations was given as the arrays'
length (pmic->common_irq_size for the first call and pmic->dev_irq_size for
the second devm_kmalloc call). The memory size should have been the total
memory needed.

This led to a heap overflow when the struct array was used. The issue was
first discovered with the PocketBeagle2 and BeaglePlay. The common and
device-specific structs are now allocated one at a time within the loop.

Fixes: 38c9f98db20a ("regulator: tps65219: Add support for TPS65215 Regulator IRQs")
Reported-by: Dhruva Gole <d-gole@ti.com>
Closes: https://lore.kernel.org/all/20250619153526.297398-1-d-gole@ti.com/
Tested-by: Robert Nelson <robertcnelson@gmail.com>
Acked-by: Andrew Davis <afd@ti.com>
Signed-off-by: Shree Ramamoorthy <s-ramamoorthy@ti.com>
---
v2: Update commit message explanation & tags.
---
 drivers/regulator/tps65219-regulator.c | 28 +++++++++++++-------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/drivers/regulator/tps65219-regulator.c b/drivers/regulator/tps65219-regulator.c
index b16b300d7f45..5e67fdc88f49 100644
--- a/drivers/regulator/tps65219-regulator.c
+++ b/drivers/regulator/tps65219-regulator.c
@@ -436,46 +436,46 @@ static int tps65219_regulator_probe(struct platform_device *pdev)
 					     pmic->rdesc[i].name);
 	}
 
-	irq_data = devm_kmalloc(tps->dev, pmic->common_irq_size, GFP_KERNEL);
-	if (!irq_data)
-		return -ENOMEM;
-
 	for (i = 0; i < pmic->common_irq_size; ++i) {
 		irq_type = &pmic->common_irq_types[i];
 		irq = platform_get_irq_byname(pdev, irq_type->irq_name);
 		if (irq < 0)
 			return -EINVAL;
 
-		irq_data[i].dev = tps->dev;
-		irq_data[i].type = irq_type;
+		irq_data = devm_kmalloc(tps->dev, sizeof(*irq_data), GFP_KERNEL);
+		if (!irq_data)
+			return -ENOMEM;
+
+		irq_data->dev = tps->dev;
+		irq_data->type = irq_type;
 		error = devm_request_threaded_irq(tps->dev, irq, NULL,
 						  tps65219_regulator_irq_handler,
 						  IRQF_ONESHOT,
 						  irq_type->irq_name,
-						  &irq_data[i]);
+						  irq_data);
 		if (error)
 			return dev_err_probe(tps->dev, PTR_ERR(rdev),
 					     "Failed to request %s IRQ %d: %d\n",
 					     irq_type->irq_name, irq, error);
 	}
 
-	irq_data = devm_kmalloc(tps->dev, pmic->dev_irq_size, GFP_KERNEL);
-	if (!irq_data)
-		return -ENOMEM;
-
 	for (i = 0; i < pmic->dev_irq_size; ++i) {
 		irq_type = &pmic->irq_types[i];
 		irq = platform_get_irq_byname(pdev, irq_type->irq_name);
 		if (irq < 0)
 			return -EINVAL;
 
-		irq_data[i].dev = tps->dev;
-		irq_data[i].type = irq_type;
+		irq_data = devm_kmalloc(tps->dev, sizeof(*irq_data), GFP_KERNEL);
+		if (!irq_data)
+			return -ENOMEM;
+
+		irq_data->dev = tps->dev;
+		irq_data->type = irq_type;
 		error = devm_request_threaded_irq(tps->dev, irq, NULL,
 						  tps65219_regulator_irq_handler,
 						  IRQF_ONESHOT,
 						  irq_type->irq_name,
-						  &irq_data[i]);
+						  irq_data);
 		if (error)
 			return dev_err_probe(tps->dev, PTR_ERR(rdev),
 					     "Failed to request %s IRQ %d: %d\n",

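Review bot: The per-iteration devm_kmalloc(tps->dev, sizeof(*irq_data), GFP_KERNEL) in both loops returns uninitialised memory, and only ->dev and ->type are assigned before the pointer is handed to devm_request_threaded_irq(). If the struct has any other member that the handler reads, devm_kzalloc() is the safer call here. Alternatively, keep one allocation per loop with devm_kcalloc(tps->dev, pmic->common_irq_size, sizeof(*irq_data), GFP_KERNEL) (and the same with pmic->dev_irq_size), which zeroes the array, checks the count-times-size multiplication for overflow and avoids one devres entry per IRQ.
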
base-commit: 75f5f23f8787c5e184fcb2fbcd02d8e9317dc5e7
-- 
2.43.0
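
The size mix-up described in the commit message, modeled in user space as an added example (not code from the patch or the driver). `struct irq_data_model`, the helper names and the element count of 7 are assumptions made for illustration; the helpers mirror the overflow-checked, zero-filled array allocation that kcalloc-style APIs provide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the driver's per-IRQ struct; the diff shows a dev and a type member. */
struct irq_data_model {
	void *dev;
	const void *type;
};

/* Bytes needed for n elements, or 0 if n * elem_size would overflow size_t. */
static size_t array_bytes(size_t n, size_t elem_size)
{
	if (elem_size != 0 && n > SIZE_MAX / elem_size)
		return 0;
	return n * elem_size;
}

/* Bytes a loop writing n elements runs past a buffer of `allocated` bytes. */
static size_t overflow_bytes(size_t allocated, size_t n, size_t elem_size)
{
	size_t needed = array_bytes(n, elem_size);

	return needed > allocated ? needed - allocated : 0;
}

/* Array allocation that refuses on multiplication overflow and zero-fills. */
static void *alloc_array(size_t n, size_t elem_size)
{
	size_t bytes = array_bytes(n, elem_size);

	return bytes ? calloc(1, bytes) : NULL;
}

int main(void)
{
	size_t n = 7; /* constructed count, not taken from the driver */
	size_t sz = sizeof(struct irq_data_model);

	/* Buggy call shape: the element count is passed as the byte size. */
	printf("size = count: %zu bytes written out of bounds\n",
	       overflow_bytes(n, n, sz));
	/* Correct call shape: count * sizeof(element). */
	printf("size = count * sizeof: %zu bytes out of bounds\n",
	       overflow_bytes(array_bytes(n, sz), n, sz));
	return 0;
}
```
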



* Re: [PATCH v2] regulator: tps65219: Fix devm_kmalloc size allocation
  2025-06-20 15:45 [PATCH v2] regulator: tps65219: Fix devm_kmalloc size allocation Shree Ramamoorthy
@ 2025-06-27 19:31 ` Nishanth Menon
  2025-06-27 19:45   ` Shree Ramamoorthy
  2025-06-30 11:40 ` Mark Brown
  1 sibling, 1 reply; 4+ messages in thread
From: Nishanth Menon @ 2025-06-27 19:31 UTC (permalink / raw)
  To: Shree Ramamoorthy
  Cc: aaro.koskinen, andreas, khilman, rogerq, tony, lee, d-gole,
	robertcnelson, jkridner, linux-omap, linux-kernel, m-leonard,
	praneeth, afd

On 10:45-20250620, Shree Ramamoorthy wrote:
> In probe(), two arrays of structs are allocated with the devm_kmalloc()
> function, but the memory size of the allocations was given as the arrays'
> length (pmic->common_irq_size for the first call and pmic->dev_irq_size for
> the second devm_kmalloc call). The memory size should have been the total
> memory needed.
> 
> This led to a heap overflow when the struct array was used. The issue was
> first discovered with the PocketBeagle2 and BeaglePlay. The common and
> device-specific structs are now allocated one at a time within the loop.
> 
> Fixes: 38c9f98db20a ("regulator: tps65219: Add support for TPS65215 Regulator IRQs")
> Reported-by: Dhruva Gole <d-gole@ti.com>
> Closes: https://lore.kernel.org/all/20250619153526.297398-1-d-gole@ti.com/
> Tested-by: Robert Nelson <robertcnelson@gmail.com>
> Acked-by: Andrew Davis <afd@ti.com>
> Signed-off-by: Shree Ramamoorthy <s-ramamoorthy@ti.com>
> ---
> v2: Update commit message explanation & tags.
> ---

Kasan also reports the same on latest next :(
https://gist.github.com/nmenon/a0a020e8417c198d2f366fa00b900e12

Could this be routed to master please?

Reviewed-by: Nishanth Menon <nm@ti.com>

>  drivers/regulator/tps65219-regulator.c | 28 +++++++++++++-------------
>  1 file changed, 14 insertions(+), 14 deletions(-)
> 
> diff --git a/drivers/regulator/tps65219-regulator.c b/drivers/regulator/tps65219-regulator.c
> index b16b300d7f45..5e67fdc88f49 100644
> --- a/drivers/regulator/tps65219-regulator.c
> +++ b/drivers/regulator/tps65219-regulator.c
> @@ -436,46 +436,46 @@ static int tps65219_regulator_probe(struct platform_device *pdev)
>  					     pmic->rdesc[i].name);
>  	}
>  
> -	irq_data = devm_kmalloc(tps->dev, pmic->common_irq_size, GFP_KERNEL);
> -	if (!irq_data)
> -		return -ENOMEM;
> -
>  	for (i = 0; i < pmic->common_irq_size; ++i) {
>  		irq_type = &pmic->common_irq_types[i];
>  		irq = platform_get_irq_byname(pdev, irq_type->irq_name);
>  		if (irq < 0)
>  			return -EINVAL;
>  
> -		irq_data[i].dev = tps->dev;
> -		irq_data[i].type = irq_type;
> +		irq_data = devm_kmalloc(tps->dev, sizeof(*irq_data), GFP_KERNEL);
> +		if (!irq_data)
> +			return -ENOMEM;
> +
> +		irq_data->dev = tps->dev;
> +		irq_data->type = irq_type;
>  		error = devm_request_threaded_irq(tps->dev, irq, NULL,
>  						  tps65219_regulator_irq_handler,
>  						  IRQF_ONESHOT,
>  						  irq_type->irq_name,
> -						  &irq_data[i]);
> +						  irq_data);
>  		if (error)
>  			return dev_err_probe(tps->dev, PTR_ERR(rdev),
>  					     "Failed to request %s IRQ %d: %d\n",
>  					     irq_type->irq_name, irq, error);
>  	}
>  
> -	irq_data = devm_kmalloc(tps->dev, pmic->dev_irq_size, GFP_KERNEL);
> -	if (!irq_data)
> -		return -ENOMEM;
> -
>  	for (i = 0; i < pmic->dev_irq_size; ++i) {
>  		irq_type = &pmic->irq_types[i];
>  		irq = platform_get_irq_byname(pdev, irq_type->irq_name);
>  		if (irq < 0)
>  			return -EINVAL;
>  
> -		irq_data[i].dev = tps->dev;
> -		irq_data[i].type = irq_type;
> +		irq_data = devm_kmalloc(tps->dev, sizeof(*irq_data), GFP_KERNEL);
> +		if (!irq_data)
> +			return -ENOMEM;
> +
> +		irq_data->dev = tps->dev;
> +		irq_data->type = irq_type;
>  		error = devm_request_threaded_irq(tps->dev, irq, NULL,
>  						  tps65219_regulator_irq_handler,
>  						  IRQF_ONESHOT,
>  						  irq_type->irq_name,
> -						  &irq_data[i]);
> +						  irq_data);
>  		if (error)
>  			return dev_err_probe(tps->dev, PTR_ERR(rdev),
>  					     "Failed to request %s IRQ %d: %d\n",
> 
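
Review bot: In the dev_err_probe() calls that follow devm_request_threaded_irq() in both loops, the error argument is PTR_ERR(rdev) rather than error, so the value probe returns is unrelated to the IRQ request that failed. A follow-up should pass error there, as in dev_err_probe(tps->dev, error, ...), and can then drop the trailing %d/error pair from the format string, since dev_err_probe() already prints the code.
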
> base-commit: 75f5f23f8787c5e184fcb2fbcd02d8e9317dc5e7
> -- 
> 2.43.0
> 
> 

-- 
Regards,
Nishanth Menon
Key (0xDDB5849D1736249D) / Fingerprint: F8A2 8693 54EB 8232 17A3  1A34 DDB5 849D 1736 249D


* Re: [PATCH v2] regulator: tps65219: Fix devm_kmalloc size allocation
  2025-06-27 19:31 ` Nishanth Menon
@ 2025-06-27 19:45   ` Shree Ramamoorthy
  0 siblings, 0 replies; 4+ messages in thread
From: Shree Ramamoorthy @ 2025-06-27 19:45 UTC (permalink / raw)
  To: Nishanth Menon
  Cc: aaro.koskinen, andreas, khilman, rogerq, tony, lee, d-gole,
	robertcnelson, jkridner, linux-omap, linux-kernel, m-leonard,
	praneeth, afd, broonie

+Mark. Sorry, missed cc'ing you on this series!

On 6/27/2025 2:31 PM, Nishanth Menon wrote:
> On 10:45-20250620, Shree Ramamoorthy wrote:
>> In probe(), two arrays of structs are allocated with the devm_kmalloc()
>> function, but the memory size of the allocations was given as the arrays'
>> length (pmic->common_irq_size for the first call and pmic->dev_irq_size for
>> the second devm_kmalloc call). The memory size should have been the total
>> memory needed.
>>
>> This led to a heap overflow when the struct array was used. The issue was
>> first discovered with the PocketBeagle2 and BeaglePlay. The common and
>> device-specific structs are now allocated one at a time within the loop.
>>
>> Fixes: 38c9f98db20a ("regulator: tps65219: Add support for TPS65215 Regulator IRQs")
>> Reported-by: Dhruva Gole <d-gole@ti.com>
>> Closes: https://lore.kernel.org/all/20250619153526.297398-1-d-gole@ti.com/
>> Tested-by: Robert Nelson <robertcnelson@gmail.com>
>> Acked-by: Andrew Davis <afd@ti.com>
>> Signed-off-by: Shree Ramamoorthy <s-ramamoorthy@ti.com>
>> ---
>> v2: Update commit message explanation & tags.
>> ---
> Kasan also reports the same on latest next :(
> https://gist.github.com/nmenon/a0a020e8417c198d2f366fa00b900e12
>
> Could this be routed to master please?
>
> Reviewed-by: Nishanth Menon <nm@ti.com>
>
>>  drivers/regulator/tps65219-regulator.c | 28 +++++++++++++-------------
>>  1 file changed, 14 insertions(+), 14 deletions(-)
>>
>> diff --git a/drivers/regulator/tps65219-regulator.c b/drivers/regulator/tps65219-regulator.c
>> index b16b300d7f45..5e67fdc88f49 100644
>> --- a/drivers/regulator/tps65219-regulator.c
>> +++ b/drivers/regulator/tps65219-regulator.c
>> @@ -436,46 +436,46 @@ static int tps65219_regulator_probe(struct platform_device *pdev)
>>  					     pmic->rdesc[i].name);
>>  	}
>>  
>> -	irq_data = devm_kmalloc(tps->dev, pmic->common_irq_size, GFP_KERNEL);
>> -	if (!irq_data)
>> -		return -ENOMEM;
>> -
>>  	for (i = 0; i < pmic->common_irq_size; ++i) {
>>  		irq_type = &pmic->common_irq_types[i];
>>  		irq = platform_get_irq_byname(pdev, irq_type->irq_name);
>>  		if (irq < 0)
>>  			return -EINVAL;
>>  
>> -		irq_data[i].dev = tps->dev;
>> -		irq_data[i].type = irq_type;
>> +		irq_data = devm_kmalloc(tps->dev, sizeof(*irq_data), GFP_KERNEL);
>> +		if (!irq_data)
>> +			return -ENOMEM;
>> +
>> +		irq_data->dev = tps->dev;
>> +		irq_data->type = irq_type;
>>  		error = devm_request_threaded_irq(tps->dev, irq, NULL,
>>  						  tps65219_regulator_irq_handler,
>>  						  IRQF_ONESHOT,
>>  						  irq_type->irq_name,
>> -						  &irq_data[i]);
>> +						  irq_data);
>>  		if (error)
>>  			return dev_err_probe(tps->dev, PTR_ERR(rdev),
>>  					     "Failed to request %s IRQ %d: %d\n",
>>  					     irq_type->irq_name, irq, error);
>>  	}
>>  
>> -	irq_data = devm_kmalloc(tps->dev, pmic->dev_irq_size, GFP_KERNEL);
>> -	if (!irq_data)
>> -		return -ENOMEM;
>> -
>>  	for (i = 0; i < pmic->dev_irq_size; ++i) {
>>  		irq_type = &pmic->irq_types[i];
>>  		irq = platform_get_irq_byname(pdev, irq_type->irq_name);
>>  		if (irq < 0)
>>  			return -EINVAL;
>>  
>> -		irq_data[i].dev = tps->dev;
>> -		irq_data[i].type = irq_type;
>> +		irq_data = devm_kmalloc(tps->dev, sizeof(*irq_data), GFP_KERNEL);
>> +		if (!irq_data)
>> +			return -ENOMEM;
>> +
>> +		irq_data->dev = tps->dev;
>> +		irq_data->type = irq_type;
>>  		error = devm_request_threaded_irq(tps->dev, irq, NULL,
>>  						  tps65219_regulator_irq_handler,
>>  						  IRQF_ONESHOT,
>>  						  irq_type->irq_name,
>> -						  &irq_data[i]);
>> +						  irq_data);
>>  		if (error)
>>  			return dev_err_probe(tps->dev, PTR_ERR(rdev),
>>  					     "Failed to request %s IRQ %d: %d\n",
>>
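
Review bot: Both loops still turn any negative return from platform_get_irq_byname() into -EINVAL (the "if (irq < 0) return -EINVAL;" context lines), which hides the real errno, including -EPROBE_DEFER. Returning irq instead would preserve it for the caller.
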
>> base-commit: 75f5f23f8787c5e184fcb2fbcd02d8e9317dc5e7
>> -- 
>> 2.43.0
>>
>>


* Re: [PATCH v2] regulator: tps65219: Fix devm_kmalloc size allocation
  2025-06-20 15:45 [PATCH v2] regulator: tps65219: Fix devm_kmalloc size allocation Shree Ramamoorthy
  2025-06-27 19:31 ` Nishanth Menon
@ 2025-06-30 11:40 ` Mark Brown
  1 sibling, 0 replies; 4+ messages in thread
From: Mark Brown @ 2025-06-30 11:40 UTC (permalink / raw)
  To: aaro.koskinen, andreas, khilman, rogerq, tony, lee, d-gole,
	robertcnelson, jkridner, linux-omap, linux-kernel,
	Shree Ramamoorthy
  Cc: m-leonard, praneeth, afd

On Fri, 20 Jun 2025 10:45:41 -0500, Shree Ramamoorthy wrote:
> In probe(), two arrays of structs are allocated with the devm_kmalloc()
> function, but the memory size of the allocations was given as the arrays'
> length (pmic->common_irq_size for the first call and pmic->dev_irq_size for
> the second devm_kmalloc call). The memory size should have been the total
> memory needed.
> 
> This led to a heap overflow when the struct array was used. The issue was
> first discovered with the PocketBeagle2 and BeaglePlay. The common and
> device-specific structs are now allocated one at a time within the loop.
> 
> [...]

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator.git for-next

Thanks!

[1/1] regulator: tps65219: Fix devm_kmalloc size allocation
      commit: eeca209124bb694650026216d3e59cae02d91686

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

