From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jerome Blin <jerome.blin@intel.com>,
Mika Westerberg <mika.westerberg@linux.intel.com>,
Mark Brown <broonie@linaro.org>
Subject: [ 95/95] spi/pxa2xx: fix memory corruption due to wrong size used in devm_kzalloc()
Date: Tue, 25 Jun 2013 11:33:22 -0700
Message-ID: <20130625182204.390799090@linuxfoundation.org>
In-Reply-To: <20130625182153.605455184@linuxfoundation.org>
3.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mika Westerberg <mika.westerberg@linux.intel.com>
commit cc0ee9873c6afafb387379ca1df25da78a08c603 upstream.
ACPI part of the driver accidentally used sizeof(*ssp) instead of the
correct sizeof(*pdata). This leads to nasty memory corruptions like the one
below:
BUG: unable to handle kernel paging request at 0000000749fd30b8
IP: [<ffffffff813fe8a1>] __list_del_entry+0x31/0xd0
PGD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 30 Comm: kworker/0:1 Not tainted 3.10.0-rc6v3.10-rc6_sdhci_modprobe+ #443
task: ffff8801483a0940 ti: ffff88014839e000 task.ti: ffff88014839e000
RIP: 0010:[<ffffffff813fe8a1>] [<ffffffff813fe8a1>] __list_del_entry+0x31/0xd0
RSP: 0000:ffff88014839fde8 EFLAGS: 00010046
RAX: ffff880149fd30b0 RBX: ffff880149fd3040 RCX: dead000000200200
RDX: 0000000749fd30b0 RSI: ffff880149fd3058 RDI: ffff88014834d640
RBP: ffff88014839fde8 R08: ffff88014834d640 R09: 0000000000000001
R10: ffff8801483a0940 R11: 0000000000000001 R12: ffff880149fd3040
R13: ffffffff810e0b30 R14: ffff8801483a0940 R15: ffff88014834d640
FS: 0000000000000000(0000) GS:ffff880149e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000168 CR3: 0000000001e0b000 CR4: 00000000001407f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Stack:
ffff88014839fe48 ffffffff810e0baf ffffffff81120abd ffff88014839fe20
ffff8801483a0940 ffff8801483a0940 ffff8801483a0940 ffff8801486b1c90
ffff88014834d640 ffffffff810e0b30 0000000000000000 0000000000000000
Call Trace:
[<ffffffff810e0baf>] worker_thread+0x7f/0x390
[<ffffffff81120abd>] ? trace_hardirqs_on+0xd/0x10
[<ffffffff810e0b30>] ? manage_workers.isra.22+0x2b0/0x2b0
[<ffffffff810e6c09>] kthread+0xd9/0xe0
[<ffffffff810f93df>] ? local_clock+0x3f/0x50
[<ffffffff810e6b30>] ? kthread_create_on_node+0x110/0x110
[<ffffffff818c5dec>] ret_from_fork+0x7c/0xb0
[<ffffffff810e6b30>] ? kthread_create_on_node+0x110/0x110
Fix this by using the right structure size in devm_kzalloc().
Reported-by: Jerome Blin <jerome.blin@intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-pxa2xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/spi/spi-pxa2xx.c
+++ b/drivers/spi/spi-pxa2xx.c
@@ -1069,7 +1069,7 @@ pxa2xx_spi_acpi_get_pdata(struct platfor
acpi_bus_get_device(ACPI_HANDLE(&pdev->dev), &adev))
return NULL;
- pdata = devm_kzalloc(&pdev->dev, sizeof(*ssp), GFP_KERNEL);
+ pdata = devm_kzalloc(&pdev->dev, sizeof(*pdata), GFP_KERNEL);
if (!pdata) {
dev_err(&pdev->dev,
"failed to allocate memory for platform data\n");