The Linux Kernel Mailing List
* [PATCH] clk: mstar: msc313-mpll: fix one-element shadow array overrun
@ 2026-05-09 10:42 Stepan Ionichev
From: Stepan Ionichev @ 2026-05-09 10:42 UTC (permalink / raw)
  To: daniel
  Cc: romain.perier, mturquette, sboyd, linux-arm-kernel, linux-clk,
	linux-kernel, Stepan Ionichev

msc313_mpll_probe() defines

	#define NUMOUTPUTS (ARRAY_SIZE(output_dividers) + 1)

and uses NUMOUTPUTS for the clock provider's clk_hw count
(clk_data->num = NUMOUTPUTS) and writes that many entries:

	mpll->clk_data->hws[0]    = &mpll->clk_hw;        /* parent */
	for (i = 0; i < ARRAY_SIZE(output_dividers); i++) /* dividers */
		mpll->clk_data->hws[i + 1] = divhw;

So the function legitimately needs NUMOUTPUTS slots in the
flexible 'hws' array.  However, the array is allocated for only
ARRAY_SIZE(output_dividers) (== NUMOUTPUTS - 1) slots:

	mpll->clk_data = devm_kzalloc(dev, struct_size(mpll->clk_data, hws,
			ARRAY_SIZE(output_dividers)), GFP_KERNEL);

The last loop iteration therefore writes one element past the
allocation, and clk_data->num advertises a slot that does not
exist to of_clk_hw_onecell_get().

smatch flags the underflow:

  drivers/clk/mstar/clk-msc313-mpll.c:134 msc313_mpll_probe()
  error: buffer overflow 'mpll->clk_data->hws' 7 <= 7

Use NUMOUTPUTS in struct_size() so the allocation matches the
declared count and the loop's last write.

Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
---
 drivers/clk/mstar/clk-msc313-mpll.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/clk/mstar/clk-msc313-mpll.c b/drivers/clk/mstar/clk-msc313-mpll.c
index 61beb4e87..71bedb7e9 100644
--- a/drivers/clk/mstar/clk-msc313-mpll.c
+++ b/drivers/clk/mstar/clk-msc313-mpll.c
@@ -105,7 +105,7 @@ static int msc313_mpll_probe(struct platform_device *pdev)
 		return PTR_ERR(mpll->loop_div_second);
 
 	mpll->clk_data = devm_kzalloc(dev, struct_size(mpll->clk_data, hws,
-			ARRAY_SIZE(output_dividers)), GFP_KERNEL);
+			NUMOUTPUTS), GFP_KERNEL);
 	if (!mpll->clk_data)
 		return -ENOMEM;
 
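Review bot: the count passed to struct_size() now equals the advertised clk_data->num (NUMOUTPUTS) and covers the loop's last write to hws[ARRAY_SIZE(output_dividers)], so the one-line change is correct; to keep the allocation and the count from drifting apart again, consider sizing the allocation from the same expression that sets clk_data->num, or adding a comment at the NUMOUTPUTS define noting that it counts the undivided parent in hws[0] on top of the divider outputs. One wording point for the commit message: it calls the smatch finding an "underflow", while the quoted smatch line reports "buffer overflow" (index 7 into a 7-slot array); the two should agree.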
-- 
2.43.0
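An added example, not code from the driver or the patch author, that models the allocation-versus-count invariant the commit message describes in plain userspace C: the struct, the seven-entry divider table, ARRAY_SIZE and NUMOUTPUTS are constructed stand-ins, and the fill loop refuses, rather than performs, the write that would fall outside the allocation, so the buggy slot count and the fixed one can be compared side by side.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for clk_hw_onecell_data: advertised count + flexible array. */
struct onecell_data {
	unsigned int num;
	void *hws[];
};

/* Seven constructed divider values; only the table's length matters (smatch reports 7 slots). */
static const unsigned int output_dividers[] = { 2, 3, 4, 5, 6, 7, 10 };
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define NUMOUTPUTS (ARRAY_SIZE(output_dividers) + 1) /* parent + one per divider */

/* Same arithmetic as the kernel's struct_size(): header plus n array slots. */
static size_t onecell_size(size_t n)
{
	return offsetof(struct onecell_data, hws) + n * sizeof(void *);
}

/* Populate hws[] exactly as msc313_mpll_probe() does, but refuse any write whose
 * index is not covered by alloc_slots. Returns NUMOUTPUTS, or -1 at the first such write. */
static int fill_outputs(struct onecell_data *d, size_t alloc_slots)
{
	static int parent_hw, div_hw[ARRAY_SIZE(output_dividers)];
	size_t i;
	d->num = NUMOUTPUTS;            /* the count of_clk_hw_onecell_get() trusts */
	if (alloc_slots < 1)
		return -1;
	d->hws[0] = &parent_hw;         /* undivided PLL output */
	for (i = 0; i < ARRAY_SIZE(output_dividers); i++) {
		if (i + 1 >= alloc_slots)
			return -1;      /* hws[ARRAY_SIZE(output_dividers)] with the old alloc */
		d->hws[i + 1] = &div_hw[i];
	}
	return (int)NUMOUTPUTS;
}

/* Allocate alloc_slots entries (the old ARRAY_SIZE(output_dividers) or the fixed
 * NUMOUTPUTS) and report whether every probe-time write stayed inside the block. */
static bool probe_fits(size_t alloc_slots)
{
	struct onecell_data *d = calloc(1, onecell_size(alloc_slots));
	int written = d ? fill_outputs(d, alloc_slots) : -1;
	free(d);
	return written == (int)NUMOUTPUTS;
}
```

probe_fits(ARRAY_SIZE(output_dividers)) reproduces the pre-patch sizing and fails on the last divider, while probe_fits(NUMOUTPUTS) matches the patched allocation and succeeds.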



* Re: [PATCH] clk: mstar: msc313-mpll: fix one-element shadow array overrun
@ 2026-05-11  9:06 ` Daniel Palmer
From: Daniel Palmer @ 2026-05-11  9:06 UTC (permalink / raw)
  To: Stepan Ionichev
  Cc: romain.perier, mturquette, sboyd, linux-arm-kernel, linux-clk,
	linux-kernel

Hi Stepan,

On Sun, 10 May 2026 at 02:58, Stepan Ionichev <sozdayvek@gmail.com> wrote:
>         mpll->clk_data = devm_kzalloc(dev, struct_size(mpll->clk_data, hws,
> -                       ARRAY_SIZE(output_dividers)), GFP_KERNEL);
> +                       NUMOUTPUTS), GFP_KERNEL);
>         if (!mpll->clk_data)
>                 return -ENOMEM;

It's been a long time since I wrote that stuff but what you have found
looks correct. I think initially the driver only exposed the "output
dividers" outputs and then was adjusted to expose the undivided pll
output and that allocation didn't get updated.

Since the report and the change look correct:

Acked-by: Daniel Palmer <daniel@thingy.jp>

Cheers,

Daniel

