From: Nathan Chancellor <nathan@kernel.org>
To: Anders Roxell <anders.roxell@linaro.org>
Cc: peter.ujfalusi@gmail.com, vkoul@kernel.org,
dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org,
llvm@lists.linux.dev, dan.carpenter@linaro.org, arnd@arndb.de,
benjamin.copeland@linaro.org
Subject: Re: [PATCH] dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
Date: Fri, 29 Aug 2025 16:21:32 -0700
Message-ID: <20250829232132.GA1983886@ax162>
In-Reply-To: <20250829131346.3697633-1-anders.roxell@linaro.org>

Hi Anders,

On Fri, Aug 29, 2025 at 03:13:46PM +0200, Anders Roxell wrote:
> Fix a critical memory allocation bug in edma_setup_from_hw() where
> queue_priority_map was allocated with insufficient memory. The code
> declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8), but
> allocated memory using sizeof(s8) instead of sizeof(s8[2]).
>
> This caused out-of-bounds memory writes when accessing:
> queue_priority_map[i][0] = i;
> queue_priority_map[i][1] = i;
>
> The bug manifested as kernel crashes with "Oops - undefined instruction"
> on ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the
> memory corruption triggered kernel hardening features on Clang.
>
> Change the allocation from:
> devm_kcalloc(dev, ecc->num_tc + 1, sizeof(s8), GFP_KERNEL)
> to this:
> devm_kcalloc(dev, ecc->num_tc + 1, sizeof(s8[2]), GFP_KERNEL)
>
> This ensures proper allocation of (ecc->num_tc + 1) * 2 bytes to match
> the expected 2D array structure.
>
> Fixes: 2b6b3b742019 ("ARM/dmaengine: edma: Merge the two drivers under drivers/dma/")
> Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
> ---
> drivers/dma/ti/edma.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/dma/ti/edma.c b/drivers/dma/ti/edma.c
> index 3ed406f08c44..8f9b65e4bc87 100644
> --- a/drivers/dma/ti/edma.c
> +++ b/drivers/dma/ti/edma.c
> @@ -2064,7 +2064,7 @@ static int edma_setup_from_hw(struct device *dev, struct edma_soc_info *pdata,
> * priority. So Q0 is the highest priority queue and the last queue has
> * the lowest priority.
> */
> - queue_priority_map = devm_kcalloc(dev, ecc->num_tc + 1, sizeof(s8),
> + queue_priority_map = devm_kcalloc(dev, ecc->num_tc + 1, sizeof(s8[2]),

Would

  sizeof(*queue_priority_map)

work instead? That tends to be preferred within the kernel so that the
type information is not open coded twice and it helps avoid bugs exactly
like this one. See other uses of devm_kcalloc() and "14) Allocating
memory" in Documentation/process/coding-style.rst.

> GFP_KERNEL);
> if (!queue_priority_map)
> return -ENOMEM;
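
Review bot: the element size on the `+` line, `sizeof(s8[2])`, repeats the type of queue_priority_map by hand, and the declaration is not part of this hunk, so nothing here keeps the two in step if the inner array width ever changes. Writing the size as `sizeof(*queue_priority_map)` lets devm_kcalloc() allocate ecc->num_tc + 1 elements of whatever the pointer actually points to, which rules out the kind of mismatch the removed `sizeof(s8)` line had. The "Change the allocation from ... to this" lines in the commit message would need the same update so the description matches the code.
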
> --
> 2.50.1
>

Thread overview: 5+ messages
2025-08-29 13:13 [PATCH] dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Anders Roxell
2025-08-29 23:21 ` Nathan Chancellor [this message]
2025-08-30 9:48 ` Anders Roxell
2025-08-30 9:49 ` [PATCHv2] " Anders Roxell
2025-09-02 9:35 ` Vinod Koul