From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>
Cc: Geert Uytterhoeven <geert+renesas@glider.be>,
Linus Walleij <linus.walleij@linaro.org>,
Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL for 4.14 024/100] gpio: 74x164: Fix crash during .remove()
Date: Sun, 28 Jan 2018 22:26:13 +0000
Message-ID: <20180128222547.7398-24-alexander.levin@microsoft.com>
In-Reply-To: <20180128222547.7398-1-alexander.levin@microsoft.com>
From: Geert Uytterhoeven <geert+renesas@glider.be>

[ Upstream commit a158531f3c92467df0e93e000d58185acae78a6e ]

Commit 7ebc194d0fd4bb0f ("gpio: 74x164: Introduce 'enable-gpios'
property") added a new member gpiod_oe to the end of the struct
gen_74x164_chip, after the zero-length buffer array.

However, this buffer is a flexible array, allocated together with the
structure during .probe(). As the buffer is no longer the last member,
writing to it corrupts the newly added member after it.

During device removal, the corrupted member will be used as a pointer,
leading to a crash.

This went unnoticed, as the flexible array was declared as "buffer[0]"
instead of "buffer[]", and thus did not trigger a "flexible array member
not at end of struct" error from gcc.

Move the gpiod_oe field up to fix this, and drop the zero from the array
size to prevent future similar bugs.

Fixes: 7ebc194d0fd4bb0f ("gpio: 74x164: Introduce 'enable-gpios' property")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
drivers/gpio/gpio-74x164.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpio/gpio-74x164.c b/drivers/gpio/gpio-74x164.c
index 6b535ec858cc..15a1f4b348c4 100644
--- a/drivers/gpio/gpio-74x164.c
+++ b/drivers/gpio/gpio-74x164.c
@@ -23,6 +23,7 @@
struct gen_74x164_chip {
struct gpio_chip gpio_chip;
struct mutex lock;
+ struct gpio_desc *gpiod_oe;
u32 registers;
/*
* Since the registers are chained, every byte sent will make
@@ -31,8 +32,7 @@ struct gen_74x164_chip {
* register at the end of the transfer. So, to have a logical
* numbering, store the bytes in reverse order.
*/
- u8 buffer[0];
- struct gpio_desc *gpiod_oe;
+ u8 buffer[];
};
static int __gen_74x164_write_config(struct gen_74x164_chip *chip)
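Review bot: the comment kept above buffer in this hunk explains only the reversed byte order and says nothing about buffer being a flexible array that has to stay the last member of struct gen_74x164_chip, which is the constraint the earlier commit broke. With `u8 buffer[];` the compiler now enforces the position, as the commit message says, but I would add one line to that comment stating that the array is allocated together with the structure in .probe() and that new members go above it, so whoever next hits the gcc error knows why.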
--
2.11.0
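The layout problem the commit message describes, reproduced in user space as an added example (not part of the patch or the driver). The two structs are stand-ins with a `long` in place of `gpio_chip` and the mutex, and the allocation size `sizeof(struct) + nregs` is an assumption about how .probe() sizes the object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct chip_before {            /* member order before the fix */
    long     lock;              /* stand-in for gpio_chip + mutex */
    uint32_t registers;
    uint8_t  buffer[0];         /* GNU zero-length array, not last */
    void    *gpiod_oe;
};

struct chip_after {             /* member order after the fix */
    long     lock;
    void    *gpiod_oe;
    uint32_t registers;
    uint8_t  buffer[];          /* C99 flexible array member, last */
};

static int marker;              /* constructed value to store in gpiod_oe */

/* Allocate sizeof + nregs (assumed .probe() sizing), fill nregs buffer
 * bytes with 0xff, return 1 if gpiod_oe still holds its value, else 0. */
int oe_survives_before(size_t nregs)
{
    struct chip_before *c = calloc(1, sizeof(*c) + nregs);
    int ok;
    if (!c) return -1;
    c->gpiod_oe = &marker;
    memset((unsigned char *)c + offsetof(struct chip_before, buffer), 0xff, nregs);
    ok = (c->gpiod_oe == (void *)&marker);
    free(c);
    return ok;
}

int oe_survives_after(size_t nregs)
{
    struct chip_after *c = calloc(1, sizeof(*c) + nregs);
    int ok;
    if (!c) return -1;
    c->gpiod_oe = &marker;
    memset((unsigned char *)c + offsetof(struct chip_after, buffer), 0xff, nregs);
    ok = (c->gpiod_oe == (void *)&marker);
    free(c);
    return ok;
}

int main(void)
{
    printf("before: %d  after: %d\n", oe_survives_before(16), oe_survives_after(16));
    return 0;
}
```

In the old layout the write stays inside the allocation, so nothing faults at write time; the damage only shows when the overwritten pointer is used later, which matches the crash appearing in .remove().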