From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Russell King <rmk+kernel@armlinux.org.uk>,
Santosh Shilimkar <ssantosh@kernel.org>,
Olof Johansson <olof@lixom.net>,
Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 3.18 30/85] ARM: keystone: fix platform_domain_notifier array overrun
Date: Sun, 1 Jul 2018 18:01:48 +0200
Message-ID: <20180701153123.563915696@linuxfoundation.org>
In-Reply-To: <20180701153122.365061142@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Russell King <rmk+kernel@armlinux.org.uk>
[ Upstream commit 9954b80b8c0e8abc98e17bba0fccd9876211ceaa ]
platform_domain_notifier contains a variable sized array, which the
pm_clk_notify() notifier treats as a NULL terminated array:
	for (con_id = clknb->con_ids; *con_id; con_id++)
		pm_clk_add(dev, *con_id);
Omitting the initialiser for con_ids means that the array is zero
sized, and there is no NULL terminator. This leads to pm_clk_notify()
overrunning into whatever structure follows, which may not be NULL.
This leads to an oops:
Unable to handle kernel NULL pointer dereference at virtual address 0000008c
pgd = c0003000
[0000008c] *pgd=80000800004003c, *pmd=00000000c
Internal error: Oops: 206 [#1] PREEMPT SMP ARM
Modules linked in:c
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.16.0+ #9
Hardware name: Keystone
PC is at strlen+0x0/0x34
LR is at kstrdup+0x18/0x54
pc : [<c0623340>] lr : [<c0111d6c>] psr: 20000013
sp : eec73dc0 ip : eed780c0 fp : 00000001
r10: 00000000 r9 : 00000000 r8 : eed71e10
r7 : 0000008c r6 : 0000008c r5 : 014000c0 r4 : c03a6ff4
r3 : c09445d0 r2 : 00000000 r1 : 014000c0 r0 : 0000008c
Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
Control: 30c5387d Table: 00003000 DAC: fffffffd
Process swapper/0 (pid: 1, stack limit = 0xeec72210)
Stack: (0xeec73dc0 to 0xeec74000)
...
[<c0623340>] (strlen) from [<c0111d6c>] (kstrdup+0x18/0x54)
[<c0111d6c>] (kstrdup) from [<c03a6ff4>] (__pm_clk_add+0x58/0x120)
[<c03a6ff4>] (__pm_clk_add) from [<c03a731c>] (pm_clk_notify+0x64/0xa8)
[<c03a731c>] (pm_clk_notify) from [<c004614c>] (notifier_call_chain+0x44/0x84)
[<c004614c>] (notifier_call_chain) from [<c0046320>] (__blocking_notifier_call_chain+0x48/0x60)
[<c0046320>] (__blocking_notifier_call_chain) from [<c0046350>] (blocking_notifier_call_chain+0x18/0x20)
[<c0046350>] (blocking_notifier_call_chain) from [<c0390234>] (device_add+0x36c/0x534)
[<c0390234>] (device_add) from [<c047fc00>] (of_platform_device_create_pdata+0x70/0xa4)
[<c047fc00>] (of_platform_device_create_pdata) from [<c047fea0>] (of_platform_bus_create+0xf0/0x1ec)
[<c047fea0>] (of_platform_bus_create) from [<c047fff8>] (of_platform_populate+0x5c/0xac)
[<c047fff8>] (of_platform_populate) from [<c08b1f04>] (of_platform_default_populate_init+0x8c/0xa8)
[<c08b1f04>] (of_platform_default_populate_init) from [<c000a78c>] (do_one_initcall+0x3c/0x164)
[<c000a78c>] (do_one_initcall) from [<c087bd9c>] (kernel_init_freeable+0x10c/0x1d0)
[<c087bd9c>] (kernel_init_freeable) from [<c0628db0>] (kernel_init+0x8/0xf0)
[<c0628db0>] (kernel_init) from [<c00090d8>] (ret_from_fork+0x14/0x3c)
Exception stack(0xeec73fb0 to 0xeec73ff8)
3fa0: 00000000 00000000 00000000 00000000
3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
Code: e3520000 1afffff7 e12fff1e c0801730 (e5d02000)
---[ end trace cafa8f148e262e80 ]---
Fix this by adding the necessary initialiser.
Fixes: fc20ffe1213b ("ARM: keystone: add PM domain support for clock management")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Acked-by: Santosh Shilimkar <ssantosh@kernel.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/mach-keystone/pm_domain.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm/mach-keystone/pm_domain.c
+++ b/arch/arm/mach-keystone/pm_domain.c
@@ -59,6 +59,7 @@ static struct dev_pm_domain keystone_pm_
static struct pm_clk_notifier_block platform_domain_notifier = {
.pm_domain = &keystone_pm_domain,
+ .con_ids = { NULL },
};
static struct of_device_id of_keystone_table[] = {
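Review bot: the added `.con_ids = { NULL },` line in platform_domain_notifier carries no comment, and on its own it reads like a redundant empty initialiser that a later cleanup could drop. Since the commit message establishes that pm_clk_notify() walks con_ids until it finds a NULL entry, a one-line comment above the initialiser saying that it is the required terminator for that loop would keep the invariant visible at the definition. The fix is also local to this one object: any other pm_clk_notifier_block defined without a con_ids initialiser would have the same zero-sized array and the same overrun, so it is worth checking the remaining definitions in the tree when backporting.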