From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Stephen Boyd <swboyd@chromium.org>,
	Evan Green <evgreen@chromium.org>,
	Thierry Reding <treding@nvidia.com>,
	Grygorii Strashko <grygorii.strashko@ti.com>,
	Linus Walleij <linus.walleij@linaro.org>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.18 19/27] gpio: Assign gpio_irq_chip::parents to non-stack pointer
Date: Mon, 22 Oct 2018 06:19:16 -0400
Message-ID: <20181022101924.40531-19-sashal@kernel.org>
In-Reply-To: <20181022101924.40531-1-sashal@kernel.org>

From: Stephen Boyd <swboyd@chromium.org>

[ Upstream commit 3e779a2e7f909015f21428b66834127496110b6d ]

gpiochip_set_cascaded_irqchip() is passed 'parent_irq' as an argument
and then the address of that argument is assigned to the gpio chip's
gpio_irq_chip 'parents' pointer shortly thereafter. This can't ever
work, because we've just assigned some stack address to a pointer that
we plan to dereference later in gpiochip_irq_map(). I ran into this
issue with the KASAN report below when gpiochip_irq_map() tried to set up
the parent irq with a total junk pointer for the 'parents' array.

BUG: KASAN: stack-out-of-bounds in gpiochip_irq_map+0x228/0x248
Read of size 4 at addr ffffffc0dde472e0 by task swapper/0/1

CPU: 7 PID: 1 Comm: swapper/0 Not tainted 4.14.72 #34
Call trace:
[<ffffff9008093638>] dump_backtrace+0x0/0x718
[<ffffff9008093da4>] show_stack+0x20/0x2c
[<ffffff90096b9224>] __dump_stack+0x20/0x28
[<ffffff90096b91c8>] dump_stack+0x80/0xbc
[<ffffff900845a350>] print_address_description+0x70/0x238
[<ffffff900845a8e4>] kasan_report+0x1cc/0x260
[<ffffff900845aa14>] __asan_report_load4_noabort+0x2c/0x38
[<ffffff900897e098>] gpiochip_irq_map+0x228/0x248
[<ffffff900820cc08>] irq_domain_associate+0x114/0x2ec
[<ffffff900820d13c>] irq_create_mapping+0x120/0x234
[<ffffff900820da78>] irq_create_fwspec_mapping+0x4c8/0x88c
[<ffffff900820e2d8>] irq_create_of_mapping+0x180/0x210
[<ffffff900917114c>] of_irq_get+0x138/0x198
[<ffffff9008dc70ac>] spi_drv_probe+0x94/0x178
[<ffffff9008ca5168>] driver_probe_device+0x51c/0x824
[<ffffff9008ca6538>] __device_attach_driver+0x148/0x20c
[<ffffff9008ca14cc>] bus_for_each_drv+0x120/0x188
[<ffffff9008ca570c>] __device_attach+0x19c/0x2dc
[<ffffff9008ca586c>] device_initial_probe+0x20/0x2c
[<ffffff9008ca18bc>] bus_probe_device+0x80/0x154
[<ffffff9008c9b9b4>] device_add+0x9b8/0xbdc
[<ffffff9008dc7640>] spi_add_device+0x1b8/0x380
[<ffffff9008dcbaf0>] spi_register_controller+0x111c/0x1378
[<ffffff9008dd6b10>] spi_geni_probe+0x4dc/0x6f8
[<ffffff9008cab058>] platform_drv_probe+0xdc/0x130
[<ffffff9008ca5168>] driver_probe_device+0x51c/0x824
[<ffffff9008ca59cc>] __driver_attach+0x100/0x194
[<ffffff9008ca0ea8>] bus_for_each_dev+0x104/0x16c
[<ffffff9008ca58c0>] driver_attach+0x48/0x54
[<ffffff9008ca1edc>] bus_add_driver+0x274/0x498
[<ffffff9008ca8448>] driver_register+0x1ac/0x230
[<ffffff9008caaf6c>] __platform_driver_register+0xcc/0xdc
[<ffffff9009c4b33c>] spi_geni_driver_init+0x1c/0x24
[<ffffff9008084cb8>] do_one_initcall+0x240/0x3dc
[<ffffff9009c017d0>] kernel_init_freeable+0x378/0x468
[<ffffff90096e8240>] kernel_init+0x14/0x110
[<ffffff9008086fcc>] ret_from_fork+0x10/0x18

The buggy address belongs to the page:
page:ffffffbf037791c0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffffbf037791e0 ffffffbf037791e0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffffffc0dde47180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0dde47200: f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2
>ffffffc0dde47280: f2 f2 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3
                                                       ^
 ffffffc0dde47300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0dde47380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Let's leave around one unsigned int in the gpio_irq_chip struct for the
single parent irq case and repoint the 'parents' array at it. This way
the code is left mostly intact to set up parents, and we waste an extra few
bytes per structure, of which there should be only a handful in a system.

Cc: Evan Green <evgreen@chromium.org>
Cc: Thierry Reding <treding@nvidia.com>
Cc: Grygorii Strashko <grygorii.strashko@ti.com>
Fixes: e0d897289813 ("gpio: Implement tighter IRQ chip integration")
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpiolib.c      | 3 ++-
 include/linux/gpio/driver.h | 7 +++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index 06dce16e22bb..70f0dedca59f 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -1675,7 +1675,8 @@ static void gpiochip_set_cascaded_irqchip(struct gpio_chip *gpiochip,
 		irq_set_chained_handler_and_data(parent_irq, parent_handler,
 						 gpiochip);
 
-		gpiochip->irq.parents = &parent_irq;
+		gpiochip->irq.parent_irq = parent_irq;
+		gpiochip->irq.parents = &gpiochip->irq.parent_irq;
 		gpiochip->irq.num_parents = 1;
 	}
 
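Review bot: the two new assignments (`gpiochip->irq.parent_irq = parent_irq;` followed by `gpiochip->irq.parents = &gpiochip->irq.parent_irq;`) overwrite `irq.parents` and `irq.num_parents` unconditionally, so any parents array a driver had already placed in its gpio_irq_chip before calling this helper is silently replaced by the one-entry view. If that is the contract for the cascaded single-parent path, say so in a short comment above the assignment; if it is not, a `WARN_ON(gpiochip->irq.parents)` before the overwrite would flag drivers that set both. The lifetime problem itself is addressed correctly here: `parents` now points into the gpio_chip rather than into this function's frame, which is what the later read in gpiochip_irq_map() requires, and the KASAN stack-out-of-bounds in the commit message is exactly the dereference of the old `&parent_irq`.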
diff --git a/include/linux/gpio/driver.h b/include/linux/gpio/driver.h
index 5382b5183b7e..82a953ec5ef0 100644
--- a/include/linux/gpio/driver.h
+++ b/include/linux/gpio/driver.h
@@ -94,6 +94,13 @@ struct gpio_irq_chip {
 	 */
 	unsigned int num_parents;
 
+	/**
+	 * @parent_irq:
+	 *
+	 * For use by gpiochip_set_cascaded_irqchip()
+	 */
+	unsigned int parent_irq;
+
 	/**
 	 * @parents:
 	 *
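Review bot: the kernel-doc added for @parent_irq ("For use by gpiochip_set_cascaded_irqchip()") says who uses the field but not what it holds or who may write it. Spell out that it is the backing storage for @parents in the single cascaded-parent case, that gpiochip_set_cascaded_irqchip() points @parents at it and sets @num_parents to 1, and that drivers using that helper must not populate @parents themselves. Since the address of this field is stored into @parents, its type must stay identical to the element type of that pointer (`unsigned int`); a comment to that effect would stop a future change to one from quietly breaking the other.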
-- 
2.17.1
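The bug class in the commit message, a pointer to a function parameter escaping into a struct that outlives the call, shown beside the fix of backing the pointer with storage the struct owns. This is an added example and not code from the patch or from gpiolib: `struct chip`, `struct irq_cfg`, `set_cascaded_buggy()`, `set_cascaded_fixed()`, `map_parent()` and `classify_parents()` are hypothetical stand-ins whose field names mirror the patch (`parents`, `parent_irq`, `num_parents`). The buggy path is never dereferenced, since that read is exactly what KASAN reported; instead a cheap ownership check shows the pointer does not lie inside the object that holds it, which is the sort of test one could put behind a WARN_ON() in a setup helper.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for gpio_irq_chip / gpio_chip (not the kernel's). */
struct irq_cfg {
	unsigned int num_parents;
	unsigned int parent_irq;   /* backing storage the fix adds */
	unsigned int *parents;
};

struct chip {
	struct irq_cfg irq;
};

/* Mirrors the removed line: the address of a parameter escapes into the
 * struct. Routed through a noinline helper so the compiler neither folds
 * the store away nor diagnoses it; the dangling pointer is the point. */
__attribute__((noinline))
static void store_parents(struct chip *chip, unsigned int *p)
{
	chip->irq.parents = p;
	chip->irq.num_parents = 1;
}

static void set_cascaded_buggy(struct chip *chip, unsigned int parent_irq)
{
	store_parents(chip, &parent_irq);   /* BUG: parent_irq dies on return */
}

/* Mirrors the added lines: copy the value into the struct, then point at
 * the copy, whose lifetime is the chip's. */
static void set_cascaded_fixed(struct chip *chip, unsigned int parent_irq)
{
	chip->irq.parent_irq = parent_irq;
	chip->irq.parents = &chip->irq.parent_irq;
	chip->irq.num_parents = 1;
}

/* Stand-in for the read in gpiochip_irq_map(); only safe once the
 * pointer's target is guaranteed to be alive. */
static unsigned int map_parent(const struct chip *chip)
{
	if (!chip->irq.parents || chip->irq.num_parents == 0)
		return 0;
	return chip->irq.parents[0];
}

/* Ownership check: does parents[0] sit inside the object that owns the
 * pointer? An escaped parameter address never does. A separately
 * allocated array set by a driver is legitimately external and is
 * reported as such rather than treated as an error. */
enum parents_loc { PARENTS_NULL, PARENTS_INTERNAL, PARENTS_EXTERNAL };

enum parents_loc classify_parents(const struct chip *chip)
{
	uintptr_t p = (uintptr_t)chip->irq.parents;
	uintptr_t lo = (uintptr_t)chip;
	uintptr_t hi = lo + sizeof(*chip);

	if (!chip->irq.parents)
		return PARENTS_NULL;
	return (p >= lo && p + sizeof(unsigned int) <= hi)
		? PARENTS_INTERNAL : PARENTS_EXTERNAL;
}

/* Long-lived chip, like a registered gpio_chip: set up by the fixed path,
 * then read back after set_cascaded_fixed()'s frame is gone. */
unsigned int demo_fixed(unsigned int parent_irq)
{
	static struct chip chip;

	memset(&chip, 0, sizeof(chip));
	set_cascaded_fixed(&chip, parent_irq);
	return map_parent(&chip);
}

enum parents_loc demo_fixed_location(unsigned int parent_irq)
{
	static struct chip chip;

	memset(&chip, 0, sizeof(chip));
	set_cascaded_fixed(&chip, parent_irq);
	return classify_parents(&chip);
}

/* Same flow on the buggy path; the pointer is classified, never read. */
enum parents_loc demo_buggy_location(unsigned int parent_irq)
{
	static struct chip chip;

	memset(&chip, 0, sizeof(chip));
	set_cascaded_buggy(&chip, parent_irq);
	return classify_parents(&chip);
}

int main(void)
{
	printf("fixed: parents[0] = %u\n", demo_fixed(42));
	printf("fixed pointer internal: %d\n",
	       demo_fixed_location(42) == PARENTS_INTERNAL);
	printf("buggy pointer external: %d\n",
	       demo_buggy_location(42) == PARENTS_EXTERNAL);
	return 0;
}
```

The range check is deliberately coarse: it cannot tell a kmalloc'd array from a dead stack slot, so it only proves the single-parent case is self-contained. Catching the stack escape in general is what KASAN's stack redzones (the f1/f2/f3 bytes in the report above) do at runtime; in review, the tell is simply a `&` applied to a parameter or local whose address is stored somewhere that outlives the call.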