From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Andrey Skvortsov <andrej.skvortzov@gmail.com>,
Stephen Boyd <sboyd@kernel.org>
Subject: [PATCH 5.10 44/84] clk: Fix slab-out-of-bounds error in devm_clk_release()
Date: Mon, 28 Aug 2023 12:14:01 +0200 [thread overview]
Message-ID: <20230828101150.760420388@linuxfoundation.org> (raw)
In-Reply-To: <20230828101149.146126827@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Skvortsov <andrej.skvortzov@gmail.com>
commit 66fbfb35da47f391bdadf9fa7ceb88af4faa9022 upstream.
Problem can be reproduced by unloading snd_soc_simple_card, because in
devm_get_clk_from_child() devres data is allocated as `struct clk`, but
devm_clk_release() expects devres data to be `struct devm_clk_state`.
KASAN report:
==================================================================
BUG: KASAN: slab-out-of-bounds in devm_clk_release+0x20/0x54
Read of size 8 at addr ffffff800ee09688 by task (udev-worker)/287
Call trace:
dump_backtrace+0xe8/0x11c
show_stack+0x1c/0x30
dump_stack_lvl+0x60/0x78
print_report+0x150/0x450
kasan_report+0xa8/0xf0
__asan_load8+0x78/0xa0
devm_clk_release+0x20/0x54
release_nodes+0x84/0x120
devres_release_all+0x144/0x210
device_unbind_cleanup+0x1c/0xac
really_probe+0x2f0/0x5b0
__driver_probe_device+0xc0/0x1f0
driver_probe_device+0x68/0x120
__driver_attach+0x140/0x294
bus_for_each_dev+0xec/0x160
driver_attach+0x38/0x44
bus_add_driver+0x24c/0x300
driver_register+0xf0/0x210
__platform_driver_register+0x48/0x54
asoc_simple_card_init+0x24/0x1000 [snd_soc_simple_card]
do_one_initcall+0xac/0x340
do_init_module+0xd0/0x300
load_module+0x2ba4/0x3100
__do_sys_init_module+0x2c8/0x300
__arm64_sys_init_module+0x48/0x5c
invoke_syscall+0x64/0x190
el0_svc_common.constprop.0+0x124/0x154
do_el0_svc+0x44/0xdc
el0_svc+0x14/0x50
el0t_64_sync_handler+0xec/0x11c
el0t_64_sync+0x14c/0x150
Allocated by task 287:
kasan_save_stack+0x38/0x60
kasan_set_track+0x28/0x40
kasan_save_alloc_info+0x20/0x30
__kasan_kmalloc+0xac/0xb0
__kmalloc_node_track_caller+0x6c/0x1c4
__devres_alloc_node+0x44/0xb4
devm_get_clk_from_child+0x44/0xa0
asoc_simple_parse_clk+0x1b8/0x1dc [snd_soc_simple_card_utils]
simple_parse_node.isra.0+0x1ec/0x230 [snd_soc_simple_card]
simple_dai_link_of+0x1bc/0x334 [snd_soc_simple_card]
__simple_for_each_link+0x2ec/0x320 [snd_soc_simple_card]
asoc_simple_probe+0x468/0x4dc [snd_soc_simple_card]
platform_probe+0x90/0xf0
really_probe+0x118/0x5b0
__driver_probe_device+0xc0/0x1f0
driver_probe_device+0x68/0x120
__driver_attach+0x140/0x294
bus_for_each_dev+0xec/0x160
driver_attach+0x38/0x44
bus_add_driver+0x24c/0x300
driver_register+0xf0/0x210
__platform_driver_register+0x48/0x54
asoc_simple_card_init+0x24/0x1000 [snd_soc_simple_card]
do_one_initcall+0xac/0x340
do_init_module+0xd0/0x300
load_module+0x2ba4/0x3100
__do_sys_init_module+0x2c8/0x300
__arm64_sys_init_module+0x48/0x5c
invoke_syscall+0x64/0x190
el0_svc_common.constprop.0+0x124/0x154
do_el0_svc+0x44/0xdc
el0_svc+0x14/0x50
el0t_64_sync_handler+0xec/0x11c
el0t_64_sync+0x14c/0x150
The buggy address belongs to the object at ffffff800ee09600
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 136 bytes inside of
256-byte region [ffffff800ee09600, ffffff800ee09700)
The buggy address belongs to the physical page:
page:000000002d97303b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ee08
head:000000002d97303b order:1 compound_mapcount:0 compound_pincount:0
flags: 0x10200(slab|head|zone=0)
raw: 0000000000010200 0000000000000000 dead000000000122 ffffff8002c02480
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffffff800ee09580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffff800ee09600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffff800ee09680: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffffff800ee09700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffff800ee09780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Link: https://lore.kernel.org/r/20230805084847.3110586-1-andrej.skvortzov@gmail.com
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/clk-devres.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/drivers/clk/clk-devres.c
+++ b/drivers/clk/clk-devres.c
@@ -205,18 +205,19 @@ EXPORT_SYMBOL(devm_clk_put);
struct clk *devm_get_clk_from_child(struct device *dev,
struct device_node *np, const char *con_id)
{
- struct clk **ptr, *clk;
+ struct devm_clk_state *state;
+ struct clk *clk;
- ptr = devres_alloc(devm_clk_release, sizeof(*ptr), GFP_KERNEL);
- if (!ptr)
+ state = devres_alloc(devm_clk_release, sizeof(*state), GFP_KERNEL);
+ if (!state)
return ERR_PTR(-ENOMEM);
clk = of_clk_get_by_name(np, con_id);
if (!IS_ERR(clk)) {
- *ptr = clk;
- devres_add(dev, ptr);
+ state->clk = clk;
+ devres_add(dev, state);
} else {
- devres_free(ptr);
+ devres_free(state);
}
return clk;
next prev parent reply other threads:[~2023-08-28 10:51 UTC|newest]
Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-28 10:13 [PATCH 5.10 00/84] 5.10.193-rc1 review Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 01/84] objtool/x86: Fix SRSO mess Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 02/84] NFSv4: fix out path in __nfs4_get_acl_uncached Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 03/84] xprtrdma: Remap Receive buffers after a reconnect Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 04/84] PCI: acpiphp: Reassign resources on bridge if necessary Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 05/84] dlm: improve plock logging if interrupted Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 06/84] dlm: replace usage of found with dedicated list iterator variable Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 07/84] fs: dlm: add pid to debug log Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 08/84] fs: dlm: change plock interrupted message to debug again Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 09/84] fs: dlm: use dlm_plock_info for do_unlock_close Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 10/84] fs: dlm: fix mismatch of plock results from userspace Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 11/84] MIPS: cpu-features: Enable octeon_cache by cpu_type Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 12/84] MIPS: cpu-features: Use boot_cpu_type for CPU type based features Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 13/84] fbdev: Improve performance of sys_imageblit() Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 14/84] fbdev: Fix sys_imageblit() for arbitrary image widths Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 15/84] fbdev: fix potential OOB read in fast_imageblit() Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 16/84] dm integrity: increase RECALC_SECTORS to improve recalculate speed Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 17/84] dm integrity: reduce vmalloc space footprint on 32-bit architectures Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 18/84] ALSA: pcm: Fix potential data race at PCM memory allocation helpers Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 19/84] drm/amd/display: do not wait for mpc idle if tg is disabled Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 20/84] drm/amd/display: check TG is non-null before checking if enabled Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 21/84] libceph, rbd: ignore addr->type while comparing in some cases Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 22/84] rbd: make get_lock_owner_info() return a single locker or NULL Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 23/84] rbd: retrieve and check lock owner twice before blocklisting Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 24/84] rbd: prevent busy loop when requesting exclusive lock Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 25/84] tracing: Fix cpu buffers unavailable due to record_disabled missed Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 26/84] tracing: Fix memleak due to race between current_tracer and trace Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 27/84] octeontx2-af: SDP: fix receive link config Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 28/84] sock: annotate data-races around prot->memory_pressure Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 29/84] dccp: annotate data-races in dccp_poll() Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 30/84] ipvlan: Fix a reference count leak warning in ipvlan_ns_exit() Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 31/84] net: bgmac: Fix return value check for fixed_phy_register() Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 32/84] net: bcmgenet: " Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 33/84] net: validate veth and vxcan peer ifindexes Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 34/84] ice: fix receive buffer size miscalculation Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 35/84] igb: Avoid starting unnecessary workqueues Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 36/84] net/sched: fix a qdisc modification with ambiguous command request Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 37/84] netfilter: nf_tables: fix out of memory error handling Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 38/84] rtnetlink: return ENODEV when ifname does not exist and group is given Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 39/84] rtnetlink: Reject negative ifindexes in RTM_NEWLINK Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 40/84] net: remove bond_slave_has_mac_rcu() Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 41/84] bonding: fix macvlan over alb bond support Greg Kroah-Hartman
2023-08-28 10:13 ` [PATCH 5.10 42/84] ibmveth: Use dcbf rather than dcbfl Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 43/84] NFSv4: Fix dropped lock for racing OPEN and delegation return Greg Kroah-Hartman
2023-08-28 10:14 ` Greg Kroah-Hartman [this message]
2023-08-28 10:14 ` [PATCH 5.10 45/84] mm: add a call to flush_cache_vmap() in vmap_pfn() Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 46/84] NFS: Fix a use after free in nfs_direct_join_group() Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 47/84] nfsd: Fix race to FREE_STATEID and cl_revoked Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 48/84] selinux: set next pointer before attaching to list Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 49/84] batman-adv: Trigger events for auto adjusted MTU Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 50/84] batman-adv: Dont increase MTU when set by user Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 51/84] batman-adv: Do not get eth header before batadv_check_management_packet Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 52/84] batman-adv: Fix TT global entry leak when client roamed back Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 53/84] batman-adv: Fix batadv_v_ogm_aggr_send memory leak Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 54/84] batman-adv: Hold rtnl lock during MTU update via netlink Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 55/84] lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 56/84] radix tree: remove unused variable Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 57/84] of: dynamic: Refactor action prints to not use "%pOF" inside devtree_lock Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 58/84] media: vcodec: Fix potential array out-of-bounds in encoder queue_setup Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 59/84] PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root bus Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 60/84] drm/vmwgfx: Fix shader stage validation Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 61/84] drm/display/dp: Fix the DP DSC Receiver cap size Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 62/84] x86/fpu: Set X86_FEATURE_OSXSAVE feature after enabling OSXSAVE in CR4 Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 63/84] torture: Fix hang during kthread shutdown phase Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 64/84] tick: Detect and fix jiffies update stall Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 65/84] timers/nohz: Switch to ONESHOT_STOPPED in the low-res handler when the tick is stopped Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 66/84] cgroup/cpuset: Rename functions dealing with DEADLINE accounting Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 67/84] sched/cpuset: Bring back cpuset_mutex Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 68/84] sched/cpuset: Keep track of SCHED_DEADLINE task in cpusets Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 69/84] cgroup/cpuset: Iterate only if DEADLINE tasks are present Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 70/84] sched/deadline: Create DL BW alloc, free & check overflow interface Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 71/84] cgroup/cpuset: Free DL BW in case can_attach() fails Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 72/84] drm/i915: Fix premature release of requests reusable memory Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 73/84] ASoC: rt711: add two jack detection modes Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 74/84] scsi: snic: Fix double free in snic_tgt_create() Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 75/84] scsi: core: raid_class: Remove raid_component_add() Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 76/84] clk: Fix undefined reference to `clk_rate_exclusive_{get,put} Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 77/84] pinctrl: renesas: rza2: Add lock around pinctrl_generic{{add,remove}_group,{add,remove}_function} Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 78/84] dma-buf/sw_sync: Avoid recursive lock during fence signal Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 79/84] mm,hwpoison: refactor get_any_page Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 80/84] mm: fix page reference leak in soft_offline_page() Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 81/84] mm: memory-failure: kill soft_offline_free_page() Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 82/84] mm: memory-failure: fix unexpected return value in soft_offline_page() Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 83/84] ASoC: Intel: sof_sdw: include rt711.h for RT711 JD mode Greg Kroah-Hartman
2023-08-28 10:14 ` [PATCH 5.10 84/84] mm,hwpoison: fix printing of page flags Greg Kroah-Hartman
2023-08-28 16:42 ` [PATCH 5.10 00/84] 5.10.193-rc1 review Guenter Roeck
2023-08-30 10:52 ` Greg Kroah-Hartman
2023-08-30 16:01 ` Guenter Roeck
2023-08-30 17:07 ` Florian Fainelli
2023-08-30 17:38 ` Manuel Lauss
2023-08-31 10:31 ` Greg Kroah-Hartman
2023-08-31 14:54 ` Florian Fainelli
2023-08-31 15:13 ` Greg Kroah-Hartman
2023-08-28 17:24 ` Guenter Roeck
2023-08-30 10:53 ` Greg Kroah-Hartman
2023-08-29 9:06 ` luomeng
2023-08-29 9:15 ` Naresh Kamboju
2023-08-29 11:42 ` Sudip Mukherjee (Codethink)
2023-08-29 14:22 ` Shuah Khan
2023-08-29 18:07 ` Florian Fainelli
2023-08-30 2:02 ` Guenter Roeck
2023-08-30 10:24 ` Jon Hunter
2023-08-30 11:29 ` Pavel Machek
2023-08-30 13:16 ` Joel Fernandes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230828101150.760420388@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andrej.skvortzov@gmail.com \
--cc=patches@lists.linux.dev \
--cc=sboyd@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).