From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, stable@kernel.org,
Han Xu <han.xu@nxp.com>, Mark Brown <broonie@kernel.org>
Subject: [PATCH 6.6 77/91] spi: nxp-fspi: fix the KASAN report out-of-bounds bug
Date: Mon, 16 Sep 2024 13:44:53 +0200 [thread overview]
Message-ID: <20240916114227.005846121@linuxfoundation.org> (raw)
In-Reply-To: <20240916114224.509743970@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Han Xu <han.xu@nxp.com>
commit 2a8787c1cdc7be24fdd8953ecd1a8743a1006235 upstream.
Change the memcpy length to fix the out-of-bounds issue when writing the
data that is not 4 byte aligned to TX FIFO.
To reproduce the issue, write 3 bytes data to NOR chip.
dd if=3b of=/dev/mtd0
[ 36.926103] ==================================================================
[ 36.933409] BUG: KASAN: slab-out-of-bounds in nxp_fspi_exec_op+0x26ec/0x2838
[ 36.940514] Read of size 4 at addr ffff00081037c2a0 by task dd/455
[ 36.946721]
[ 36.948235] CPU: 3 UID: 0 PID: 455 Comm: dd Not tainted 6.11.0-rc5-gc7b0e37c8434 #1070
[ 36.956185] Hardware name: Freescale i.MX8QM MEK (DT)
[ 36.961260] Call trace:
[ 36.963723] dump_backtrace+0x90/0xe8
[ 36.967414] show_stack+0x18/0x24
[ 36.970749] dump_stack_lvl+0x78/0x90
[ 36.974451] print_report+0x114/0x5cc
[ 36.978151] kasan_report+0xa4/0xf0
[ 36.981670] __asan_report_load_n_noabort+0x1c/0x28
[ 36.986587] nxp_fspi_exec_op+0x26ec/0x2838
[ 36.990800] spi_mem_exec_op+0x8ec/0xd30
[ 36.994762] spi_mem_no_dirmap_read+0x190/0x1e0
[ 36.999323] spi_mem_dirmap_write+0x238/0x32c
[ 37.003710] spi_nor_write_data+0x220/0x374
[ 37.007932] spi_nor_write+0x110/0x2e8
[ 37.011711] mtd_write_oob_std+0x154/0x1f0
[ 37.015838] mtd_write_oob+0x104/0x1d0
[ 37.019617] mtd_write+0xb8/0x12c
[ 37.022953] mtdchar_write+0x224/0x47c
[ 37.026732] vfs_write+0x1e4/0x8c8
[ 37.030163] ksys_write+0xec/0x1d0
[ 37.033586] __arm64_sys_write+0x6c/0x9c
[ 37.037539] invoke_syscall+0x6c/0x258
[ 37.041327] el0_svc_common.constprop.0+0x160/0x22c
[ 37.046244] do_el0_svc+0x44/0x5c
[ 37.049589] el0_svc+0x38/0x78
[ 37.052681] el0t_64_sync_handler+0x13c/0x158
[ 37.057077] el0t_64_sync+0x190/0x194
[ 37.060775]
[ 37.062274] Allocated by task 455:
[ 37.065701] kasan_save_stack+0x2c/0x54
[ 37.069570] kasan_save_track+0x20/0x3c
[ 37.073438] kasan_save_alloc_info+0x40/0x54
[ 37.077736] __kasan_kmalloc+0xa0/0xb8
[ 37.081515] __kmalloc_noprof+0x158/0x2f8
[ 37.085563] mtd_kmalloc_up_to+0x120/0x154
[ 37.089690] mtdchar_write+0x130/0x47c
[ 37.093469] vfs_write+0x1e4/0x8c8
[ 37.096901] ksys_write+0xec/0x1d0
[ 37.100332] __arm64_sys_write+0x6c/0x9c
[ 37.104287] invoke_syscall+0x6c/0x258
[ 37.108064] el0_svc_common.constprop.0+0x160/0x22c
[ 37.112972] do_el0_svc+0x44/0x5c
[ 37.116319] el0_svc+0x38/0x78
[ 37.119401] el0t_64_sync_handler+0x13c/0x158
[ 37.123788] el0t_64_sync+0x190/0x194
[ 37.127474]
[ 37.128977] The buggy address belongs to the object at ffff00081037c2a0
[ 37.128977] which belongs to the cache kmalloc-8 of size 8
[ 37.141177] The buggy address is located 0 bytes inside of
[ 37.141177] allocated 3-byte region [ffff00081037c2a0, ffff00081037c2a3)
[ 37.153465]
[ 37.154971] The buggy address belongs to the physical page:
[ 37.160559] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x89037c
[ 37.168596] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 37.175149] page_type: 0xfdffffff(slab)
[ 37.179021] raw: 0bfffe0000000000 ffff000800002500 dead000000000122 0000000000000000
[ 37.186788] raw: 0000000000000000 0000000080800080 00000001fdffffff 0000000000000000
[ 37.194553] page dumped because: kasan: bad access detected
[ 37.200144]
[ 37.201647] Memory state around the buggy address:
[ 37.206460] ffff00081037c180: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
[ 37.213701] ffff00081037c200: fa fc fc fc 05 fc fc fc 03 fc fc fc 02 fc fc fc
[ 37.220946] >ffff00081037c280: 06 fc fc fc 03 fc fc fc fc fc fc fc fc fc fc fc
[ 37.228186] ^
[ 37.232473] ffff00081037c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.239718] ffff00081037c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.246962] ==================================================================
[ 37.254394] Disabling lock debugging due to kernel taint
0+1 records in
0+1 records out
3 bytes copied, 0.335911 s, 0.0 kB/s
Fixes: a5356aef6a90 ("spi: spi-mem: Add driver for NXP FlexSPI controller")
Cc: stable@kernel.org
Signed-off-by: Han Xu <han.xu@nxp.com>
Link: https://patch.msgid.link/20240911211146.3337068-1-han.xu@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-nxp-fspi.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/spi/spi-nxp-fspi.c
+++ b/drivers/spi/spi-nxp-fspi.c
@@ -805,14 +805,15 @@ static void nxp_fspi_fill_txfifo(struct
if (i < op->data.nbytes) {
u32 data = 0;
int j;
+ int remaining = op->data.nbytes - i;
/* Wait for TXFIFO empty */
ret = fspi_readl_poll_tout(f, f->iobase + FSPI_INTR,
FSPI_INTR_IPTXWE, 0,
POLL_TOUT, true);
WARN_ON(ret);
- for (j = 0; j < ALIGN(op->data.nbytes - i, 4); j += 4) {
- memcpy(&data, buf + i + j, 4);
+ for (j = 0; j < ALIGN(remaining, 4); j += 4) {
+ memcpy(&data, buf + i + j, min_t(int, 4, remaining - j));
fspi_writel(f, data, base + FSPI_TFDR + j);
}
fspi_writel(f, FSPI_INTR_IPTXWE, base + FSPI_INTR);
next prev parent reply other threads:[~2024-09-16 12:12 UTC|newest]
Thread overview: 106+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-16 11:43 [PATCH 6.6 00/91] 6.6.52-rc1 review Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 01/91] device property: Add cleanup.h based fwnode_handle_put() scope based cleanup Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 02/91] device property: Introduce device_for_each_child_node_scoped() Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 03/91] iio: adc: ad7124: Switch from of specific to fwnode based property handling Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 04/91] iio: adc: ad7124: fix DT configuration parsing Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 05/91] nvmem: core: add nvmem_dev_size() helper Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 06/91] nvmem: u-boot-env: use nvmem_add_one_cell() nvmem subsystem helper Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 07/91] nvmem: u-boot-env: use nvmem device helpers Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 08/91] nvmem: u-boot-env: improve coding style Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 09/91] nvmem: u-boot-env: error if NVMEM device is too small Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 10/91] ksmbd: override fsids for share path check Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 11/91] ksmbd: override fsids for smb2_query_info() Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 12/91] usbnet: ipheth: remove extraneous rx URB length check Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 13/91] usbnet: ipheth: drop RX URBs with no payload Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 14/91] usbnet: ipheth: do not stop RX on failing RX callback Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 15/91] usbnet: ipheth: fix carrier detection in modes 1 and 4 Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 16/91] net: ethernet: use ip_hdrlen() instead of bit shift Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 17/91] drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 18/91] drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 19/91] net: phy: vitesse: repair vsc73xx autonegotiation Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 20/91] powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 21/91] wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 22/91] net: hns3: use correct release function during uninitialization Greg Kroah-Hartman
2024-09-16 11:43 ` [PATCH 6.6 23/91] btrfs: update target inodes ctime on unlink Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 24/91] Input: ads7846 - ratelimit the spi_sync error message Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 25/91] Input: synaptics - enable SMBus for HP Elitebook 840 G2 Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 26/91] HID: multitouch: Add support for GT7868Q Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 27/91] scripts: kconfig: merge_config: config files: add a trailing newline Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 28/91] platform/surface: aggregator_registry: Add Support for Surface Pro 10 Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 29/91] platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 30/91] drm/msm/adreno: Fix error return if missing firmware-name Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 31/91] Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 32/91] s390/mm: Prevent lowcore vs identity mapping overlap Greg Kroah-Hartman
2024-09-17 11:06 ` Alexander Gordeev
2024-09-17 11:15 ` Greg Kroah-Hartman
2024-09-17 15:17 ` Alexander Gordeev
2024-09-18 6:17 ` Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 33/91] smb/server: fix return value of smb2_open() Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 34/91] NFSv4: Fix clearing of layout segments in layoutreturn Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 35/91] NFS: Avoid unnecessary rescanning of the per-server delegation list Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 36/91] platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 37/91] platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 38/91] mptcp: pm: Fix uaf in __timer_delete_sync Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 39/91] selftests: mptcp: join: restrict fullmesh endp on 1st sf Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 40/91] arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 41/91] arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog " Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 42/91] minmax: reduce min/max macro expansion in atomisp driver Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 43/91] net: tighten bad gso csum offset check in virtio_net_hdr Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 44/91] dm-integrity: fix a race condition when accessing recalc_sector Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 45/91] x86/hyperv: fix kexec crash due to VP assist page corruption Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 46/91] mm: avoid leaving partial pfn mappings around in error case Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 47/91] net: xilinx: axienet: Fix race in axienet_stop Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 48/91] arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 49/91] drm/amd/display: Disable error correction if its not supported Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 50/91] drm/amd/display: Fix FEC_READY write on DP LT Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 51/91] eeprom: digsy_mtc: Fix 93xx46 driver probe failure Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 52/91] cxl/core: Fix incorrect vendor debug UUID define Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 53/91] selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 54/91] hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 55/91] ice: Fix lldp packets dropping after changing the number of channels Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 56/91] ice: fix accounting for filters shared by multiple VSIs Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 57/91] ice: fix VSI lists confusion when adding VLANs Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 58/91] igb: Always call igb_xdp_ring_update_tail() under Tx lock Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 59/91] net/mlx5: Update the list of the PCI supported devices Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 60/91] net/mlx5e: Add missing link modes to ptys2ethtool_map Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 61/91] IB/mlx5: Rename 400G_8X speed to comply to naming convention Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 62/91] net/mlx5e: Add missing link mode to ptys2ext_ethtool_map Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 63/91] net/mlx5: Explicitly set scheduling element and TSAR type Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 64/91] net/mlx5: Add missing masks and QoS bit masks for scheduling elements Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 65/91] net/mlx5: Correct TASR typo into TSAR Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 66/91] net/mlx5: Verify support for scheduling element and TSAR type Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 67/91] net/mlx5: Fix bridge mode operations when there are no VFs Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 68/91] fou: fix initialization of grc Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 69/91] octeontx2-af: Modify SMQ flush sequence to drop packets Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 70/91] net: ftgmac100: Enable TX interrupt to avoid TX timeout Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 71/91] selftests: net: csum: Fix checksums for packets with non-zero padding Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 72/91] netfilter: nft_socket: fix sk refcount leaks Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 73/91] netfilter: nft_socket: make cgroupsv2 matching work with namespaces Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 74/91] net: dsa: felix: ignore pending status of TAS module when its disabled Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 75/91] net: dpaa: Pad packets to ETH_ZLEN Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 76/91] tracing/osnoise: Fix build when timerlat is not enabled Greg Kroah-Hartman
2024-09-16 11:44 ` Greg Kroah-Hartman [this message]
2024-09-16 11:44 ` [PATCH 6.6 78/91] soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 79/91] drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 80/91] dma-buf: heaps: Fix off-by-one in CMA heap fault handler Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 81/91] drm/nouveau/fb: restore init() for ramgp102 Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 82/91] drm/amdgpu/atomfirmware: Silence UBSAN warning Greg Kroah-Hartman
2024-09-16 11:44 ` [PATCH 6.6 83/91] drm/amd/amdgpu: apply command submission parser for JPEG v1 Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 84/91] spi: geni-qcom: Undo runtime PM changes at driver exit time Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 85/91] spi: geni-qcom: Fix incorrect free_irq() sequence Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 86/91] drm/i915/guc: prevent a possible int overflow in wq offsets Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 87/91] ASoC: codecs: avoid possible garbage value in peb2466_reg_read() Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 88/91] cifs: Fix signature miscalculation Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 89/91] pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 90/91] ASoC: meson: axg-card: fix use-after-free Greg Kroah-Hartman
2024-09-16 11:45 ` [PATCH 6.6 91/91] riscv: dts: starfive: add assigned-clock* to limit frquency Greg Kroah-Hartman
2024-09-16 14:10 ` [PATCH 6.6 00/91] 6.6.52-rc1 review Takeshi Ogasawara
2024-09-16 16:29 ` Harshit Mogalapalli
2024-09-16 18:12 ` Peter Schneider
2024-09-17 9:56 ` Mark Brown
2024-09-17 10:30 ` Naresh Kamboju
2024-09-18 6:17 ` Greg Kroah-Hartman
2024-09-17 15:19 ` Jon Hunter
2024-09-17 21:44 ` Florian Fainelli
2024-09-17 22:35 ` Ron Economos
2024-09-18 10:03 ` Kexy Biscuit
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240916114227.005846121@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=broonie@kernel.org \
--cc=han.xu@nxp.com \
--cc=patches@lists.linux.dev \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).