From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Russell King <rmk+kernel@armlinux.org.uk>,
	Santosh Shilimkar <ssantosh@kernel.org>,
	Olof Johansson <olof@lixom.net>,
	Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 3.18 30/85] ARM: keystone: fix platform_domain_notifier array overrun
Date: Sun,  1 Jul 2018 18:01:48 +0200
Message-ID: <20180701153123.563915696@linuxfoundation.org>
In-Reply-To: <20180701153122.365061142@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>

[ Upstream commit 9954b80b8c0e8abc98e17bba0fccd9876211ceaa ]

platform_domain_notifier contains a variable sized array, which the
pm_clk_notify() notifier treats as a NULL terminated array:

     for (con_id = clknb->con_ids; *con_id; con_id++)
             pm_clk_add(dev, *con_id);

Omitting the initialiser for con_ids means that the array is zero
sized, and there is no NULL terminator.  This leads to pm_clk_notify()
overrunning into whatever structure follows, which may not be NULL.
This leads to an oops:

Unable to handle kernel NULL pointer dereference at virtual address 0000008c
pgd = c0003000
[0000008c] *pgd=80000800004003c, *pmd=00000000c
Internal error: Oops: 206 [#1] PREEMPT SMP ARM
Modules linked in:c
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.16.0+ #9
Hardware name: Keystone
PC is at strlen+0x0/0x34
LR is at kstrdup+0x18/0x54
pc : [<c0623340>]    lr : [<c0111d6c>]    psr: 20000013
sp : eec73dc0  ip : eed780c0  fp : 00000001
r10: 00000000  r9 : 00000000  r8 : eed71e10
r7 : 0000008c  r6 : 0000008c  r5 : 014000c0  r4 : c03a6ff4
r3 : c09445d0  r2 : 00000000  r1 : 014000c0  r0 : 0000008c
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 00003000  DAC: fffffffd
Process swapper/0 (pid: 1, stack limit = 0xeec72210)
Stack: (0xeec73dc0 to 0xeec74000)
...
[<c0623340>] (strlen) from [<c0111d6c>] (kstrdup+0x18/0x54)
[<c0111d6c>] (kstrdup) from [<c03a6ff4>] (__pm_clk_add+0x58/0x120)
[<c03a6ff4>] (__pm_clk_add) from [<c03a731c>] (pm_clk_notify+0x64/0xa8)
[<c03a731c>] (pm_clk_notify) from [<c004614c>] (notifier_call_chain+0x44/0x84)
[<c004614c>] (notifier_call_chain) from [<c0046320>] (__blocking_notifier_call_chain+0x48/0x60)
[<c0046320>] (__blocking_notifier_call_chain) from [<c0046350>] (blocking_notifier_call_chain+0x18/0x20)
[<c0046350>] (blocking_notifier_call_chain) from [<c0390234>] (device_add+0x36c/0x534)
[<c0390234>] (device_add) from [<c047fc00>] (of_platform_device_create_pdata+0x70/0xa4)
[<c047fc00>] (of_platform_device_create_pdata) from [<c047fea0>] (of_platform_bus_create+0xf0/0x1ec)
[<c047fea0>] (of_platform_bus_create) from [<c047fff8>] (of_platform_populate+0x5c/0xac)
[<c047fff8>] (of_platform_populate) from [<c08b1f04>] (of_platform_default_populate_init+0x8c/0xa8)
[<c08b1f04>] (of_platform_default_populate_init) from [<c000a78c>] (do_one_initcall+0x3c/0x164)
[<c000a78c>] (do_one_initcall) from [<c087bd9c>] (kernel_init_freeable+0x10c/0x1d0)
[<c087bd9c>] (kernel_init_freeable) from [<c0628db0>] (kernel_init+0x8/0xf0)
[<c0628db0>] (kernel_init) from [<c00090d8>] (ret_from_fork+0x14/0x3c)
Exception stack(0xeec73fb0 to 0xeec73ff8)
3fa0:                                     00000000 00000000 00000000 00000000
3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
Code: e3520000 1afffff7 e12fff1e c0801730 (e5d02000)
---[ end trace cafa8f148e262e80 ]---

Fix this by adding the necessary initialiser.

Fixes: fc20ffe1213b ("ARM: keystone: add PM domain support for clock management")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Acked-by: Santosh Shilimkar <ssantosh@kernel.org>
Signed-off-by: Olof Johansson <olof@lixom.net>

Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/mach-keystone/pm_domain.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/mach-keystone/pm_domain.c
+++ b/arch/arm/mach-keystone/pm_domain.c
@@ -59,6 +59,7 @@ static struct dev_pm_domain keystone_pm_
 
 static struct pm_clk_notifier_block platform_domain_notifier = {
 	.pm_domain = &keystone_pm_domain,
+	.con_ids = { NULL },
 };
 
 static struct of_device_id of_keystone_table[] = {
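
Review bot: the added `.con_ids = { NULL },` line in platform_domain_notifier reads like a redundant initialiser, yet it is what supplies the terminator that pm_clk_notify() walks to, so it should carry a one-line comment saying so (for example `/* NULL-terminated list, walked by pm_clk_notify() */`); without it a later cleanup could drop the line and bring the overrun back. Since the commit message says that omitting the initialiser leaves con_ids zero sized with no terminator, the changelog could also state whether other pm_clk_notifier_block definitions were checked for the same omission, as this hunk only covers the keystone one.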


