From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Chen-Yu Tsai <wens@csie.org>,
Neil Armstrong <narmstrong@baylibre.com>,
Maxime Ripard <maxime.ripard@bootlin.com>,
Linus Walleij <linus.walleij@linaro.org>
Subject: [PATCH 4.19 16/44] pinctrl: sunxi: Correct number of IRQ banks on H6 main pin controller
Date: Wed, 13 Feb 2019 19:38:17 +0100 [thread overview]
Message-ID: <20190213183653.042951004@linuxfoundation.org> (raw)
In-Reply-To: <20190213183651.648060257@linuxfoundation.org>
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wens@csie.org>
commit 10098709b4ee6f6f19f25ba81d9c6f83518c584c upstream.
The H6 main pin controller has four banks of interrupt-triggering pins.
The driver as originally submitted only specified three, but had pin
descriptions referencing a fourth bank. This results in a out-of-bounds
access into .irq_array of struct sunxi_pinctrl. This however did not
result in a crash until v4.20, with commit a66d972465d1 ("devres: Align
data[] to ARCH_KMALLOC_MINALIGN"), which changed the alignment of memory
region returned by devm_kcalloc(). The increase likely moved the
out-of-bounds access into the next, unmapped page.
With KASAN on, the bug is quite clear:
BUG: KASAN: slab-out-of-bounds in sunxi_pinctrl_init_with_variant+0x49c/0x12b8
Write of size 4 at addr ffff80002c680280 by task swapper/0/1
CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc1-00016-gc480a5e6a077 #3
Hardware name: OrangePi Lite2 (DT)
Call trace:
dump_backtrace+0x0/0x220
show_stack+0x14/0x20
dump_stack+0xac/0xd4
print_address_description+0x60/0x25c
kasan_report+0x14c/0x1ac
__asan_store4+0x80/0xa0
sunxi_pinctrl_init_with_variant+0x49c/0x12b8
h6_pinctrl_probe+0x18/0x20
platform_drv_probe+0x6c/0xc8
really_probe+0x244/0x4b0
driver_probe_device.part.4+0x11c/0x164
__driver_attach+0x120/0x190
bus_for_each_dev+0xe8/0x158
driver_attach+0x30/0x40
bus_add_driver+0x308/0x318
driver_register+0xbc/0x1d0
__platform_driver_register+0x7c/0x88
h6_pinctrl_driver_init+0x18/0x20
do_one_initcall+0xd4/0x208
kernel_init_freeable+0x230/0x2c8
kernel_init+0x10/0x108
ret_from_fork+0x10/0x1c
Allocated by task 1:
kasan_kmalloc.part.0+0x4c/0x100
kasan_kmalloc+0xc4/0xe8
kasan_slab_alloc+0x14/0x20
__kmalloc_track_caller+0x130/0x238
devm_kmalloc+0x34/0xd0
sunxi_pinctrl_init_with_variant+0x1d8/0x12b8
h6_pinctrl_probe+0x18/0x20
platform_drv_probe+0x6c/0xc8
really_probe+0x244/0x4b0
driver_probe_device.part.4+0x11c/0x164
__driver_attach+0x120/0x190
bus_for_each_dev+0xe8/0x158
driver_attach+0x30/0x40
bus_add_driver+0x308/0x318
driver_register+0xbc/0x1d0
__platform_driver_register+0x7c/0x88
h6_pinctrl_driver_init+0x18/0x20
do_one_initcall+0xd4/0x208
kernel_init_freeable+0x230/0x2c8
kernel_init+0x10/0x108
ret_from_fork+0x10/0x1c
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff80002c680080
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes to the right of
512-byte region [ffff80002c680080, ffff80002c680280)
The buggy address belongs to the page:
page:ffff7e0000b1a000 count:1 mapcount:0 mapping:ffff80002e00c780 index:0xffff80002c683c80 compound_mapcount: 0
flags: 0x10200(slab|head)
raw: 0000000000010200 ffff80002e003a10 ffff80002e003a10 ffff80002e00c780
raw: ffff80002c683c80 0000000000100001 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff80002c680180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff80002c680200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff80002c680280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff80002c680300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff80002c680380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Correct the number of IRQ banks so there are no more mismatches.
Fixes: c8a830904991 ("pinctrl: sunxi: add support for the Allwinner H6 main pin controller")
Cc: <stable@vger.kernel.org>
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Tested-by: Neil Armstrong <narmstrong@baylibre.com>
Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/sunxi/pinctrl-sun50i-h6.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pinctrl/sunxi/pinctrl-sun50i-h6.c
+++ b/drivers/pinctrl/sunxi/pinctrl-sun50i-h6.c
@@ -588,7 +588,7 @@ static const unsigned int h6_irq_bank_ma
static const struct sunxi_pinctrl_desc h6_pinctrl_data = {
.pins = h6_pins,
.npins = ARRAY_SIZE(h6_pins),
- .irq_banks = 3,
+ .irq_banks = 4,
.irq_bank_map = h6_irq_bank_map,
.irq_read_needs_mux = true,
};
next prev parent reply other threads:[~2019-02-13 18:53 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-13 18:38 [PATCH 4.19 00/44] 4.19.22-stable review Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 01/44] mtd: Make sure mtd->erasesize is valid even if the partition is of size 0 Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 02/44] mtd: spinand: Handle the case where PROGRAM LOAD does not reset the cache Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 03/44] mtd: spinand: Fix the error/cleanup path in spinand_init() Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 04/44] mtd: rawnand: gpmi: fix MX28 bus master lockup problem Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 05/44] libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 06/44] tools: iio: iio_generic_buffer: make num_loops signed Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 07/44] iio: adc: axp288: Fix TS-pin handling Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 08/44] iio: chemical: atlas-ph-sensor: correct IIO_TEMP values to millicelsius Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 09/44] iio: ti-ads8688: Update buffer allocation for timestamps Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 10/44] signal: Always notice exiting tasks Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 11/44] signal: Better detection of synchronous signals Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 12/44] misc: vexpress: Off by one in vexpress_syscfg_exec() Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 13/44] mei: me: add ice lake point device id Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 14/44] samples: mei: use /dev/mei0 instead of /dev/mei Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 15/44] debugfs: fix debugfs_rename parameter checking Greg Kroah-Hartman
2019-02-13 18:38 ` Greg Kroah-Hartman [this message]
2019-02-13 18:38 ` [PATCH 4.19 17/44] pinctrl: cherryview: fix Strago DMI workaround Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 18/44] tracing: uprobes: Fix typo in pr_fmt string Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 19/44] mips: cm: reprime error cause Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 20/44] MIPS: OCTEON: dont set octeon_dma_bar_type if PCI is disabled Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 21/44] MIPS: VDSO: Use same -m%-float cflag as the kernel proper Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 22/44] mips: loongson64: remove unreachable(), fix loongson_poweroff() Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 23/44] MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 24/44] ARM: iop32x/n2100: fix PCI IRQ mapping Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 25/44] ARM: tango: Improve ARCH_MULTIPLATFORM compatibility Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 26/44] ARM: dts: da850: fix interrupt numbers for clocksource Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 27/44] firmware: arm_scmi: provide the mandatory device release callback Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 28/44] powerpc/radix: Fix kernel crash with mremap() Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 29/44] mic: vop: Fix use-after-free on remove Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 30/44] mac80211: ensure that mgmt tx skbs have tailroom for encryption Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 31/44] drm/modes: Prevent division by zero htotal Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 32/44] drm/amd/powerplay: Fix missing break in switch Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 33/44] drm/i915: always return something on DDI clock selection Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 34/44] drm/vmwgfx: Fix setting of dma masks Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 35/44] drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 36/44] [STABLE PATCH] SUNRPC: Always drop the XPRT_LOCK on XPRT_CLOSE_WAIT Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 37/44] xfrm: Make set-mark default behavior backward compatible Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 38/44] Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal" Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 39/44] libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive() Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 40/44] xfrm: refine validation of template and selector families Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 41/44] batman-adv: Avoid WARN on net_device without parent in netns Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 42/44] batman-adv: Force mac header to start of data on xmit Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 43/44] svcrdma: Reduce max_send_sges Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.19 44/44] svcrdma: Remove max_sge check at connect time Greg Kroah-Hartman
2019-02-14 16:46 ` [PATCH 4.19 00/44] 4.19.22-stable review Dan Rue
2019-02-14 19:17 ` Guenter Roeck
2019-02-14 22:23 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190213183653.042951004@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linus.walleij@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maxime.ripard@bootlin.com \
--cc=narmstrong@baylibre.com \
--cc=stable@vger.kernel.org \
--cc=wens@csie.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.