From: Jason Cooper <jason@lakedaemon.net>
To: David Woodhouse <dwmw2@infradead.org>,
Linus Walleij <linus.walleij@linaro.org>
Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>,
Thomas Petazzoni <thomas.petazzoni@free-electrons.com>,
Stephen Warren <swarren@wwwdotorg.org>,
linux-kernel@vger.kernel.org,
Gregory CLEMENT <gregory.clement@free-electrons.com>,
Ezequiel Garcia <ezequiel.garcia@free-electrons.com>,
Linux ARM Kernel <linux-arm-kernel@lists.infradead.org>,
David Woodhouse <David.Woodhouse@intel.com>,
Jason Cooper <jason@lakedaemon.net>
Subject: [PATCH] pinctrl: mvebu: prevent walking off the end of group array
Date: Wed, 13 Mar 2013 17:35:55 +0000 [thread overview]
Message-ID: <1363196155-1620-1-git-send-email-jason@lakedaemon.net> (raw)
In-Reply-To: <1362872371.3690.106.camel@shinybook.infradead.org>
From: David Woodhouse <dwmw2@infradead.org>
While investigating (ab)use of krealloc, David found this bug. It's
unlikely to occur, but now we detect the condition and error out
appropriately.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Jason Cooper <jason@lakedaemon.net>
---
David, please double check that this is as you intended. I had to hand-jam it in due to some peculiarities on my side.
drivers/pinctrl/mvebu/pinctrl-mvebu.c | 27 ++++++++++++++++-----------
1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/drivers/pinctrl/mvebu/pinctrl-mvebu.c b/drivers/pinctrl/mvebu/pinctrl-mvebu.c
index c689c04..8d8f175 100644
--- a/drivers/pinctrl/mvebu/pinctrl-mvebu.c
+++ b/drivers/pinctrl/mvebu/pinctrl-mvebu.c
@@ -478,16 +478,21 @@ static struct pinctrl_ops mvebu_pinctrl_ops = {
.dt_free_map = mvebu_pinctrl_dt_free_map,
};
-static int _add_function(struct mvebu_pinctrl_function *funcs, const char *name)
+static int _add_function(struct mvebu_pinctrl_function *funcs, nt nr_funcs,
+ const char *name)
{
- while (funcs->num_groups) {
+ while (nr_funcs && funcs->num_groups) {
/* function already there */
if (strcmp(funcs->name, name) == 0) {
funcs->num_groups++;
return -EEXIST;
}
funcs++;
+ nr_funcs--;
}
+ if (!nr_funcs)
+ return -EOVERFLOW;
+
funcs->name = name;
funcs->num_groups = 1;
return 0;
@@ -501,7 +506,7 @@ static int mvebu_pinctrl_build_functions(struct platform_device *pdev,
int n, s;
/* we allocate functions for number of pins and hope
- * there are less unique functions than pins available */
+ * there are fewer unique functions than pins available */
funcs = devm_kzalloc(&pdev->dev, pctl->desc.npins *
sizeof(struct mvebu_pinctrl_function), GFP_KERNEL);
if (!funcs)
@@ -510,26 +515,26 @@ static int mvebu_pinctrl_build_functions(struct platform_device *pdev,
for (n = 0; n < pctl->num_groups; n++) {
struct mvebu_pinctrl_group *grp = &pctl->groups[n];
for (s = 0; s < grp->num_settings; s++) {
+ int ret;
+
/* skip unsupported settings on this variant */
if (pctl->variant &&
!(pctl->variant & grp->settings[s].variant))
continue;
/* check for unique functions and count groups */
- if (_add_function(funcs, grp->settings[s].name))
+ ret = _add_function(funcs, pctl->desc.npins,
+ grp->settings[s].name);
+ if (ret == -EOVERFLOW)
+ dev_err(&pdev->dev,
+ "More functions than pins(%d)\n",
+ pctl->desc.npins);
continue;
num++;
}
}
- /* with the number of unique functions and it's groups known,
- reallocate functions and assign group names */
- funcs = krealloc(funcs, num * sizeof(struct mvebu_pinctrl_function),
- GFP_KERNEL);
- if (!funcs)
- return -ENOMEM;
-
pctl->num_functions = num;
pctl->functions = funcs;
--
1.8.1.5
WARNING: multiple messages have this Message-ID (diff)
From: jason@lakedaemon.net (Jason Cooper)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] pinctrl: mvebu: prevent walking off the end of group array
Date: Wed, 13 Mar 2013 17:35:55 +0000 [thread overview]
Message-ID: <1363196155-1620-1-git-send-email-jason@lakedaemon.net> (raw)
In-Reply-To: <1362872371.3690.106.camel@shinybook.infradead.org>
From: David Woodhouse <dwmw2@infradead.org>
While investigating (ab)use of krealloc, David found this bug. It's
unlikely to occur, but now we detect the condition and error out
appropriately.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Jason Cooper <jason@lakedaemon.net>
---
David, please double check that this is as you intended. I had to hand-jam it in due to some peculiarities on my side.
drivers/pinctrl/mvebu/pinctrl-mvebu.c | 27 ++++++++++++++++-----------
1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/drivers/pinctrl/mvebu/pinctrl-mvebu.c b/drivers/pinctrl/mvebu/pinctrl-mvebu.c
index c689c04..8d8f175 100644
--- a/drivers/pinctrl/mvebu/pinctrl-mvebu.c
+++ b/drivers/pinctrl/mvebu/pinctrl-mvebu.c
@@ -478,16 +478,21 @@ static struct pinctrl_ops mvebu_pinctrl_ops = {
.dt_free_map = mvebu_pinctrl_dt_free_map,
};
-static int _add_function(struct mvebu_pinctrl_function *funcs, const char *name)
+static int _add_function(struct mvebu_pinctrl_function *funcs, nt nr_funcs,
+ const char *name)
{
- while (funcs->num_groups) {
+ while (nr_funcs && funcs->num_groups) {
/* function already there */
if (strcmp(funcs->name, name) == 0) {
funcs->num_groups++;
return -EEXIST;
}
funcs++;
+ nr_funcs--;
}
+ if (!nr_funcs)
+ return -EOVERFLOW;
+
funcs->name = name;
funcs->num_groups = 1;
return 0;
@@ -501,7 +506,7 @@ static int mvebu_pinctrl_build_functions(struct platform_device *pdev,
int n, s;
/* we allocate functions for number of pins and hope
- * there are less unique functions than pins available */
+ * there are fewer unique functions than pins available */
funcs = devm_kzalloc(&pdev->dev, pctl->desc.npins *
sizeof(struct mvebu_pinctrl_function), GFP_KERNEL);
if (!funcs)
@@ -510,26 +515,26 @@ static int mvebu_pinctrl_build_functions(struct platform_device *pdev,
for (n = 0; n < pctl->num_groups; n++) {
struct mvebu_pinctrl_group *grp = &pctl->groups[n];
for (s = 0; s < grp->num_settings; s++) {
+ int ret;
+
/* skip unsupported settings on this variant */
if (pctl->variant &&
!(pctl->variant & grp->settings[s].variant))
continue;
/* check for unique functions and count groups */
- if (_add_function(funcs, grp->settings[s].name))
+ ret = _add_function(funcs, pctl->desc.npins,
+ grp->settings[s].name);
+ if (ret == -EOVERFLOW)
+ dev_err(&pdev->dev,
+ "More functions than pins(%d)\n",
+ pctl->desc.npins);
continue;
num++;
}
}
- /* with the number of unique functions and it's groups known,
- reallocate functions and assign group names */
- funcs = krealloc(funcs, num * sizeof(struct mvebu_pinctrl_function),
- GFP_KERNEL);
- if (!funcs)
- return -ENOMEM;
-
pctl->num_functions = num;
pctl->functions = funcs;
--
1.8.1.5
next prev parent reply other threads:[~2013-03-13 17:36 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-08 15:58 memory leak and other oddness in pinctrl-mvebu.c David Woodhouse
2013-03-09 8:49 ` Sebastian Hesselbarth
2013-03-09 19:02 ` David Woodhouse
2013-03-09 19:46 ` Sebastian Hesselbarth
2013-03-09 22:53 ` Jason Cooper
2013-03-09 23:39 ` David Woodhouse
2013-03-10 0:06 ` Jason Cooper
2013-03-10 0:06 ` Jason Cooper
2013-03-13 16:59 ` Linus Walleij
2013-03-13 16:59 ` Linus Walleij
2013-03-13 17:35 ` Jason Cooper [this message]
2013-03-13 17:35 ` [PATCH] pinctrl: mvebu: prevent walking off the end of group array Jason Cooper
2013-03-13 17:47 ` Linus Walleij
2013-03-13 17:47 ` Linus Walleij
2013-03-13 17:50 ` Jason Cooper
2013-03-13 17:50 ` Jason Cooper
2013-03-13 18:40 ` Linus Walleij
2013-03-13 18:40 ` Linus Walleij
2013-03-13 17:48 ` Sebastian Hesselbarth
2013-03-13 17:48 ` Sebastian Hesselbarth
2013-03-13 17:48 ` [PATCH V2] " Jason Cooper
2013-03-13 17:48 ` Jason Cooper
2013-03-14 10:29 ` David Woodhouse
2013-03-14 10:29 ` David Woodhouse
2013-03-16 11:44 ` [PATCH v3] " Sebastian Hesselbarth
2013-03-16 11:44 ` Sebastian Hesselbarth
2013-03-22 16:39 ` Jason Cooper
2013-03-22 16:39 ` Jason Cooper
2013-03-27 22:06 ` Linus Walleij
2013-03-27 22:06 ` Linus Walleij
2013-03-27 22:11 ` Woodhouse, David
2013-03-27 22:11 ` Woodhouse, David
2013-03-27 22:34 ` Linus Walleij
2013-03-27 22:34 ` Linus Walleij
2013-03-28 11:08 ` Jason Cooper
2013-03-28 11:08 ` Jason Cooper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1363196155-1620-1-git-send-email-jason@lakedaemon.net \
--to=jason@lakedaemon.net \
--cc=David.Woodhouse@intel.com \
--cc=dwmw2@infradead.org \
--cc=ezequiel.garcia@free-electrons.com \
--cc=gregory.clement@free-electrons.com \
--cc=linus.walleij@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sebastian.hesselbarth@gmail.com \
--cc=swarren@wwwdotorg.org \
--cc=thomas.petazzoni@free-electrons.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.