From: Jason Cooper <jason@lakedaemon.net> To: David Woodhouse <dwmw2@infradead.org>, Linus Walleij <linus.walleij@linaro.org> Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>, Thomas Petazzoni <thomas.petazzoni@free-electrons.com>, Stephen Warren <swarren@wwwdotorg.org>, linux-kernel@vger.kernel.org, Gregory CLEMENT <gregory.clement@free-electrons.com>, Ezequiel Garcia <ezequiel.garcia@free-electrons.com>, Linux ARM Kernel <linux-arm-kernel@lists.infradead.org>, David Woodhouse <David.Woodhouse@intel.com>, Jason Cooper <jason@lakedaemon.net> Subject: [PATCH] pinctrl: mvebu: prevent walking off the end of group array Date: Wed, 13 Mar 2013 17:35:55 +0000 [thread overview] Message-ID: <1363196155-1620-1-git-send-email-jason@lakedaemon.net> (raw) In-Reply-To: <1362872371.3690.106.camel@shinybook.infradead.org> From: David Woodhouse <dwmw2@infradead.org> While investigating (ab)use of krealloc, David found this bug. It's unlikely to occur, but now we detect the condition and error out appropriately. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: Jason Cooper <jason@lakedaemon.net> --- David, please double check that this is as you intended. I had to hand-jam it in due to some peculiarities on my side. drivers/pinctrl/mvebu/pinctrl-mvebu.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/drivers/pinctrl/mvebu/pinctrl-mvebu.c b/drivers/pinctrl/mvebu/pinctrl-mvebu.c index c689c04..8d8f175 100644 --- a/drivers/pinctrl/mvebu/pinctrl-mvebu.c +++ b/drivers/pinctrl/mvebu/pinctrl-mvebu.c @@ -478,16 +478,21 @@ static struct pinctrl_ops mvebu_pinctrl_ops = { .dt_free_map = mvebu_pinctrl_dt_free_map, }; -static int _add_function(struct mvebu_pinctrl_function *funcs, const char *name) +static int _add_function(struct mvebu_pinctrl_function *funcs, nt nr_funcs, + const char *name) { - while (funcs->num_groups) { + while (nr_funcs && funcs->num_groups) { /* function already there */ if (strcmp(funcs->name, name) == 0) { funcs->num_groups++; return -EEXIST; } funcs++; + nr_funcs--; } + if (!nr_funcs) + return -EOVERFLOW; + funcs->name = name; funcs->num_groups = 1; return 0; @@ -501,7 +506,7 @@ static int mvebu_pinctrl_build_functions(struct platform_device *pdev, int n, s; /* we allocate functions for number of pins and hope - * there are less unique functions than pins available */ + * there are fewer unique functions than pins available */ funcs = devm_kzalloc(&pdev->dev, pctl->desc.npins * sizeof(struct mvebu_pinctrl_function), GFP_KERNEL); if (!funcs) @@ -510,26 +515,26 @@ static int mvebu_pinctrl_build_functions(struct platform_device *pdev, for (n = 0; n < pctl->num_groups; n++) { struct mvebu_pinctrl_group *grp = &pctl->groups[n]; for (s = 0; s < grp->num_settings; s++) { + int ret; + /* skip unsupported settings on this variant */ if (pctl->variant && !(pctl->variant & grp->settings[s].variant)) continue; /* check for unique functions and count groups */ - if (_add_function(funcs, grp->settings[s].name)) + ret = _add_function(funcs, pctl->desc.npins, + grp->settings[s].name); + if (ret == -EOVERFLOW) + dev_err(&pdev->dev, + "More functions than pins(%d)\n", + pctl->desc.npins); continue; num++; } } - /* with the number of unique functions and it's groups known, - reallocate functions and assign group names */ - funcs = krealloc(funcs, num * sizeof(struct mvebu_pinctrl_function), - GFP_KERNEL); - if (!funcs) - return -ENOMEM; - pctl->num_functions = num; pctl->functions = funcs; -- 1.8.1.5
WARNING: multiple messages have this Message-ID (diff)
From: jason@lakedaemon.net (Jason Cooper) To: linux-arm-kernel@lists.infradead.org Subject: [PATCH] pinctrl: mvebu: prevent walking off the end of group array Date: Wed, 13 Mar 2013 17:35:55 +0000 [thread overview] Message-ID: <1363196155-1620-1-git-send-email-jason@lakedaemon.net> (raw) In-Reply-To: <1362872371.3690.106.camel@shinybook.infradead.org> From: David Woodhouse <dwmw2@infradead.org> While investigating (ab)use of krealloc, David found this bug. It's unlikely to occur, but now we detect the condition and error out appropriately. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: Jason Cooper <jason@lakedaemon.net> --- David, please double check that this is as you intended. I had to hand-jam it in due to some peculiarities on my side. drivers/pinctrl/mvebu/pinctrl-mvebu.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/drivers/pinctrl/mvebu/pinctrl-mvebu.c b/drivers/pinctrl/mvebu/pinctrl-mvebu.c index c689c04..8d8f175 100644 --- a/drivers/pinctrl/mvebu/pinctrl-mvebu.c +++ b/drivers/pinctrl/mvebu/pinctrl-mvebu.c @@ -478,16 +478,21 @@ static struct pinctrl_ops mvebu_pinctrl_ops = { .dt_free_map = mvebu_pinctrl_dt_free_map, }; -static int _add_function(struct mvebu_pinctrl_function *funcs, const char *name) +static int _add_function(struct mvebu_pinctrl_function *funcs, nt nr_funcs, + const char *name) { - while (funcs->num_groups) { + while (nr_funcs && funcs->num_groups) { /* function already there */ if (strcmp(funcs->name, name) == 0) { funcs->num_groups++; return -EEXIST; } funcs++; + nr_funcs--; } + if (!nr_funcs) + return -EOVERFLOW; + funcs->name = name; funcs->num_groups = 1; return 0; @@ -501,7 +506,7 @@ static int mvebu_pinctrl_build_functions(struct platform_device *pdev, int n, s; /* we allocate functions for number of pins and hope - * there are less unique functions than pins available */ + * there are fewer unique functions than pins available */ funcs = devm_kzalloc(&pdev->dev, pctl->desc.npins * sizeof(struct mvebu_pinctrl_function), GFP_KERNEL); if (!funcs) @@ -510,26 +515,26 @@ static int mvebu_pinctrl_build_functions(struct platform_device *pdev, for (n = 0; n < pctl->num_groups; n++) { struct mvebu_pinctrl_group *grp = &pctl->groups[n]; for (s = 0; s < grp->num_settings; s++) { + int ret; + /* skip unsupported settings on this variant */ if (pctl->variant && !(pctl->variant & grp->settings[s].variant)) continue; /* check for unique functions and count groups */ - if (_add_function(funcs, grp->settings[s].name)) + ret = _add_function(funcs, pctl->desc.npins, + grp->settings[s].name); + if (ret == -EOVERFLOW) + dev_err(&pdev->dev, + "More functions than pins(%d)\n", + pctl->desc.npins); continue; num++; } } - /* with the number of unique functions and it's groups known, - reallocate functions and assign group names */ - funcs = krealloc(funcs, num * sizeof(struct mvebu_pinctrl_function), - GFP_KERNEL); - if (!funcs) - return -ENOMEM; - pctl->num_functions = num; pctl->functions = funcs; -- 1.8.1.5
next prev parent reply other threads:[~2013-03-13 17:36 UTC|newest] Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top 2013-03-08 15:58 memory leak and other oddness in pinctrl-mvebu.c David Woodhouse 2013-03-09 8:49 ` Sebastian Hesselbarth 2013-03-09 19:02 ` David Woodhouse 2013-03-09 19:46 ` Sebastian Hesselbarth 2013-03-09 22:53 ` Jason Cooper 2013-03-09 23:39 ` David Woodhouse 2013-03-10 0:06 ` Jason Cooper 2013-03-10 0:06 ` Jason Cooper 2013-03-13 16:59 ` Linus Walleij 2013-03-13 16:59 ` Linus Walleij 2013-03-13 17:35 ` Jason Cooper [this message] 2013-03-13 17:35 ` [PATCH] pinctrl: mvebu: prevent walking off the end of group array Jason Cooper 2013-03-13 17:47 ` Linus Walleij 2013-03-13 17:47 ` Linus Walleij 2013-03-13 17:50 ` Jason Cooper 2013-03-13 17:50 ` Jason Cooper 2013-03-13 18:40 ` Linus Walleij 2013-03-13 18:40 ` Linus Walleij 2013-03-13 17:48 ` Sebastian Hesselbarth 2013-03-13 17:48 ` Sebastian Hesselbarth 2013-03-13 17:48 ` [PATCH V2] " Jason Cooper 2013-03-13 17:48 ` Jason Cooper 2013-03-14 10:29 ` David Woodhouse 2013-03-14 10:29 ` David Woodhouse 2013-03-16 11:44 ` [PATCH v3] " Sebastian Hesselbarth 2013-03-16 11:44 ` Sebastian Hesselbarth 2013-03-22 16:39 ` Jason Cooper 2013-03-22 16:39 ` Jason Cooper 2013-03-27 22:06 ` Linus Walleij 2013-03-27 22:06 ` Linus Walleij 2013-03-27 22:11 ` Woodhouse, David 2013-03-27 22:11 ` Woodhouse, David 2013-03-27 22:34 ` Linus Walleij 2013-03-27 22:34 ` Linus Walleij 2013-03-28 11:08 ` Jason Cooper 2013-03-28 11:08 ` Jason Cooper
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1363196155-1620-1-git-send-email-jason@lakedaemon.net \ --to=jason@lakedaemon.net \ --cc=David.Woodhouse@intel.com \ --cc=dwmw2@infradead.org \ --cc=ezequiel.garcia@free-electrons.com \ --cc=gregory.clement@free-electrons.com \ --cc=linus.walleij@linaro.org \ --cc=linux-arm-kernel@lists.infradead.org \ --cc=linux-kernel@vger.kernel.org \ --cc=sebastian.hesselbarth@gmail.com \ --cc=swarren@wwwdotorg.org \ --cc=thomas.petazzoni@free-electrons.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.