From: ndesaulniers@google.com
To: Chen-Yu Tsai <wens@csie.org>,
Jernej Skrabec <jernej.skrabec@gmail.com>,
Samuel Holland <samuel@sholland.org>
Cc: Russell King <linux@armlinux.org.uk>,
Arnd Bergmann <arnd@arndb.de>,
linux-arm-kernel@lists.infradead.org,
linux-sunxi@lists.linux.dev, linux-kernel@vger.kernel.org,
Nick Desaulniers <ndesaulniers@google.com>
Subject: [PATCH] ARM: sunxi: fix return code check of of_property_match_string
Date: Tue, 16 May 2023 09:35:24 -0700 [thread overview]
Message-ID: <20230516-sunxi-v1-1-ac4b9651a8c1@google.com> (raw)
of_property_match_string returns an int; either an index from 0 or
greater if successful or negative on failure.
Fixes the following splat observed with UBSAN:
[ 0.166489][ T1] UBSAN: array-index-out-of-bounds in arch/arm/mach-sunxi/mc_smp.c:810:29
[ 0.166934][ T1] index 2 is out of range for type 'sunxi_mc_smp_data [2]'
[ 0.167206][ T1] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.4.0-rc2 #1
[ 0.167515][ T1] Hardware name: Generic DT based system
[ 0.167727][ T1] unwind_backtrace from show_stack+0x18/0x1c
[ 0.167979][ T1] show_stack from dump_stack_lvl+0x68/0x90
[ 0.168226][ T1] dump_stack_lvl from ubsan_epilogue+0x8/0x34
[ 0.168474][ T1] ubsan_epilogue from __ubsan_handle_out_of_bounds+0x78/0x80
[ 0.168760][ T1] __ubsan_handle_out_of_bounds from sunxi_mc_smp_init+0xe8/0x574
[ 0.169100][ T1] sunxi_mc_smp_init from do_one_initcall+0x178/0x9c8
[ 0.169364][ T1] do_one_initcall from kernel_init_freeable+0x1dc/0x28c
[ 0.169661][ T1] kernel_init_freeable from kernel_init+0x20/0x164
[ 0.169912][ T1] kernel_init from ret_from_fork+0x14/0x2c
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
---
arch/arm/mach-sunxi/mc_smp.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/arch/arm/mach-sunxi/mc_smp.c b/arch/arm/mach-sunxi/mc_smp.c
index cb63921232a6..c7635e9e36ef 100644
--- a/arch/arm/mach-sunxi/mc_smp.c
+++ b/arch/arm/mach-sunxi/mc_smp.c
@@ -782,7 +782,7 @@ static int __init sunxi_mc_smp_init(void)
struct device_node *node;
struct resource res;
void __iomem *addr;
- int i, ret;
+ int i, ret = -1;
/*
* Don't bother checking the "cpus" node, as an enable-method
@@ -803,10 +803,13 @@ static int __init sunxi_mc_smp_init(void)
for (i = 0; i < ARRAY_SIZE(sunxi_mc_smp_data); i++) {
ret = of_property_match_string(node, "enable-method",
sunxi_mc_smp_data[i].enable_method);
- if (!ret)
+ if (ret >= 0)
break;
}
+ if (ret < 0)
+ return -ENODEV;
+
is_a83t = sunxi_mc_smp_data[i].is_a83t;
of_node_put(node);
---
base-commit: f1fcbaa18b28dec10281551dfe6ed3a3ed80e3d6
change-id: 20230516-sunxi-bc9dda2d228e
Best regards,
--
Nick Desaulniers <ndesaulniers@google.com>
WARNING: multiple messages have this Message-ID (diff)
From: ndesaulniers@google.com
To: Chen-Yu Tsai <wens@csie.org>,
Jernej Skrabec <jernej.skrabec@gmail.com>,
Samuel Holland <samuel@sholland.org>
Cc: Russell King <linux@armlinux.org.uk>,
Arnd Bergmann <arnd@arndb.de>,
linux-arm-kernel@lists.infradead.org,
linux-sunxi@lists.linux.dev, linux-kernel@vger.kernel.org,
Nick Desaulniers <ndesaulniers@google.com>
Subject: [PATCH] ARM: sunxi: fix return code check of of_property_match_string
Date: Tue, 16 May 2023 09:35:24 -0700 [thread overview]
Message-ID: <20230516-sunxi-v1-1-ac4b9651a8c1@google.com> (raw)
of_property_match_string returns an int; either an index from 0 or
greater if successful or negative on failure.
Fixes the following splat observed with UBSAN:
[ 0.166489][ T1] UBSAN: array-index-out-of-bounds in arch/arm/mach-sunxi/mc_smp.c:810:29
[ 0.166934][ T1] index 2 is out of range for type 'sunxi_mc_smp_data [2]'
[ 0.167206][ T1] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.4.0-rc2 #1
[ 0.167515][ T1] Hardware name: Generic DT based system
[ 0.167727][ T1] unwind_backtrace from show_stack+0x18/0x1c
[ 0.167979][ T1] show_stack from dump_stack_lvl+0x68/0x90
[ 0.168226][ T1] dump_stack_lvl from ubsan_epilogue+0x8/0x34
[ 0.168474][ T1] ubsan_epilogue from __ubsan_handle_out_of_bounds+0x78/0x80
[ 0.168760][ T1] __ubsan_handle_out_of_bounds from sunxi_mc_smp_init+0xe8/0x574
[ 0.169100][ T1] sunxi_mc_smp_init from do_one_initcall+0x178/0x9c8
[ 0.169364][ T1] do_one_initcall from kernel_init_freeable+0x1dc/0x28c
[ 0.169661][ T1] kernel_init_freeable from kernel_init+0x20/0x164
[ 0.169912][ T1] kernel_init from ret_from_fork+0x14/0x2c
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
---
arch/arm/mach-sunxi/mc_smp.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/arch/arm/mach-sunxi/mc_smp.c b/arch/arm/mach-sunxi/mc_smp.c
index cb63921232a6..c7635e9e36ef 100644
--- a/arch/arm/mach-sunxi/mc_smp.c
+++ b/arch/arm/mach-sunxi/mc_smp.c
@@ -782,7 +782,7 @@ static int __init sunxi_mc_smp_init(void)
struct device_node *node;
struct resource res;
void __iomem *addr;
- int i, ret;
+ int i, ret = -1;
/*
* Don't bother checking the "cpus" node, as an enable-method
@@ -803,10 +803,13 @@ static int __init sunxi_mc_smp_init(void)
for (i = 0; i < ARRAY_SIZE(sunxi_mc_smp_data); i++) {
ret = of_property_match_string(node, "enable-method",
sunxi_mc_smp_data[i].enable_method);
- if (!ret)
+ if (ret >= 0)
break;
}
+ if (ret < 0)
+ return -ENODEV;
+
is_a83t = sunxi_mc_smp_data[i].is_a83t;
of_node_put(node);
---
base-commit: f1fcbaa18b28dec10281551dfe6ed3a3ed80e3d6
change-id: 20230516-sunxi-bc9dda2d228e
Best regards,
--
Nick Desaulniers <ndesaulniers@google.com>
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next reply other threads:[~2023-05-16 16:35 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-16 16:35 ndesaulniers [this message]
2023-05-16 16:35 ` [PATCH] ARM: sunxi: fix return code check of of_property_match_string ndesaulniers
2023-05-16 18:34 ` Florian Fainelli
2023-05-16 18:34 ` Florian Fainelli
2023-05-22 19:55 ` Nick Desaulniers
2023-05-22 19:55 ` Nick Desaulniers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230516-sunxi-v1-1-ac4b9651a8c1@google.com \
--to=ndesaulniers@google.com \
--cc=arnd@arndb.de \
--cc=jernej.skrabec@gmail.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sunxi@lists.linux.dev \
--cc=linux@armlinux.org.uk \
--cc=samuel@sholland.org \
--cc=wens@csie.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.