Message ID | 20230503012127.4157304-1-xiaolei.wang@windriver.com |
---|---|
State | Superseded |
Headers | show |
Series | [v2] pinctrl: freescale: Fix a memory out of bounds when num_configs is 1 | expand |
Wed, May 03, 2023 at 09:21:27AM +0800, Xiaolei Wang kirjoitti: > The config passed in by pad wakeup is 1, When num_configs is 1, > configs[1] should not be obtained, which will generate the > following memory out-of-bounds situation: > > BUG: KASAN: stack out of bounds in imx_pinconf_set_scu+0x9c/0x160 > Read size 8 at address ffff8000104c7558 by task sh/664 > CPU: 3 PID: 664 Communication: sh Tainted: G WC 6.1.20 #1 > Hardware name: Freescale i.MX8QM MEK (DT) > Call trace: > dump_backtrace.part.0+0xe0/0xf0 > show stack+0x18/0x30 > dump_stack_lvl+0x64/0x80 > print report +0x154/0x458 > kasan_report+0xb8/0x100 > __asan_load8+0x80/0xac > imx_pinconf_set_scu+0x9c/0x160 > imx_pinconf_set+0x6c/0x214 > pinconf_set_config+0x68/0x90 > pinctrl_gpio_set_config+0x138/0x170 > gpiochip_generic_config+0x44/0x60 > mxc_gpio_set_pad_wakeup+0x100/0x140 > mxc_gpio_noirq_suspend+0x50/0x74 > pm_generic_suspend_noirq+0x4c/0x70 > genpd_finish_suspend+0x174/0x260 > genpd_suspend_noirq+0x14/0x20 > dpm_run_callback.constprop.0+0x48/0xec > __device_suspend_noirq+0x1a8/0x370 > dpm_noirq_suspend_devices+0x1cc/0x320 > dpm_suspend_noirq+0x7c/0x11c > suspend_devices_and_enter+0x27c/0x760 > pm_suspend+0x36c/0x3e0 I have already pointed out to the documentation in which you may find what to do to make above better. > Fixes: f60c9eac54af ("gpio: mxc: enable pad wakeup on i.MX8x platforms") > Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com> > --- Where is the changelog?
diff --git a/drivers/pinctrl/freescale/pinctrl-scu.c b/drivers/pinctrl/freescale/pinctrl-scu.c index ea261b6e7458..3b252d684d72 100644 --- a/drivers/pinctrl/freescale/pinctrl-scu.c +++ b/drivers/pinctrl/freescale/pinctrl-scu.c @@ -90,7 +90,7 @@ int imx_pinconf_set_scu(struct pinctrl_dev *pctldev, unsigned pin_id, struct imx_sc_msg_req_pad_set msg; struct imx_sc_rpc_msg *hdr = &msg.hdr; unsigned int mux = configs[0]; - unsigned int conf = configs[1]; + unsigned int conf; unsigned int val; int ret; @@ -115,6 +115,7 @@ int imx_pinconf_set_scu(struct pinctrl_dev *pctldev, unsigned pin_id, * Set mux and conf together in one IPC call */ WARN_ON(num_configs != 2); + conf = configs[1]; val = conf | BM_PAD_CTL_IFMUX_ENABLE | BM_PAD_CTL_GP_ENABLE; val |= mux << BP_PAD_CTL_IFMUX;
The config passed in by pad wakeup is 1, When num_configs is 1, configs[1] should not be obtained, which will generate the following memory out-of-bounds situation: BUG: KASAN: stack out of bounds in imx_pinconf_set_scu+0x9c/0x160 Read size 8 at address ffff8000104c7558 by task sh/664 CPU: 3 PID: 664 Communication: sh Tainted: G WC 6.1.20 #1 Hardware name: Freescale i.MX8QM MEK (DT) Call trace: dump_backtrace.part.0+0xe0/0xf0 show stack+0x18/0x30 dump_stack_lvl+0x64/0x80 print report +0x154/0x458 kasan_report+0xb8/0x100 __asan_load8+0x80/0xac imx_pinconf_set_scu+0x9c/0x160 imx_pinconf_set+0x6c/0x214 pinconf_set_config+0x68/0x90 pinctrl_gpio_set_config+0x138/0x170 gpiochip_generic_config+0x44/0x60 mxc_gpio_set_pad_wakeup+0x100/0x140 mxc_gpio_noirq_suspend+0x50/0x74 pm_generic_suspend_noirq+0x4c/0x70 genpd_finish_suspend+0x174/0x260 genpd_suspend_noirq+0x14/0x20 dpm_run_callback.constprop.0+0x48/0xec __device_suspend_noirq+0x1a8/0x370 dpm_noirq_suspend_devices+0x1cc/0x320 dpm_suspend_noirq+0x7c/0x11c suspend_devices_and_enter+0x27c/0x760 pm_suspend+0x36c/0x3e0 Fixes: f60c9eac54af ("gpio: mxc: enable pad wakeup on i.MX8x platforms") Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com> --- drivers/pinctrl/freescale/pinctrl-scu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)