mirror-linux/drivers
Andrey Skvortsov a7d172252b clk: Fix slab-out-of-bounds error in devm_clk_release()
commit 66fbfb35da upstream.

Problem can be reproduced by unloading snd_soc_simple_card, because in
devm_get_clk_from_child() devres data is allocated as `struct clk`, but
devm_clk_release() expects devres data to be `struct devm_clk_state`.

KASAN report:
 ==================================================================
 BUG: KASAN: slab-out-of-bounds in devm_clk_release+0x20/0x54
 Read of size 8 at addr ffffff800ee09688 by task (udev-worker)/287

 Call trace:
  dump_backtrace+0xe8/0x11c
  show_stack+0x1c/0x30
  dump_stack_lvl+0x60/0x78
  print_report+0x150/0x450
  kasan_report+0xa8/0xf0
  __asan_load8+0x78/0xa0
  devm_clk_release+0x20/0x54
  release_nodes+0x84/0x120
  devres_release_all+0x144/0x210
  device_unbind_cleanup+0x1c/0xac
  really_probe+0x2f0/0x5b0
  __driver_probe_device+0xc0/0x1f0
  driver_probe_device+0x68/0x120
  __driver_attach+0x140/0x294
  bus_for_each_dev+0xec/0x160
  driver_attach+0x38/0x44
  bus_add_driver+0x24c/0x300
  driver_register+0xf0/0x210
  __platform_driver_register+0x48/0x54
  asoc_simple_card_init+0x24/0x1000 [snd_soc_simple_card]
  do_one_initcall+0xac/0x340
  do_init_module+0xd0/0x300
  load_module+0x2ba4/0x3100
  __do_sys_init_module+0x2c8/0x300
  __arm64_sys_init_module+0x48/0x5c
  invoke_syscall+0x64/0x190
  el0_svc_common.constprop.0+0x124/0x154
  do_el0_svc+0x44/0xdc
  el0_svc+0x14/0x50
  el0t_64_sync_handler+0xec/0x11c
  el0t_64_sync+0x14c/0x150

 Allocated by task 287:
  kasan_save_stack+0x38/0x60
  kasan_set_track+0x28/0x40
  kasan_save_alloc_info+0x20/0x30
  __kasan_kmalloc+0xac/0xb0
  __kmalloc_node_track_caller+0x6c/0x1c4
  __devres_alloc_node+0x44/0xb4
  devm_get_clk_from_child+0x44/0xa0
  asoc_simple_parse_clk+0x1b8/0x1dc [snd_soc_simple_card_utils]
  simple_parse_node.isra.0+0x1ec/0x230 [snd_soc_simple_card]
  simple_dai_link_of+0x1bc/0x334 [snd_soc_simple_card]
  __simple_for_each_link+0x2ec/0x320 [snd_soc_simple_card]
  asoc_simple_probe+0x468/0x4dc [snd_soc_simple_card]
  platform_probe+0x90/0xf0
  really_probe+0x118/0x5b0
  __driver_probe_device+0xc0/0x1f0
  driver_probe_device+0x68/0x120
  __driver_attach+0x140/0x294
  bus_for_each_dev+0xec/0x160
  driver_attach+0x38/0x44
  bus_add_driver+0x24c/0x300
  driver_register+0xf0/0x210
  __platform_driver_register+0x48/0x54
  asoc_simple_card_init+0x24/0x1000 [snd_soc_simple_card]
  do_one_initcall+0xac/0x340
  do_init_module+0xd0/0x300
  load_module+0x2ba4/0x3100
  __do_sys_init_module+0x2c8/0x300
  __arm64_sys_init_module+0x48/0x5c
  invoke_syscall+0x64/0x190
  el0_svc_common.constprop.0+0x124/0x154
  do_el0_svc+0x44/0xdc
  el0_svc+0x14/0x50
  el0t_64_sync_handler+0xec/0x11c
  el0t_64_sync+0x14c/0x150

 The buggy address belongs to the object at ffffff800ee09600
  which belongs to the cache kmalloc-256 of size 256
 The buggy address is located 136 bytes inside of
  256-byte region [ffffff800ee09600, ffffff800ee09700)

 The buggy address belongs to the physical page:
 page:000000002d97303b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ee08
 head:000000002d97303b order:1 compound_mapcount:0 compound_pincount:0
 flags: 0x10200(slab|head|zone=0)
 raw: 0000000000010200 0000000000000000 dead000000000122 ffffff8002c02480
 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffffff800ee09580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffffff800ee09600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 >ffffff800ee09680: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                       ^
  ffffff800ee09700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffffff800ee09780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ==================================================================

Fixes: abae8e57e4 ("clk: generalize devm_clk_get() a bit")
Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Link: https://lore.kernel.org/r/20230805084847.3110586-1-andrej.skvortzov@gmail.com
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-08-30 16:11:06 +02:00
accessibility
acpi ACPI: scan: Create platform device for CS35L56 2023-08-16 18:27:31 +02:00
amba
android binder: fix memory leak in binder_init() 2023-08-16 18:27:24 +02:00
ata ata: pata_ns87415: mark ns87560_tf_read static 2023-08-03 10:24:07 +02:00
atm
auxdisplay
base x86/srso: Add a Speculative RAS Overflow mitigation 2023-08-08 20:03:50 +02:00
bcma
block rbd: prevent busy loop when requesting exclusive lock 2023-08-11 12:08:21 +02:00
bluetooth Bluetooth: btusb: Add MT7922 bluetooth ID for the Asus Ally 2023-08-23 17:52:25 +02:00
bus bus: ti-sysc: Flush posted write on enable before reset 2023-08-23 17:52:36 +02:00
cdrom
char tpm: Add a helper for checking hwrng enabled 2023-08-16 18:27:20 +02:00
clk clk: Fix slab-out-of-bounds error in devm_clk_release() 2023-08-30 16:11:06 +02:00
clocksource clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe 2023-07-19 16:20:59 +02:00
comedi
connector
counter
cpufreq cpufreq: intel_pstate: Drop ACPI _PSS states table patching 2023-08-03 10:24:18 +02:00
cpuidle cpuidle: psci: Move enabling OSI mode after power domains creation 2023-08-23 17:52:17 +02:00
crypto crypto: qat - unmap buffers before free for RSA 2023-07-19 16:21:42 +02:00
cxl cxl/acpi: Return 'rc' instead of '0' in cxl_parse_cfmws() 2023-08-03 10:24:04 +02:00
dax dax/kmem: Pass valid argument to memory_group_register_static 2023-07-19 16:21:43 +02:00
dca
devfreq
dio
dma dmaengine: owl-dma: Modify mismatched function name 2023-08-16 18:27:28 +02:00
dma-buf dma-buf: fix an error pointer vs NULL bug 2023-08-03 10:24:19 +02:00
edac EDAC/qcom: Get rid of hardcoded register offsets 2023-06-21 16:00:51 +02:00
eisa
extcon extcon: usbc-tusb320: Unregister typec port on driver removal 2023-07-19 16:22:08 +02:00
firewire firewire: net: fix use after free in fwnet_finish_incoming_packet() 2023-08-23 17:52:24 +02:00
firmware firmware: arm_scmi: Drop OF node reference in the transport channel setup 2023-08-11 12:08:19 +02:00
fpga
fsi
gnss
gpio gpio: sim: mark the GPIO chip as a one that can sleep 2023-08-16 18:27:29 +02:00
gpu drm/i915/gt: Support aux invalidation on all engines 2023-08-30 16:10:59 +02:00
greybus
hid HID: intel-ish-hid: ipc: Add Arrow Lake PCI device ID 2023-08-23 17:52:22 +02:00
hsi
hte
hv Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs 2023-06-28 11:12:23 +02:00
hwmon hwmon: (pmbus/bel-pfe) Enable PMBUS_SKIP_STATUS_CHECK for pfe1100 2023-08-16 18:27:22 +02:00
hwspinlock
hwtracing hwtracing: hisi_ptt: Fix potential sleep in atomic context 2023-07-19 16:21:58 +02:00
i2c i2c: designware: Handle invalid SMBus block data response length value 2023-08-23 17:52:31 +02:00
i3c i3c: master: svc: fix cpu schedule in spin lock 2023-07-19 16:21:54 +02:00
idle
iio iio: core: Prevent invalid memory access when there is no parent 2023-08-16 18:27:25 +02:00
infiniband RDMA/mlx5: Return the firmware result upon destroying QP/RQ 2023-08-23 17:52:21 +02:00
input Input: pm8941-powerkey - fix debounce on gen2+ PMICs 2023-07-19 16:21:26 +02:00
interconnect interconnect: qcom: sm8450: add enable_mask for bcm nodes 2023-08-16 18:27:25 +02:00
iommu iommu/amd: Introduce Disable IRTE Caching Support 2023-08-23 17:52:21 +02:00
ipack
irqchip irqchip/gic-v4.1: Properly lock VPEs when doing a directLPI invalidation 2023-08-03 10:24:14 +02:00
isdn mISDN: Update parameter type of dsp_cmx_send() 2023-08-16 18:27:26 +02:00
leds led: qcom-lpg: Fix resource leaks in for_each_available_child_of_node() loops 2023-08-23 17:52:23 +02:00
macintosh
mailbox mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 2023-07-19 16:22:03 +02:00
mcb
md dm cache policy smq: ensure IO doesn't prevent cleaner policy progress 2023-08-03 10:24:17 +02:00
media media: platform: mediatek: vpu: fix NULL ptr dereference 2023-08-23 17:52:23 +02:00
memory memory: brcmstb_dpfe: fix testing array offset after use 2023-07-19 16:21:24 +02:00
memstick memstick r592: make memstick_debug_get_tpc_name() static 2023-07-19 16:21:08 +02:00
message
mfd mfd: pm8008: Fix module autoloading 2023-07-23 13:49:37 +02:00
misc accel/habanalabs: add pci health check during heartbeat 2023-08-23 17:52:21 +02:00
mmc mmc: f-sdh30: fix order of function calls in sdhci_f_sdh30_remove 2023-08-23 17:52:42 +02:00
most
mtd mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op() 2023-08-11 12:08:25 +02:00
mux
net ibmveth: Use dcbf rather than dcbfl 2023-08-30 16:11:05 +02:00
nfc nfcsim.c: Fix error checking for debugfs_create_dir 2023-06-28 11:12:36 +02:00
ntb NTB: ntb_tool: Add check for devm_kcalloc 2023-07-23 13:49:24 +02:00
nubus nubus: Partially revert proc_create_single_data() conversion 2023-07-05 18:27:37 +01:00
nvdimm
nvme nvme-rdma: fix potential unbalanced freeze & unfreeze 2023-08-16 18:27:30 +02:00
nvmem nvmem: rmem: Use NVMEM_DEVID_AUTO 2023-07-19 16:21:57 +02:00
of of: Preserve "of-display" device name for compatibility 2023-07-27 08:50:26 +02:00
opp opp: Fix use-after-free in lazy_opp_tables after probe deferral 2023-07-23 13:49:42 +02:00
parisc
parport
pci PCI: acpiphp: Reassign resources on bridge if necessary 2023-08-30 16:10:58 +02:00
pcmcia pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() 2023-08-23 17:52:24 +02:00
peci
perf perf: RISC-V: Remove PERF_HES_STOPPED flag checking in riscv_pmu_start() 2023-07-23 13:49:44 +02:00
phy phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe() 2023-08-03 10:23:59 +02:00
pinctrl pinctrl: renesas: rzg2l: Handle non-unique subnode names 2023-07-27 08:50:38 +02:00
platform platform/x86: ideapad-laptop: Add support for new hotkeys found on ThinkBook 14s Yoga ITL 2023-08-30 16:11:05 +02:00
pnp
power power: supply: Fix logic checking if system is running from battery 2023-06-21 16:00:52 +02:00
powercap powercap: RAPL: Fix CONFIG_IOSF_MBI dependency 2023-07-19 16:21:00 +02:00
pps
ps3
ptp
pwm pwm: meson: fix handling of period/duty if greater than UINT_MAX 2023-07-23 13:49:46 +02:00
rapidio
ras
regulator regulator: tps65219: Fix matching interrupts for their regulators 2023-07-19 16:22:14 +02:00
remoteproc
reset
rpmsg
rtc rtc: st-lpc: Release some resources in st_rtc_probe() in case of error 2023-07-19 16:21:59 +02:00
s390 s390/zcrypt: fix reply buffer calculations for CCA replies 2023-08-30 16:10:59 +02:00
sbus
scsi scsi: qedf: Fix firmware halt over suspend and resume 2023-08-16 18:27:31 +02:00
sh
siox
slimbus
soc soc: aspeed: socinfo: Add kfree for kstrdup 2023-08-23 17:52:38 +02:00
soundwire soundwire: fix enumeration completion 2023-08-03 10:24:15 +02:00
spi spi: dw: Remove misleading comment for Mount Evans SoC 2023-07-27 08:50:50 +02:00
spmi
ssb
staging staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() 2023-08-03 10:24:12 +02:00
target scsi: target: iscsi: Prevent login threads from racing between each other 2023-06-28 11:12:35 +02:00
tc
tee tee: amdtee: Add return_origin to 'struct tee_cmd_load_ta' 2023-06-14 11:15:28 +02:00
thermal thermal/drivers/sun8i: Fix some error handling paths in sun8i_ths_probe() 2023-07-19 16:21:01 +02:00
thunderbolt thunderbolt: Limit Intel Barlow Ridge USB3 bandwidth 2023-08-23 17:52:24 +02:00
tty serial: 8250: Fix oops for port->pm on uart_change_pm() 2023-08-23 17:52:38 +02:00
ufs scsi: ufs: renesas: Fix private allocation 2023-08-16 18:27:30 +02:00
uio
usb usb: chipidea: imx: add missing USB PHY DPDM wakeup setting 2023-08-23 17:52:24 +02:00
vdpa vdpa: Enable strict validation for netlinks ops 2023-08-23 17:52:31 +02:00
vfio vfio/mdev: Move the compat_class initialization to module init 2023-07-19 16:21:41 +02:00
vhost vhost_net: revert upend_idx only on retriable error 2023-06-28 11:12:40 +02:00
video video/aperture: Move vga handling to pci function 2023-08-30 16:10:58 +02:00
virt virt: sevguest: Add CONFIG_CRYPTO dependency 2023-07-19 16:20:55 +02:00
virtio virtio-mmio: don't break lifecycle of vm_dev 2023-08-23 17:52:29 +02:00
vlynq
w1 w1: fix loop in w1_fini() 2023-07-19 16:21:48 +02:00
watchdog watchdog: sp5100_tco: support Hygon FCH/SCH (Server Controller Hub) 2023-08-23 17:52:25 +02:00
xen xen: speed up grant-table reclaim 2023-08-03 10:24:14 +02:00
zorro
Kconfig
Makefile