2023-05-04 00:49:19

by Xiaolei Wang

Subject: [PATCH v3 0/1] pinctrl: freescale: Fix a memory out of bounds when num_configs is 1

Compared with v2, v3 simplifies the call trace log and only keeps the real
problem part.

Xiaolei Wang (1):
pinctrl: freescale: Fix a memory out of bounds when num_configs is 1

drivers/pinctrl/freescale/pinctrl-scu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--
2.25.1


2023-05-04 01:20:20

by Xiaolei Wang

Subject: [PATCH v3 1/1] pinctrl: freescale: Fix a memory out of bounds when num_configs is 1

The config passed in by pad wakeup is 1. When num_configs is 1,
configs[1] should not be obtained, which will generate the
following memory out-of-bounds situation:

BUG: KASAN: stack-out-of-bounds in imx_pinconf_set_scu+0x9c/0x160
Read of size 8 at addr ffff8000104c7558 by task sh/664
CPU: 3 PID: 664 Comm: sh Tainted: G WC 6.1.20 #1
Hardware name: Freescale i.MX8QM MEK (DT)
Call trace:
dump_backtrace.part.0+0xe0/0xf0
show_stack+0x18/0x30
dump_stack_lvl+0x64/0x80
print_report+0x154/0x458
kasan_report+0xb8/0x100
__asan_load8+0x80/0xac
imx_pinconf_set_scu+0x9c/0x160
imx_pinconf_set+0x6c/0x214
pinconf_set_config+0x68/0x90
pinctrl_gpio_set_config+0x138/0x170
gpiochip_generic_config+0x44/0x60
mxc_gpio_set_pad_wakeup+0x100/0x140

Fixes: f60c9eac54af ("gpio: mxc: enable pad wakeup on i.MX8x platforms")
Signed-off-by: Xiaolei Wang <[email protected]>
---
drivers/pinctrl/freescale/pinctrl-scu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/pinctrl/freescale/pinctrl-scu.c b/drivers/pinctrl/freescale/pinctrl-scu.c
index ea261b6e7458..3b252d684d72 100644
--- a/drivers/pinctrl/freescale/pinctrl-scu.c
+++ b/drivers/pinctrl/freescale/pinctrl-scu.c
@@ -90,7 +90,7 @@ int imx_pinconf_set_scu(struct pinctrl_dev *pctldev, unsigned pin_id,
struct imx_sc_msg_req_pad_set msg;
struct imx_sc_rpc_msg *hdr = &msg.hdr;
unsigned int mux = configs[0];
- unsigned int conf = configs[1];
+ unsigned int conf;
unsigned int val;
int ret;

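Review bot: `unsigned int mux = configs[0];` at the top of this hunk is still read at declaration, before num_configs is looked at, and `conf` is now uninitialized until it is assigned later in the function. That is correct only while every use of `conf` sits after that assignment; a one-line comment at the declaration saying `conf` is valid only on the two-config path would keep a later change from using it early, and it is worth confirming that callers never pass num_configs == 0, since configs[0] is read unconditionally.
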
@@ -115,6 +115,7 @@ int imx_pinconf_set_scu(struct pinctrl_dev *pctldev, unsigned pin_id,
* Set mux and conf together in one IPC call
*/
WARN_ON(num_configs != 2);
+ conf = configs[1];

val = conf | BM_PAD_CTL_IFMUX_ENABLE | BM_PAD_CTL_GP_ENABLE;
val |= mux << BP_PAD_CTL_IFMUX;
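Review bot: `conf = configs[1];` placed directly after `WARN_ON(num_configs != 2);` still reads past the array whenever the warning fires, because WARN_ON only reports and execution continues. Consider `if (WARN_ON(num_configs != 2)) return -EINVAL;` so that configs[1] is read only when two entries are actually present, instead of relying on earlier code to have returned for the single-config case.
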
--
2.25.1

2023-05-04 15:07:57

by Andy Shevchenko

Subject: Re: [PATCH v3 1/1] pinctrl: freescale: Fix a memory out of bounds when num_configs is 1

Thu, May 04, 2023 at 08:33:30AM +0800, Xiaolei Wang wrote:

...

The link to the documentation I added in the reply to your v1 was about
backtraces in commit messages. For a single patch there is no need to have
a cover letter.

> BUG: KASAN: stack-out-of-bounds in imx_pinconf_set_scu+0x9c/0x160
> Read of size 8 at addr ffff8000104c7558 by task sh/664
> CPU: 3 PID: 664 Comm: sh Tainted: G WC 6.1.20 #1
> Hardware name: Freescale i.MX8QM MEK (DT)
> Call trace:
> dump_backtrace.part.0+0xe0/0xf0
> show_stack+0x18/0x30
> dump_stack_lvl+0x64/0x80
> print_report+0x154/0x458
> kasan_report+0xb8/0x100
> __asan_load8+0x80/0xac
> imx_pinconf_set_scu+0x9c/0x160
> imx_pinconf_set+0x6c/0x214
> pinconf_set_config+0x68/0x90
> pinctrl_gpio_set_config+0x138/0x170
> gpiochip_generic_config+0x44/0x60
> mxc_gpio_set_pad_wakeup+0x100/0x140

This is too long a backtrace. The documentation tells you to shrink it to the
important lines only, which in this case is something like less than 10 and not
17. Hence, remove _at least_ 8 lines from the backtrace.

Codewise the proposed change is good, though.

--
With Best Regards,
Andy Shevchenko