Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp2456883imd; Fri, 2 Nov 2018 11:43:39 -0700 (PDT) X-Google-Smtp-Source: AJdET5fujd4vWrh3Z1nEXTzFPSgos6mY1pCkyRBhZOzuSheu/gSLEAmgfBXUeeL5wU7mN8f2+eaR X-Received: by 2002:a17:902:8eca:: with SMTP id x10-v6mr12790100plo.336.1541184219576; Fri, 02 Nov 2018 11:43:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1541184219; cv=none; d=google.com; s=arc-20160816; b=jZZDiMxNU2gPWabIQNVNUYRTk2bpAdfgNehfr+4vLRNHXwOCEuqwTgqshbWZShCkb6 NkqUc/Yb848FZs5HGcFdeM/7D2aM/pFJkkoWVdocO78i2lr/A5ygB1UlkIGuyYRBOCOr VrPjIsOKEfqhZPqQ+ISuXzzJ+a5KvvXY2hWJjX2a+Ku/5HA+1Tv//mKP2OqIHZ1eY2TP 4MNh/l2YyJNLRWYwc1HqxrFRGgR27T/9PiRRpsn8LTF4f17ei9MNCj2O63GN49KIV/Ki 1kLkL2anEKDDJDfNJ4xZg/GnWZTQ30aVsodsVpdQbeKLPn7zfKVG+jsFCtuTsqkywoJj XIGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=97XAl7Q/ks4Zts5phrGCZMJjw7iJOC/QCqYM5ERnvdI=; b=B0oU0HzMw8sqfdRpK8un1sIUbU6eDh8i71jH4MuWi5PrNCNaLzUnkjtynk6D52wCH3 f9+KLzExu8hroMdLmFVZv2geQ+aK/rmW2wVZ4pjT9pYhAKMFMDyvpQjhoDN+shr3TpUK uMrDLJwG9bQ/BSMk1WRyUm2nEyPfEVdcNs2rWp9R4jxWOy/5JPcRj07xQrH6CRl0gSWm 32SJDfdI5tU0lxk+r3Bq51xVyMyNpAINmLIpvbAKGzIR+uizRV9+K4095Ks2lhU5hu5X 7jKS10DMOBL6fUfKuf51T8ULa3zVeA2XQVXrDlli1F2c3qFOotwcRFygunUAVxFZupeu 7ing== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="PDCL/oR/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 31-v6si7217057plk.397.2018.11.02.11.43.25; Fri, 02 Nov 2018 11:43:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="PDCL/oR/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729006AbeKCDuc (ORCPT + 99 others); Fri, 2 Nov 2018 23:50:32 -0400 Received: from mail.kernel.org ([198.145.29.99]:45568 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728033AbeKCDuc (ORCPT ); Fri, 2 Nov 2018 23:50:32 -0400 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CFFD120847; Fri, 2 Nov 2018 18:42:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541184139; bh=useNEBlnSyPDuFcxlgutFp/7Sqs9+3TG8NHPs8EfRl4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PDCL/oR/myVKTf8sfeUXF5AuyWCt0KCCSbNzEUL13xThSqi6qRRGDBawI97ldv3rZ B2joWhN1HLKmEJ7tYMaI7HCW1FVwD2FHW2cddiXr0reLj1X7+3zbEc6Ah5Z5JrF1Yw u2YMJhC9KDHu1/Ow+mNO7rGms/M2Ei4XwLSng500= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Evan Green , Thierry Reding , Grygorii Strashko , Stephen Boyd , Linus Walleij , Sasha Levin Subject: [PATCH 4.18 091/150] gpio: Assign gpio_irq_chip::parents to non-stack pointer Date: Fri, 2 Nov 2018 19:34:13 +0100 Message-Id: <20181102182909.816176244@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181102182902.250560510@linuxfoundation.org> References: <20181102182902.250560510@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.18-stable review patch. If anyone has any objections, please let me know. ------------------ [ Upstream commit 3e779a2e7f909015f21428b66834127496110b6d ] gpiochip_set_cascaded_irqchip() is passed 'parent_irq' as an argument and then the address of that argument is assigned to the gpio chips gpio_irq_chip 'parents' pointer shortly thereafter. This can't ever work, because we've just assigned some stack address to a pointer that we plan to dereference later in gpiochip_irq_map(). I ran into this issue with the KASAN report below when gpiochip_irq_map() tried to setup the parent irq with a total junk pointer for the 'parents' array. BUG: KASAN: stack-out-of-bounds in gpiochip_irq_map+0x228/0x248 Read of size 4 at addr ffffffc0dde472e0 by task swapper/0/1 CPU: 7 PID: 1 Comm: swapper/0 Not tainted 4.14.72 #34 Call trace: [] dump_backtrace+0x0/0x718 [] show_stack+0x20/0x2c [] __dump_stack+0x20/0x28 [] dump_stack+0x80/0xbc [] print_address_description+0x70/0x238 [] kasan_report+0x1cc/0x260 [] __asan_report_load4_noabort+0x2c/0x38 [] gpiochip_irq_map+0x228/0x248 [] irq_domain_associate+0x114/0x2ec [] irq_create_mapping+0x120/0x234 [] irq_create_fwspec_mapping+0x4c8/0x88c [] irq_create_of_mapping+0x180/0x210 [] of_irq_get+0x138/0x198 [] spi_drv_probe+0x94/0x178 [] driver_probe_device+0x51c/0x824 [] __device_attach_driver+0x148/0x20c [] bus_for_each_drv+0x120/0x188 [] __device_attach+0x19c/0x2dc [] device_initial_probe+0x20/0x2c [] bus_probe_device+0x80/0x154 [] device_add+0x9b8/0xbdc [] spi_add_device+0x1b8/0x380 [] spi_register_controller+0x111c/0x1378 [] spi_geni_probe+0x4dc/0x6f8 [] platform_drv_probe+0xdc/0x130 [] driver_probe_device+0x51c/0x824 [] __driver_attach+0x100/0x194 [] bus_for_each_dev+0x104/0x16c [] driver_attach+0x48/0x54 [] bus_add_driver+0x274/0x498 [] driver_register+0x1ac/0x230 [] __platform_driver_register+0xcc/0xdc [] spi_geni_driver_init+0x1c/0x24 [] do_one_initcall+0x240/0x3dc [] kernel_init_freeable+0x378/0x468 [] kernel_init+0x14/0x110 [] ret_from_fork+0x10/0x18 The buggy address belongs to the page: page:ffffffbf037791c0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x4000000000000000() raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff raw: ffffffbf037791e0 ffffffbf037791e0 0000000000000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffc0dde47180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffc0dde47200: f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 >ffffffc0dde47280: f2 f2 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 ^ ffffffc0dde47300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffc0dde47380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Let's leave around one unsigned int in the gpio_irq_chip struct for the single parent irq case and repoint the 'parents' array at it. This way code is left mostly intact to setup parents and we waste an extra few bytes per structure of which there should be only a handful in a system. Cc: Evan Green Cc: Thierry Reding Cc: Grygorii Strashko Fixes: e0d897289813 ("gpio: Implement tighter IRQ chip integration") Signed-off-by: Stephen Boyd Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin --- drivers/gpio/gpiolib.c | 3 ++- include/linux/gpio/driver.h | 7 +++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 06dce16e22bb..70f0dedca59f 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -1675,7 +1675,8 @@ static void gpiochip_set_cascaded_irqchip(struct gpio_chip *gpiochip, irq_set_chained_handler_and_data(parent_irq, parent_handler, gpiochip); - gpiochip->irq.parents = &parent_irq; + gpiochip->irq.parent_irq = parent_irq; + gpiochip->irq.parents = &gpiochip->irq.parent_irq; gpiochip->irq.num_parents = 1; } diff --git a/include/linux/gpio/driver.h b/include/linux/gpio/driver.h index 5382b5183b7e..82a953ec5ef0 100644 --- a/include/linux/gpio/driver.h +++ b/include/linux/gpio/driver.h @@ -94,6 +94,13 @@ struct gpio_irq_chip { */ unsigned int num_parents; + /** + * @parent_irq: + * + * For use by gpiochip_set_cascaded_irqchip() + */ + unsigned int parent_irq; + /** * @parents: * -- 2.17.1