| Message ID | 20230227102425.793841-1-AVKrasnov@sberdevices.ru (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v4] mtd: rawnand: meson: initialize struct with zeroes | expand |
On Mon, 2023-02-27 at 10:24:25 UTC, Arseniy Krasnov wrote: > This structure must be zeroed, because it's field 'hw->core' is used as > 'parent' in 'clk_core_fill_parent_index()', but it will be uninitialized. > This happens, because when this struct is not zeroed, pointer 'hw' is > "initialized" by garbage, which is valid pointer, but points to some > garbage. So 'hw' will be dereferenced, but 'core' contains some random > data which will be interpreted as a pointer. The following backtrace is > result of dereference of such pointer: > > [ 1.081319] __clk_register+0x414/0x820 > [ 1.085113] devm_clk_register+0x64/0xd0 > [ 1.088995] meson_nfc_probe+0x258/0x6ec > [ 1.092875] platform_probe+0x70/0xf0 > [ 1.096498] really_probe+0xc8/0x3e0 > [ 1.100034] __driver_probe_device+0x84/0x190 > [ 1.104346] driver_probe_device+0x44/0x120 > [ 1.108487] __driver_attach+0xb4/0x220 > [ 1.112282] bus_for_each_dev+0x78/0xd0 > [ 1.116077] driver_attach+0x2c/0x40 > [ 1.119613] bus_add_driver+0x184/0x240 > [ 1.123408] driver_register+0x80/0x140 > [ 1.127203] __platform_driver_register+0x30/0x40 > [ 1.131860] meson_nfc_driver_init+0x24/0x30 > > Changelog: > v1 -> v2: > * More details in the commit message. > v2 -> v3: > * Add 'a' article to "interpreted as a pointer". > v3 -> v4: > * Add changelog. > > Fixes: 1e4d3ba66888 ("mtd: rawnand: meson: fix the clock") > Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru> > Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> > Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org> Applied to https://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git mtd/fixes, thanks. Miquel
diff --git a/drivers/mtd/nand/raw/meson_nand.c b/drivers/mtd/nand/raw/meson_nand.c index 5ee01231ac4c..30e326adabfc 100644 --- a/drivers/mtd/nand/raw/meson_nand.c +++ b/drivers/mtd/nand/raw/meson_nand.c @@ -991,7 +991,7 @@ static const struct mtd_ooblayout_ops meson_ooblayout_ops = { static int meson_nfc_clk_init(struct meson_nfc *nfc) { - struct clk_parent_data nfc_divider_parent_data[1]; + struct clk_parent_data nfc_divider_parent_data[1] = {0}; struct clk_init_data init = {0}; int ret;
This structure must be zeroed, because it's field 'hw->core' is used as 'parent' in 'clk_core_fill_parent_index()', but it will be uninitialized. This happens, because when this struct is not zeroed, pointer 'hw' is "initialized" by garbage, which is valid pointer, but points to some garbage. So 'hw' will be dereferenced, but 'core' contains some random data which will be interpreted as a pointer. The following backtrace is result of dereference of such pointer: [ 1.081319] __clk_register+0x414/0x820 [ 1.085113] devm_clk_register+0x64/0xd0 [ 1.088995] meson_nfc_probe+0x258/0x6ec [ 1.092875] platform_probe+0x70/0xf0 [ 1.096498] really_probe+0xc8/0x3e0 [ 1.100034] __driver_probe_device+0x84/0x190 [ 1.104346] driver_probe_device+0x44/0x120 [ 1.108487] __driver_attach+0xb4/0x220 [ 1.112282] bus_for_each_dev+0x78/0xd0 [ 1.116077] driver_attach+0x2c/0x40 [ 1.119613] bus_add_driver+0x184/0x240 [ 1.123408] driver_register+0x80/0x140 [ 1.127203] __platform_driver_register+0x30/0x40 [ 1.131860] meson_nfc_driver_init+0x24/0x30 Changelog: v1 -> v2: * More details in the commit message. v2 -> v3: * Add 'a' article to "interpreted as a pointer". v3 -> v4: * Add changelog. Fixes: 1e4d3ba66888 ("mtd: rawnand: meson: fix the clock") Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru> Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org> --- drivers/mtd/nand/raw/meson_nand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)