From patchwork Wed Mar 13 17:48:04 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jason Cooper X-Patchwork-Id: 2264191 Return-Path: X-Original-To: patchwork-linux-arm@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork1.kernel.org Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) by patchwork1.kernel.org (Postfix) with ESMTP id E031C3FD8C for ; Wed, 13 Mar 2013 17:50:47 +0000 (UTC) Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux)) id 1UFpmn-0002B7-5C; Wed, 13 Mar 2013 17:48:21 +0000 Received: from mho-04-ewr.mailhop.org ([204.13.248.74] helo=mho-02-ewr.mailhop.org) by merlin.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux)) id 1UFpmi-00029r-P9 for linux-arm-kernel@lists.infradead.org; Wed, 13 Mar 2013 17:48:17 +0000 Received: from pool-72-84-113-162.nrflva.fios.verizon.net ([72.84.113.162] helo=titan) by mho-02-ewr.mailhop.org with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from ) id 1UFpmg-0003qD-4s; Wed, 13 Mar 2013 17:48:14 +0000 Received: from triton.lakedaemon.net (triton.lakedaemon.net [10.16.5.78]) by titan (Postfix) with ESMTP id 6D37F4013AE; Wed, 13 Mar 2013 13:48:09 -0400 (EDT) X-Mail-Handler: Dyn Standard SMTP by Dyn X-Originating-IP: 72.84.113.162 X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/sendlabs/outbound_abuse.html for abuse reporting information) X-MHO-User: U2FsdGVkX19uMZUZxlX+GxsEBa+mlNoCDPllairN+3E= From: Jason Cooper To: David Woodhouse , Linus Walleij Subject: [PATCH V2] pinctrl: mvebu: prevent walking off the end of group array Date: Wed, 13 Mar 2013 17:48:04 +0000 Message-Id: <1363196884-20193-1-git-send-email-jason@lakedaemon.net> X-Mailer: git-send-email 1.8.1.5 In-Reply-To: <1362872371.3690.106.camel@shinybook.infradead.org> References: <1362872371.3690.106.camel@shinybook.infradead.org> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20130313_134816_825973_9E393FCE X-CRM114-Status: GOOD ( 14.87 ) X-Spam-Score: -1.9 (-) X-Spam-Report: SpamAssassin version 3.3.2 on merlin.infradead.org summary: Content analysis details: (-1.9 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [204.13.248.74 listed in list.dnswl.org] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] Cc: Thomas Petazzoni , David Woodhouse , Stephen Warren , linux-kernel@vger.kernel.org, Ezequiel Garcia , Gregory CLEMENT , Jason Cooper , Linux ARM Kernel , Sebastian Hesselbarth X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org From: David Woodhouse While investigating (ab)use of krealloc, David found this bug. It's unlikely to occur, but now we detect the condition and error out appropriately. Signed-off-by: David Woodhouse Signed-off-by: Jason Cooper --- Changes from v1: - correct typo (s/ nt / int /) I should've caught before sending. David, please double check that this is as you intended. I had to hand-jam it in due to some peculiarities on my side. drivers/pinctrl/mvebu/pinctrl-mvebu.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/drivers/pinctrl/mvebu/pinctrl-mvebu.c b/drivers/pinctrl/mvebu/pinctrl-mvebu.c index c689c04..5db5fad 100644 --- a/drivers/pinctrl/mvebu/pinctrl-mvebu.c +++ b/drivers/pinctrl/mvebu/pinctrl-mvebu.c @@ -478,16 +478,21 @@ static struct pinctrl_ops mvebu_pinctrl_ops = { .dt_free_map = mvebu_pinctrl_dt_free_map, }; -static int _add_function(struct mvebu_pinctrl_function *funcs, const char *name) +static int _add_function(struct mvebu_pinctrl_function *funcs, int nr_funcs, + const char *name) { - while (funcs->num_groups) { + while (nr_funcs && funcs->num_groups) { /* function already there */ if (strcmp(funcs->name, name) == 0) { funcs->num_groups++; return -EEXIST; } funcs++; + nr_funcs--; } + if (!nr_funcs) + return -EOVERFLOW; + funcs->name = name; funcs->num_groups = 1; return 0; @@ -501,7 +506,7 @@ static int mvebu_pinctrl_build_functions(struct platform_device *pdev, int n, s; /* we allocate functions for number of pins and hope - * there are less unique functions than pins available */ + * there are fewer unique functions than pins available */ funcs = devm_kzalloc(&pdev->dev, pctl->desc.npins * sizeof(struct mvebu_pinctrl_function), GFP_KERNEL); if (!funcs) @@ -510,26 +515,26 @@ static int mvebu_pinctrl_build_functions(struct platform_device *pdev, for (n = 0; n < pctl->num_groups; n++) { struct mvebu_pinctrl_group *grp = &pctl->groups[n]; for (s = 0; s < grp->num_settings; s++) { + int ret; + /* skip unsupported settings on this variant */ if (pctl->variant && !(pctl->variant & grp->settings[s].variant)) continue; /* check for unique functions and count groups */ - if (_add_function(funcs, grp->settings[s].name)) + ret = _add_function(funcs, pctl->desc.npins, + grp->settings[s].name); + if (ret == -EOVERFLOW) + dev_err(&pdev->dev, + "More functions than pins(%d)\n", + pctl->desc.npins); continue; num++; } } - /* with the number of unique functions and it's groups known, - reallocate functions and assign group names */ - funcs = krealloc(funcs, num * sizeof(struct mvebu_pinctrl_function), - GFP_KERNEL); - if (!funcs) - return -ENOMEM; - pctl->num_functions = num; pctl->functions = funcs;