From patchwork Sat Mar 16 11:44:32 2013
X-Patchwork-Submitter: Sebastian Hesselbarth
X-Patchwork-Id: 2281951
From: Sebastian Hesselbarth
To: Sebastian Hesselbarth
Subject: [PATCH v3] pinctrl: mvebu: prevent walking off the end of group array
Date: Sat, 16 Mar 2013 12:44:32 +0100
Message-Id: <1363434272-23172-1-git-send-email-sebastian.hesselbarth@gmail.com>
In-Reply-To: <1363196884-20193-1-git-send-email-jason@lakedaemon.net>
References: <1363196884-20193-1-git-send-email-jason@lakedaemon.net>
Cc: Thomas Petazzoni, Andrew Lunn, David Woodhouse, Stephen Warren, Linus Walleij, linux-kernel@vger.kernel.org, Ezequiel Garcia, Gregory Clement, David Woodhouse, Linux ARM Kernel, Jason Cooper

From: David Woodhouse

While investigating (ab)use of krealloc, David found this bug. It's
unlikely to occur, but now we detect the condition and error out
appropriately.

Signed-off-by: David Woodhouse
Signed-off-by: Jason Cooper
Signed-off-by: Sebastian Hesselbarth
Acked-by: Jason Cooper
---
Jason, David,

I tested the patch on Dove and fixed all remaining issues.
Thomas, Gregory, Andrew should test on their platforms, too.

Sebastian

Changes from v2:
- fix counting of available array space
- fix return code handling

Changes from v1:
- correct typo (s/ nt / int /) I should've caught before sending.

 drivers/pinctrl/mvebu/pinctrl-mvebu.c | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)
---
Cc: Jason Cooper
Cc: David Woodhouse
Cc: Sebastian Hesselbarth
Cc: Thomas Petazzoni
Cc: Gregory Clement
Cc: Andrew Lunn
Cc: Ezequiel Garcia
Cc: Linus Walleij
Cc: Stephen Warren
Cc: Linux ARM Kernel
Cc: linux-kernel@vger.kernel.org
---
diff --git a/drivers/pinctrl/mvebu/pinctrl-mvebu.c b/drivers/pinctrl/mvebu/pinctrl-mvebu.c index c689c04..aa77fb7a 100644 --- a/drivers/pinctrl/mvebu/pinctrl-mvebu.c +++ b/drivers/pinctrl/mvebu/pinctrl-mvebu.c @@ -478,8 +478,12 @@ static struct pinctrl_ops mvebu_pinctrl_ops = { .dt_free_map = mvebu_pinctrl_dt_free_map, }; -static int _add_function(struct mvebu_pinctrl_function *funcs, const char *name) +static int _add_function(struct mvebu_pinctrl_function *funcs, int *funcsize, + const char *name) { + if (*funcsize <= 0) + return -EOVERFLOW; + while (funcs->num_groups) { /* function already there */ if (strcmp(funcs->name, name) == 0) { @@ -488,8 +492,12 @@ static int _add_function(struct mvebu_pinctrl_function *funcs, const char *name) } funcs++; } + + /* append new unique function */ funcs->name = name; funcs->num_groups = 1; + (*funcsize)--; + return 0; } 
@@ -497,12 +505,12 @@ static int mvebu_pinctrl_build_functions(struct platform_device *pdev, struct mvebu_pinctrl *pctl) { struct mvebu_pinctrl_function *funcs; - int num = 0; + int num = 0, funcsize = pctl->desc.npins; int n, s; /* we allocate functions for number of pins and hope - * there are less unique functions than pins available */ - funcs = devm_kzalloc(&pdev->dev, pctl->desc.npins * + * there are fewer unique functions than pins available */ + funcs = devm_kzalloc(&pdev->dev, funcsize * sizeof(struct mvebu_pinctrl_function), GFP_KERNEL); if (!funcs) return -ENOMEM; @@ -510,26 +518,27 @@ static int mvebu_pinctrl_build_functions(struct platform_device *pdev, for (n = 0; n < pctl->num_groups; n++) { struct mvebu_pinctrl_group *grp = &pctl->groups[n]; for (s = 0; s < grp->num_settings; s++) { + int ret; + /* skip unsupported settings on this variant */ if (pctl->variant && !(pctl->variant & grp->settings[s].variant)) continue; /* check for unique functions and count groups */ - if (_add_function(funcs, grp->settings[s].name)) + ret = _add_function(funcs, &funcsize, + grp->settings[s].name); + if (ret == -EOVERFLOW) + dev_err(&pdev->dev, + "More functions than pins(%d)\n", + pctl->desc.npins); + if (ret < 0) continue; num++; } } - /* with the number of unique functions and it's groups known, - reallocate functions and assign group names */ - funcs = krealloc(funcs, num * sizeof(struct mvebu_pinctrl_function), - GFP_KERNEL); - if (!funcs) - return -ENOMEM; - pctl->num_functions = num; pctl->functions = funcs;
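
Review bot: In the _add_function() hunks, the "*funcsize <= 0" test at the top runs before the "while (funcs->num_groups)" lookup, so once the last free slot has been consumed a name that is already in the array is also answered with -EOVERFLOW and never reaches the "function already there" branch. The early return is what keeps the scan from running past a full array, since the loop only stops at an entry with num_groups == 0, but it does so at the cost of misreporting duplicates. Consider bounding the scan by the number of entries used so far and returning -EOVERFLOW only when no match was found and no slot is left; that removes the dependence on a zeroed entry after the last used one and keeps duplicate handling intact when the array is exactly full.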
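
Review bot: In the allocation hunk of mvebu_pinctrl_build_functions(), the comment above devm_kzalloc() still says "hope there are fewer unique functions than pins" although funcsize now enforces that bound. Please reword it to state the actual contract: the array holds at most pctl->desc.npins entries, _add_function() rejects anything beyond that, and the array is no longer shrunk afterwards, so it stays at npins entries for the lifetime of the device.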
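
Review bot: In the settings loop of mvebu_pinctrl_build_functions(), -EOVERFLOW is logged with dev_err() and then falls through to "if (ret < 0) continue;", so the loop carries on, the same message is printed again for every further setting, and nothing in the visible lines returns the error, while the commit message says the condition is detected and errored out. Either return ret on -EOVERFLOW or break out of both loops and propagate it. The format string "More functions than pins(%d)\n" is also missing a space before the parenthesis. Separately, the removed krealloc() was being applied to a pointer obtained from devm_kzalloc(); a sentence in the commit message saying that this is why the reallocation is dropped would help readers of the history.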