From patchwork Thu Dec 28 19:39:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Wahren X-Patchwork-Id: 13506181 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id A7721C3DA6E for ; Thu, 28 Dec 2023 19:40:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:Cc :To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=y6vTld0MGDPAbR0J10d0Mpx5jbfwelHmv3WfTgptE40=; b=XkZcYpAva0QMie tkI4v2u/b8bcKceeqCXoGHpoVMFyLBo8QWFiCQTNHqkg+1STBMIKYDet5wWj2fHjJxslSG8D5TXaA 3p6VpLuEKMt3wK57zVRzYyeM4Vuvh/6B7cYjK4ayXua7b988KgXbh1Q1ueuTPw7vDI5UjOpCDfvgh TG3wFhWmrFXrbwxPJhPgy3qe71j2nckyL/rieUKnvAZCthHUxYE84AGbvDEPHqvxRQNktzTohFpB5 VyfehnfxDF9QyoRWBMDOUsk6DP9/ZX7Tmz9QeolsfFMrG24S+rKyqaFCEuJ3HCtHS9PIUScoQselx y8ahU7QFj3TEpcr+/brw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1rIwEQ-00HJjK-17; Thu, 28 Dec 2023 19:39:50 +0000 Received: from mout.gmx.net ([212.227.15.19]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1rIwEO-00HJiZ-06 for linux-arm-kernel@lists.infradead.org; Thu, 28 Dec 2023 19:39:49 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1703792376; x=1704397176; i=wahrenst@gmx.net; bh=O5ulGC/E+pkbJaH3m3FickjdmSA72Lqn3/s8w/8jwD8=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=R7xB1Creaf/m5vUFWuAv0q8ULOFXcU7Vx/rnpwHrC048R62sKJpcNYSKxLM4OXf+ maLDIrb8Il+aXUlMHeomZzT9bJ3WJO1Qsb47U+3vPn4AsHP2elC9MYwqIVzUUs5RC 6Gmeks8gcMn+MDpO7lcvr9BigI/RBS8QEYjNBZFmX0tX5u1LwJe6AX70bejvCX25T jRbQv4TKtjHbgNhpIlPevGXdb8jeerLonZzuoqrcle9VTN+7q1CicYwZIZwsFoUKN gM7snvQChjzzOAtIXMTcPgSovdUsDCGN+W9lJt9Ya0PH5rspnvyg8MLyaMvatxUPM FfM2CFDhtDC+/dCVjA== X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a Received: from stefanw-SCHENKER ([37.4.248.43]) by mail.gmx.net (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MbAcs-1qhOUJ452O-00bbWi; Thu, 28 Dec 2023 20:39:36 +0100 From: Stefan Wahren To: Chen-Yu Tsai , Jernej Skrabec , Samuel Holland Cc: Maxime Ripard , =?utf-8?q?Myl=C3=A8ne_Josserand?= , linux-sunxi@lists.linux.dev, soc@kernel.org, Florian Fainelli , Arnd Bergmann , linux-arm-kernel@lists.infradead.org, Stefan Wahren Subject: [PATCH V2 1/2] ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init Date: Thu, 28 Dec 2023 20:39:02 +0100 Message-Id: <20231228193903.9078-1-wahrenst@gmx.net> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Provags-ID: V03:K1:QXumkr2GEgs4aBLmHE2c+e2mWHTCzqDtFafwQoth9VRlL7aNXdn J5GrPmdE5T31zLLWMBDHIIJN8SEhd3LkKf/e2e50TWGyAn8yulMA9H40atnRF9PZutkn1lK J05QSgRiX5LSlghBC0QXdq7kJM5xpE7mICuLPiqm8FNvdIuiOpAxGnMxWWF8eb9eWKFOmQR 2w1Gw8v5hCxt56h3r+7cQ== UI-OutboundReport: notjunk:1;M01:P0:F2lq3oHs+1Y=;G3LbDeFTbXDRBFDi8EPrFbtFZjv HWrUMfhbm3uGyzEck+hp+uS7o+GfB48UIRTLJ0aCx0HVjsDXxAMdvbys768NLI+xUh4Ln504e /OLmvK8Qtx3oDLm6rzHb7bsk3ZqIoM2fygj01FXKAjCZByWbHxQEn1OMsWCjUvMJQEYys+fBc VWl6MjyQ+pnrB2GpaxZnmrs6N6gJbQWHiH7mvrA1IImNyHWWhtYR3PxGwnFKeqZrIq2P+vKsM sAz7bBa4lS+G+GhVhNDSQKEW/KKFpepwm9gBa8D6637qzWhjHhi7yUwS6UywWlqNZCip/vZSZ FAKMbTd9rlPD0GNemOrZSKzlNBXHQO4PQs3cvSGjzGh70BFNcWVOcy3YdsrBIJpZbEFaZT4Ev WfWkh5AavrULPDJMhvfFFeYVpdo16QIUeWW13Zp6a9XrY6a7hj5IlSie+/xVZ20+Mn7Dv019o TrLMH73DLjpFv7mHvJdKO1BQw9+PAkOupnIxPPLYxKxpPPXFH6VPhG35guyO7A4hhAgGaekY+ MYgoz8hD5CzmSPCoNnM8HaJ2ANzftZS/zamGFZKzEmM6WIrYddKF75jjbwqqRaf+UaP2+K7iG zvznHqfVIHaWlfb3pW+UciujcU+c+M3l8HrGTGTyRSsvBqgotTayfC1nQ1eUaCsAQ5t9XxEaQ TmjF68tJEEu+rpbAh/ETLIIlnSXIpbIKd5Ai2tKRMG/Dg7X5d1sC2qgqJMP9OAHxm3BV35yzC m8ZQlqR49e5wNvxrz0GgIJTyfJIdK/GMeM91k8vhzDzifBN60MEVDLBDFP1Kt25OWLc0CmkJz D8SnW/75844RJWIdqXcDCLj0tszve0yHEhcSDewa2CuNA/7bxepxEVKxlIsBftx4mkRWlha9d 50gbpgqnFlIZsWztl5ZIB/OoDh0TWO6Bi9Gt4LB+vPUDKKvg/2/jnCWeZuiOxDtFvGtWdDVDt kGIgce/CW4/4qEMJ6pmjkawvnh6HPRS6i8QMHsQ6lBlhcrQD X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20231228_113948_354357_F4CACF0C X-CRM114-Status: GOOD ( 13.22 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Running a multi-arch kernel (multi_v7_defconfig) on a Raspberry Pi 3B+ with enabled CONFIG_UBSAN triggers the following warning: UBSAN: array-index-out-of-bounds in arch/arm/mach-sunxi/mc_smp.c:810:29 index 2 is out of range for type 'sunxi_mc_smp_data [2]' CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc6-00248-g5254c0cbc92d Hardware name: BCM2835 unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x40/0x4c dump_stack_lvl from ubsan_epilogue+0x8/0x34 ubsan_epilogue from __ubsan_handle_out_of_bounds+0x78/0x80 __ubsan_handle_out_of_bounds from sunxi_mc_smp_init+0xe4/0x4cc sunxi_mc_smp_init from do_one_initcall+0xa0/0x2fc do_one_initcall from kernel_init_freeable+0xf4/0x2f4 kernel_init_freeable from kernel_init+0x18/0x158 kernel_init from ret_from_fork+0x14/0x28 Since the enabled method couldn't match with any entry from sunxi_mc_smp_data, the value of the index shouldn't be used right after the loop. So move it after the check of ret in order to have a valid index. Fixes: 1631090e34f5 ("ARM: sun9i: smp: Add is_a83t field") Signed-off-by: Stefan Wahren Reviewed-by: Chen-Yu Tsai --- Changes in V2: - append another patch to fix return code check arch/arm/mach-sunxi/mc_smp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.34.1 diff --git a/arch/arm/mach-sunxi/mc_smp.c b/arch/arm/mach-sunxi/mc_smp.c index cb63921232a6..6ec3445f3c72 100644 --- a/arch/arm/mach-sunxi/mc_smp.c +++ b/arch/arm/mach-sunxi/mc_smp.c @@ -807,12 +807,12 @@ static int __init sunxi_mc_smp_init(void) break; } - is_a83t = sunxi_mc_smp_data[i].is_a83t; - of_node_put(node); if (ret) return -ENODEV; + is_a83t = sunxi_mc_smp_data[i].is_a83t; + if (!sunxi_mc_smp_cpu_table_init()) return -EINVAL;