From patchwork Sat Dec 23 12:35:46 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Wahren X-Patchwork-Id: 13503981 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 7F02EC3DA6E for ; Sat, 23 Dec 2023 12:37:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:Cc :To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=/P7hxwO+avDuqrFnXWlO+Zq2FhXVZzFFXtPIoMzmZno=; b=10hHU9qSP4BPGC nU90D4M58WxbBGdPg+/oTz80OBi4K/W489iqIbg4GSo9g+k+Fp11Z5EjqQ+VYUQ1OeJV3Tjr3ctDA xtAVNJApc9sRRMGEBVUOSxPO+votlsMfOdzOSj5KV133xv8bSDWUyns9QurSvz4kH5MA8FEOtgIZW wbQlgnyCXfRTsdAMgeGE4Ml+b67iDYSHFxFq6ASPN5bqO++Y8UmbHQ9K6sCWmvlDr2x/YUnsLqShG bTDkGnCpv1KL9ysfW5DNFuvaGDa++k2LxOo7gq9NH9AvGw7Tpry51MS7AP1fXLX3LUZf32q77c/uj l98qFRroFGmxzIaPxsbg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1rH1F3-007uJL-2H; Sat, 23 Dec 2023 12:36:33 +0000 Received: from mout.gmx.net ([212.227.17.21]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1rH1F0-007uId-1s for linux-arm-kernel@lists.infradead.org; Sat, 23 Dec 2023 12:36:32 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1703334972; x=1703939772; i=wahrenst@gmx.net; bh=JncPf9nLdRLwEx36h3QEDk4/crDt/APzy8lf02Z8TQw=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=hinBr81f0IvByakeNxCYzE1O4QipIv+zRyT0kLjhOslFtlHv5bh1YwMCD8mkUmET /PmZGlZoJ9if3gEglWofUbHlk14WXjV0OJ/Bj+G2G0vViv+paHH5Dx0C/oHW+m3z2 /zQTiDPhikQ/rB/3v3e1dfr49tIGvw9/shDxU8orFmSQqPsY+TQVHC3Kk/kkfGj7S o4Y8UcPLmDeNnIcx3KwC0G/a6ugudIUf8AcjxLvWDx67KtkP5iI+raMRuuKq2fMjA ztvzDHbdCoHUW4kJp99SIl9jzaiZny3MeGeeXTVd+gpZlJxeJoXfrQ27YwECfXPbR U2WLIfatUzznQDSpCQ== X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a Received: from stefanw-SCHENKER ([37.4.248.43]) by mail.gmx.net (mrgmx105 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MvK0X-1qzUU90pCD-00rKnD; Sat, 23 Dec 2023 13:36:12 +0100 From: Stefan Wahren To: Chen-Yu Tsai , Jernej Skrabec , Samuel Holland Cc: Maxime Ripard , =?utf-8?q?Myl=C3=A8ne_Josserand?= , linux-sunxi@lists.linux.dev, soc@kernel.org, Arnd Bergmann , linux-arm-kernel@lists.infradead.org, Stefan Wahren Subject: [PATCH] ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init Date: Sat, 23 Dec 2023 13:35:46 +0100 Message-Id: <20231223123546.88125-1-wahrenst@gmx.net> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Provags-ID: V03:K1:sZWTjmyHvO3Pwx9sSZDiG/Y9Hvhu5VgjYKLEdc7HJpuvZcoVwqq gEu0rPOAqmDAEjVM/679zu2losBRdkPeYk21Fymq/2Dvtpx6YYP7IoYccQgcn1Lw6JqYs0Z ZUpyCtzIZYE3khgqgj6xhmrtzvleGMIL3tD9jjKiO8uqS2+/hbsveCcL//ijsraX326cSbn g8+C+9K5Cm4LXwbF5lGOg== UI-OutboundReport: notjunk:1;M01:P0:6IlSc1pTTNo=;mt8A1lHede827k8Qu5kuBxmJF7h NY+vjrvcGkfNl4OF7gp0B9FucfJr9WcjivQghrokqNH+pLVa74MIg1HPDAgerVy7zO7uo+Qbl NkeNEV+/5M4kMuPQlNFwQD2AtdbyHTKhxF7KI5EaLCwDbrUvMpuy6pr5wfJcEecRBbk5Kg1CQ iSaUsTBqAPKXXS0dZDxr/Jy4ElEEn9qZI2AnNCAXXUuAnaM2l6lnUVuMvTNXop60jnBffo8zj NpzcvO64v5au3ac36MYTAQQpy/V9btAsYCKdJRd58b1ibG6Yd7RSROa31JTyUhuf1YxdfWgWC 9llucUx8RyhM001tARtl4YrK7Tw/bJb0mc69lgJ7R25qebFXI6sZSOln5wwHd0idMLtL0Tvoh TAOs+AtRGOVkySR64mB+1ajLoBjWjSEIvu62Empg0+BYz81VqzNZZ/M5DFCGR4XangXCz1QZV ClX5jC23Egml8pX4E7iCSwYEIzd5XfC6qq/lhKEYdInGPW5Z/F8x8bTi7XBJKP8L/YGn7BWli uEScNTe4E12qbgf0Rp8ULAxdG6GsKTiOua8yK/6P8X6NTVomje7SrxEtoZtc3SrG31utqw4jh MaNhKeGkykDZBVQkKnBoVrt+a229T6olYW/qFFop2zNDu2liOCFe8a1aBSdlTXKOwui56goqD IDw2sYwsHSsPppq3/zqCKcRIyN4Goh/pNXqmt02qAyAQrbR0sCg7iOpZcSZHRqhYdrI9h4o9c Fl6lQJEB+M6gWk01VvY2rq1xL3TQISAf1IHtvNFpeb+EoE+9yOHdH45VUxjn2/sDtpHFxIRLN DFhIuL+ZpnW/Ywu4llrb2H/l+s8z9gwX1XOG+iEmsnnoTQT4KjpPxfyF9+mBNhAVgV7+mZamD Aq9L0SgR7Z//D61OaCGMKzhti6s3YEJyz9TT1PqAJP31CwVzdoVY8kYL4JotMqd+i4AwNOj3u Eg6rdZ2+Uk/4/zdzmUJcLEai09I= X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20231223_043631_091679_8EA1F2E8 X-CRM114-Status: GOOD ( 12.19 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Running a multi-arch kernel (multi_v7_defconfig) on a Raspberry Pi 3B+ with enabled CONFIG_UBSAN triggers the following warning: UBSAN: array-index-out-of-bounds in arch/arm/mach-sunxi/mc_smp.c:810:29 index 2 is out of range for type 'sunxi_mc_smp_data [2]' CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc6-00248-g5254c0cbc92d Hardware name: BCM2835 unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x40/0x4c dump_stack_lvl from ubsan_epilogue+0x8/0x34 ubsan_epilogue from __ubsan_handle_out_of_bounds+0x78/0x80 __ubsan_handle_out_of_bounds from sunxi_mc_smp_init+0xe4/0x4cc sunxi_mc_smp_init from do_one_initcall+0xa0/0x2fc do_one_initcall from kernel_init_freeable+0xf4/0x2f4 kernel_init_freeable from kernel_init+0x18/0x158 kernel_init from ret_from_fork+0x14/0x28 Since the enabled method couldn't match with any entry from sunxi_mc_smp_data, the value of the index shouldn't be used right after the loop. So move it after the check of ret in order to have a valid index. Fixes: 1631090e34f5 ("ARM: sun9i: smp: Add is_a83t field") Signed-off-by: Stefan Wahren --- arch/arm/mach-sunxi/mc_smp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.34.1 diff --git a/arch/arm/mach-sunxi/mc_smp.c b/arch/arm/mach-sunxi/mc_smp.c index cb63921232a6..6ec3445f3c72 100644 --- a/arch/arm/mach-sunxi/mc_smp.c +++ b/arch/arm/mach-sunxi/mc_smp.c @@ -807,12 +807,12 @@ static int __init sunxi_mc_smp_init(void) break; } - is_a83t = sunxi_mc_smp_data[i].is_a83t; - of_node_put(node); if (ret) return -ENODEV; + is_a83t = sunxi_mc_smp_data[i].is_a83t; + if (!sunxi_mc_smp_cpu_table_init()) return -EINVAL;