From patchwork Thu Dec 28 19:39:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Wahren X-Patchwork-Id: 13506181 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id A7721C3DA6E for ; Thu, 28 Dec 2023 19:40:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:Cc :To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=y6vTld0MGDPAbR0J10d0Mpx5jbfwelHmv3WfTgptE40=; b=XkZcYpAva0QMie tkI4v2u/b8bcKceeqCXoGHpoVMFyLBo8QWFiCQTNHqkg+1STBMIKYDet5wWj2fHjJxslSG8D5TXaA 3p6VpLuEKMt3wK57zVRzYyeM4Vuvh/6B7cYjK4ayXua7b988KgXbh1Q1ueuTPw7vDI5UjOpCDfvgh TG3wFhWmrFXrbwxPJhPgy3qe71j2nckyL/rieUKnvAZCthHUxYE84AGbvDEPHqvxRQNktzTohFpB5 VyfehnfxDF9QyoRWBMDOUsk6DP9/ZX7Tmz9QeolsfFMrG24S+rKyqaFCEuJ3HCtHS9PIUScoQselx y8ahU7QFj3TEpcr+/brw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1rIwEQ-00HJjK-17; Thu, 28 Dec 2023 19:39:50 +0000 Received: from mout.gmx.net ([212.227.15.19]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1rIwEO-00HJiZ-06 for linux-arm-kernel@lists.infradead.org; Thu, 28 Dec 2023 19:39:49 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1703792376; x=1704397176; i=wahrenst@gmx.net; bh=O5ulGC/E+pkbJaH3m3FickjdmSA72Lqn3/s8w/8jwD8=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=R7xB1Creaf/m5vUFWuAv0q8ULOFXcU7Vx/rnpwHrC048R62sKJpcNYSKxLM4OXf+ maLDIrb8Il+aXUlMHeomZzT9bJ3WJO1Qsb47U+3vPn4AsHP2elC9MYwqIVzUUs5RC 6Gmeks8gcMn+MDpO7lcvr9BigI/RBS8QEYjNBZFmX0tX5u1LwJe6AX70bejvCX25T jRbQv4TKtjHbgNhpIlPevGXdb8jeerLonZzuoqrcle9VTN+7q1CicYwZIZwsFoUKN gM7snvQChjzzOAtIXMTcPgSovdUsDCGN+W9lJt9Ya0PH5rspnvyg8MLyaMvatxUPM FfM2CFDhtDC+/dCVjA== X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a Received: from stefanw-SCHENKER ([37.4.248.43]) by mail.gmx.net (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MbAcs-1qhOUJ452O-00bbWi; Thu, 28 Dec 2023 20:39:36 +0100 From: Stefan Wahren To: Chen-Yu Tsai , Jernej Skrabec , Samuel Holland Cc: Maxime Ripard , =?utf-8?q?Myl=C3=A8ne_Josserand?= , linux-sunxi@lists.linux.dev, soc@kernel.org, Florian Fainelli , Arnd Bergmann , linux-arm-kernel@lists.infradead.org, Stefan Wahren Subject: [PATCH V2 1/2] ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init Date: Thu, 28 Dec 2023 20:39:02 +0100 Message-Id: <20231228193903.9078-1-wahrenst@gmx.net> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Provags-ID: V03:K1:QXumkr2GEgs4aBLmHE2c+e2mWHTCzqDtFafwQoth9VRlL7aNXdn J5GrPmdE5T31zLLWMBDHIIJN8SEhd3LkKf/e2e50TWGyAn8yulMA9H40atnRF9PZutkn1lK J05QSgRiX5LSlghBC0QXdq7kJM5xpE7mICuLPiqm8FNvdIuiOpAxGnMxWWF8eb9eWKFOmQR 2w1Gw8v5hCxt56h3r+7cQ== UI-OutboundReport: notjunk:1;M01:P0:F2lq3oHs+1Y=;G3LbDeFTbXDRBFDi8EPrFbtFZjv HWrUMfhbm3uGyzEck+hp+uS7o+GfB48UIRTLJ0aCx0HVjsDXxAMdvbys768NLI+xUh4Ln504e /OLmvK8Qtx3oDLm6rzHb7bsk3ZqIoM2fygj01FXKAjCZByWbHxQEn1OMsWCjUvMJQEYys+fBc VWl6MjyQ+pnrB2GpaxZnmrs6N6gJbQWHiH7mvrA1IImNyHWWhtYR3PxGwnFKeqZrIq2P+vKsM sAz7bBa4lS+G+GhVhNDSQKEW/KKFpepwm9gBa8D6637qzWhjHhi7yUwS6UywWlqNZCip/vZSZ FAKMbTd9rlPD0GNemOrZSKzlNBXHQO4PQs3cvSGjzGh70BFNcWVOcy3YdsrBIJpZbEFaZT4Ev WfWkh5AavrULPDJMhvfFFeYVpdo16QIUeWW13Zp6a9XrY6a7hj5IlSie+/xVZ20+Mn7Dv019o TrLMH73DLjpFv7mHvJdKO1BQw9+PAkOupnIxPPLYxKxpPPXFH6VPhG35guyO7A4hhAgGaekY+ MYgoz8hD5CzmSPCoNnM8HaJ2ANzftZS/zamGFZKzEmM6WIrYddKF75jjbwqqRaf+UaP2+K7iG zvznHqfVIHaWlfb3pW+UciujcU+c+M3l8HrGTGTyRSsvBqgotTayfC1nQ1eUaCsAQ5t9XxEaQ TmjF68tJEEu+rpbAh/ETLIIlnSXIpbIKd5Ai2tKRMG/Dg7X5d1sC2qgqJMP9OAHxm3BV35yzC m8ZQlqR49e5wNvxrz0GgIJTyfJIdK/GMeM91k8vhzDzifBN60MEVDLBDFP1Kt25OWLc0CmkJz D8SnW/75844RJWIdqXcDCLj0tszve0yHEhcSDewa2CuNA/7bxepxEVKxlIsBftx4mkRWlha9d 50gbpgqnFlIZsWztl5ZIB/OoDh0TWO6Bi9Gt4LB+vPUDKKvg/2/jnCWeZuiOxDtFvGtWdDVDt kGIgce/CW4/4qEMJ6pmjkawvnh6HPRS6i8QMHsQ6lBlhcrQD X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20231228_113948_354357_F4CACF0C X-CRM114-Status: GOOD ( 13.22 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Running a multi-arch kernel (multi_v7_defconfig) on a Raspberry Pi 3B+ with enabled CONFIG_UBSAN triggers the following warning: UBSAN: array-index-out-of-bounds in arch/arm/mach-sunxi/mc_smp.c:810:29 index 2 is out of range for type 'sunxi_mc_smp_data [2]' CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc6-00248-g5254c0cbc92d Hardware name: BCM2835 unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x40/0x4c dump_stack_lvl from ubsan_epilogue+0x8/0x34 ubsan_epilogue from __ubsan_handle_out_of_bounds+0x78/0x80 __ubsan_handle_out_of_bounds from sunxi_mc_smp_init+0xe4/0x4cc sunxi_mc_smp_init from do_one_initcall+0xa0/0x2fc do_one_initcall from kernel_init_freeable+0xf4/0x2f4 kernel_init_freeable from kernel_init+0x18/0x158 kernel_init from ret_from_fork+0x14/0x28 Since the enabled method couldn't match with any entry from sunxi_mc_smp_data, the value of the index shouldn't be used right after the loop. So move it after the check of ret in order to have a valid index. Fixes: 1631090e34f5 ("ARM: sun9i: smp: Add is_a83t field") Signed-off-by: Stefan Wahren Reviewed-by: Chen-Yu Tsai --- Changes in V2: - append another patch to fix return code check arch/arm/mach-sunxi/mc_smp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.34.1 diff --git a/arch/arm/mach-sunxi/mc_smp.c b/arch/arm/mach-sunxi/mc_smp.c index cb63921232a6..6ec3445f3c72 100644 --- a/arch/arm/mach-sunxi/mc_smp.c +++ b/arch/arm/mach-sunxi/mc_smp.c @@ -807,12 +807,12 @@ static int __init sunxi_mc_smp_init(void) break; } - is_a83t = sunxi_mc_smp_data[i].is_a83t; - of_node_put(node); if (ret) return -ENODEV; + is_a83t = sunxi_mc_smp_data[i].is_a83t; + if (!sunxi_mc_smp_cpu_table_init()) return -EINVAL; From patchwork Thu Dec 28 19:39:03 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Wahren X-Patchwork-Id: 13506182 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id CE84BC3DA6E for ; Thu, 28 Dec 2023 19:40:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=1f/UPhcM/fD3cT+ejkX/cZDfq/MWc56wnv+wP25PXdM=; b=uYNZ73Zq0/Tatq NSAOpMTUNNDnLEiY6fpA2JwOhmm03r8nKoI9GsVrJHe0m7sKzlKY8rr5KKJ4laLxddr2fwrEJFVai BAChx3NnliTIKF02HaEmDsEcFH673sWKvs8AFX2CiTDGSrnkdIPu9TLoQCOnWJGJAzzlQILaUnmRJ FVnagtba+5QWVH2zj3xe5aNFq8zgx40NBSMWiQKpvw7dTwgeokwZaKBqihsaunLf39Jk+IfD9+XqA E7ZDiwvdNHkNgaw/aWJUrT6TQdwy4fVwPgsSx4x3C57f/AEEp44WqgpwPVPXApVtLJX63vMrqSRti xuJ3LDmbeG6QWIblbU4A==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1rIwEZ-00HJjn-0G; Thu, 28 Dec 2023 19:39:59 +0000 Received: from mout.gmx.net ([212.227.15.15]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1rIwEP-00HJie-1w for linux-arm-kernel@lists.infradead.org; Thu, 28 Dec 2023 19:39:51 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1703792376; x=1704397176; i=wahrenst@gmx.net; bh=b0edislHopr8EPtQ1enGkNrsXXNvjXTznHe/lchgmc4=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date:In-Reply-To: References; b=YU5K7KC9H4sIXdlU0G4CpXOyiPS8GzyjLpsyfO73x8/Y6ko2MAyIS2Q5t6sImetj F6HtzPrGFpKd3zZ9CMaEspdHEbWWV89if6iwEXDVr/daNIENZzfRiqt7lvxOSRCT5 M/EGmaYfO28KNr6qxylFFuS2E9JS2xUVv/jIzQOcAz2yKKpS7f9eAHwHDCTbNhXVa pmZdEDjb14Bh6za5dUegqBrTSjVQ7PkNkfHMv2Y3D5VFri4g3AqVekFQrflHummzH 325CDW5QoOJVNvX0xpdcHnKocAyRyUNdJf+XXx1bgvVaMppb2AVnu19YrJOqBryAA XRMURhUfJEsDn3V/1w== X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a Received: from stefanw-SCHENKER ([37.4.248.43]) by mail.gmx.net (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MD9X9-1rRUvx1okz-009BbN; Thu, 28 Dec 2023 20:39:36 +0100 From: Stefan Wahren To: Chen-Yu Tsai , Jernej Skrabec , Samuel Holland Cc: Maxime Ripard , =?utf-8?q?Myl=C3=A8ne_Josserand?= , linux-sunxi@lists.linux.dev, soc@kernel.org, Florian Fainelli , Arnd Bergmann , linux-arm-kernel@lists.infradead.org, Stefan Wahren , Nick Desaulniers Subject: [PATCH V2 2/2] ARM: sun9i: smp: fix return code check of of_property_match_string Date: Thu, 28 Dec 2023 20:39:03 +0100 Message-Id: <20231228193903.9078-2-wahrenst@gmx.net> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231228193903.9078-1-wahrenst@gmx.net> References: <20231228193903.9078-1-wahrenst@gmx.net> MIME-Version: 1.0 X-Provags-ID: V03:K1:ZkFHk/GUAFOj07mCKAFPN53ViYLKkHX2XMWirbFXT9iQfryqjfL xl73iQC00/oPWxShovRgVxTMrp6/uvMWaWRwwIRI09tmlSSTDrYrRN/sqP7J79olzMqS93O 7hX92IA2L52CefjNho2LxNZ33+/0DiTMYrcFnDqMSUbhLoy0zy1fbd6a2V6nnYU1uZN4CkB gXacDgawQLX0u8f8XAkCA== UI-OutboundReport: notjunk:1;M01:P0:mYahOp04Ofk=;SLmGj1svWcfzqHdMPlyxU1A+3FI dR/KpOtTiegOsXoIGmOmlmuZUeGH8yJCN015v9FKW4arSfrw5dJXrGI+tv762zsHAG17c1sVp E577DKQjSuf0GcFn+hV/kR67wpPU3HD29u/MZex+QGSKccVP1rJqhMrFV5vE68AnkevDVoBwi 0fcOh7xj1ENxJeQ+AX62h9oebphIgqVvR49BL3kVZA0nFsPvew6F2TNU2M+9jFbcZA98YtBJo 1KXH7fCCrziFqrAKG/OKbszgeTT5+Q6TfvnKv4pAmqYjGVdI11/03nHmEmOMX+Qv8VIClkROD eDrLJv9sit1DfxIFz07DX5m5nUo1rdpzBGrgDF/RJHBsqT1XmPb8HVVFr49ymeY0oextr/Pfr f2YaZR2IFTiFAv3Sdks2hwelnTKMcWnWWmRJc96Rq+wlSV0ZsvgcAU20nhDv9Rkzglj987NP5 8u6ZuGm/TeZRHzmcKJNMb8f88Z7q1JKRB9vOx8Pw5i3KB69jBgYc12QJfSlXt7kiJxsrw9gTE RuMnLr3HW7wXeuDnsZIuUjkia9NhhXnln7l1mjofz4X/n1Zx0rqfedc7nCGuxkANZIVKvzAKG TVu7UzvMeAgre2uK8FF0RIzaKLwjFwb9Gstx9Ef0ZuZdoGUOY9lvUtfqOQ+o9P21IMxcvlYSL cHfx0N7ScWrxJC9R+I9trLvvCppNTvuH0TU+DpysWSOIX9Q+g2bIvJ//4v4RWqb2/Lb0Kw6zn ducg8x+zUq61hONnrjemQQH/UBqGM8xE1Qc0H7b/1URh5/9EYCrpArzONhe7LwoUXHc5nay0Z HGejECeO7ZG0kkw+Un9s8W5sA6MgnGy4rfS4ZwZKGN1+4bZGRn5C5ur9zxt+Kv9O+TmEn3S5G hOp6jEAVhjXLVxdq5tN8BMUVM4+2qvCWXigNa3FKSbwhACG3bqQG0Yaq3EcEyZAHnGU8fiBSq aJX1JqC37XnZyFJbG3pWotCq7ryFEZ5x35VFBvKjEEyC1GBM X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20231228_113949_918806_C35F0129 X-CRM114-Status: GOOD ( 12.19 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org of_property_match_string returns an int; either an index from 0 or greater if successful or negative on failure. Even it's very unlikely that the DT CPU node contains multiple enable-methods these checks should be fixed. This patch was inspired by the work of Nick Desaulniers. Link: https://lore.kernel.org/lkml/20230516-sunxi-v1-1-ac4b9651a8c1@google.com/T/ Cc: Nick Desaulniers Signed-off-by: Stefan Wahren Reviewed-by: Chen-Yu Tsai --- arch/arm/mach-sunxi/mc_smp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.34.1 diff --git a/arch/arm/mach-sunxi/mc_smp.c b/arch/arm/mach-sunxi/mc_smp.c index 6ec3445f3c72..277f6aa8e6c2 100644 --- a/arch/arm/mach-sunxi/mc_smp.c +++ b/arch/arm/mach-sunxi/mc_smp.c @@ -803,12 +803,12 @@ static int __init sunxi_mc_smp_init(void) for (i = 0; i < ARRAY_SIZE(sunxi_mc_smp_data); i++) { ret = of_property_match_string(node, "enable-method", sunxi_mc_smp_data[i].enable_method); - if (!ret) + if (ret >= 0) break; } of_node_put(node); - if (ret) + if (ret < 0) return -ENODEV; is_a83t = sunxi_mc_smp_data[i].is_a83t;