    ARM: keystone: fix platform_domain_notifier array overrun · 7416dd78
    Russell King authored
    [ Upstream commit 9954b80b ]
    
    platform_domain_notifier contains a variable sized array, which the
    pm_clk_notify() notifier treats as a NULL terminated array:
    
         for (con_id = clknb->con_ids; *con_id; con_id++)
                 pm_clk_add(dev, *con_id);
    
    Omitting the initialiser for con_ids means that the array is zero
    sized, and there is no NULL terminator.  This leads to pm_clk_notify()
    overrunning into whatever structure follows, which may not be NULL.
    This leads to an oops:
    
    Unable to handle kernel NULL pointer dereference at virtual address 0000008c
    pgd = c0003000
    [0000008c] *pgd=80000800004003, *pmd=00000000
    Internal error: Oops: 206 [#1] PREEMPT SMP ARM
    Modules linked in:
    CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.16.0+ #9
    Hardware name: Keystone
    PC is at strlen+0x0/0x34
    LR is at kstrdup+0x18/0x54
    pc : [<c0623340>]    lr : [<c0111d6c>]    psr: 20000013
    sp : eec73dc0  ip : eed780c0  fp : 00000001
    r10: 00000000  r9 : 00000000  r8 : eed71e10
    r7 : 0000008c  r6 : 0000008c  r5 : 014000c0  r4 : c03a6ff4
    r3 : c09445d0  r2 : 00000000  r1 : 014000c0  r0 : 0000008c
    Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 30c5387d  Table: 00003000  DAC: fffffffd
    Process swapper/0 (pid: 1, stack limit = 0xeec72210)
    Stack: (0xeec73dc0 to 0xeec74000)
    ...
    [<c0623340>] (strlen) from [<c0111d6c>] (kstrdup+0x18/0x54)
    [<c0111d6c>] (kstrdup) from [<c03a6ff4>] (__pm_clk_add+0x58/0x120)
    [<c03a6ff4>] (__pm_clk_add) from [<c03a731c>] (pm_clk_notify+0x64/0xa8)
    [<c03a731c>] (pm_clk_notify) from [<c004614c>] (notifier_call_chain+0x44/0x84)
    [<c004614c>] (notifier_call_chain) from [<c0046320>] (__blocking_notifier_call_chain+0x48/0x60)
    [<c0046320>] (__blocking_notifier_call_chain) from [<c0046350>] (blocking_notifier_call_chain+0x18/0x20)
    [<c0046350>] (blocking_notifier_call_chain) from [<c0390234>] (device_add+0x36c/0x534)
    [<c0390234>] (device_add) from [<c047fc00>] (of_platform_device_create_pdata+0x70/0xa4)
    [<c047fc00>] (of_platform_device_create_pdata) from [<c047fea0>] (of_platform_bus_create+0xf0/0x1ec)
    [<c047fea0>] (of_platform_bus_create) from [<c047fff8>] (of_platform_populate+0x5c/0xac)
    [<c047fff8>] (of_platform_populate) from [<c08b1f04>] (of_platform_default_populate_init+0x8c/0xa8)
    [<c08b1f04>] (of_platform_default_populate_init) from [<c000a78c>] (do_one_initcall+0x3c/0x164)
    [<c000a78c>] (do_one_initcall) from [<c087bd9c>] (kernel_init_freeable+0x10c/0x1d0)
    [<c087bd9c>] (kernel_init_freeable) from [<c0628db0>] (kernel_init+0x8/0xf0)
    [<c0628db0>] (kernel_init) from [<c00090d8>] (ret_from_fork+0x14/0x3c)
    Exception stack(0xeec73fb0 to 0xeec73ff8)
    3fa0:                                     00000000 00000000 00000000 00000000
    3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
    Code: e3520000 1afffff7 e12fff1e c0801730 (e5d02000)
    ---[ end trace cafa8f148e262e80 ]---
    
    Fix this by adding the necessary initialiser.
    
    Fixes: fc20ffe1 ("ARM: keystone: add PM domain support for clock management")
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Acked-by: Santosh Shilimkar <ssantosh@kernel.org>
    Signed-off-by: Olof Johansson <olof@lixom.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
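The overrun the commit message describes, as an added user-space example that is not the kernel's code or part of this commit. It assumes a simplified shape for struct pm_clk_notifier_block (a pm_domain pointer followed by the flexible con_ids[] array), lays out a constructed stand-in for "whatever structure follows" directly behind it, and walks con_ids the way pm_clk_notify() does: once with no entries and no terminator (the bug), once with the `{ NULL }` terminator (the fix). The walk carries a hard cap that the kernel loop does not have, so the demo cannot wander outside its own allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Simplified stand-in for struct pm_clk_notifier_block (an assumption
 * for this example, not the kernel's definition): a header pointer
 * followed by a flexible array of connection ids. The array carries no
 * length; pm_clk_notify() walks it until it reads a NULL entry.
 */
struct clk_nb {
    const char *pm_domain;
    const char *con_ids[];
};

/* Pointer-sized slots of "whatever structure follows" that we place
 * directly after the notifier. Constructed for the example. */
#define FOLLOWING_SLOTS 3

struct walk_result {
    size_t added;   /* entries pm_clk_add() would have been handed */
    int overran;    /* 1 if any of them lay beyond the intended array */
};

/*
 * Lay out nb, its n_con_ids entries and then the following object
 * back to back in one allocation, the way they would sit in .data.
 */
static struct clk_nb *build(const char *const *con_ids, size_t n_con_ids,
                            const char *const *following)
{
    size_t slots = n_con_ids + FOLLOWING_SLOTS;
    struct clk_nb *nb = malloc(sizeof(*nb) + slots * sizeof(const char *));
    if (!nb)
        return NULL;
    nb->pm_domain = "keystone_pm_domain";
    if (n_con_ids)
        memcpy(nb->con_ids, con_ids, n_con_ids * sizeof(const char *));
    memcpy(nb->con_ids + n_con_ids, following,
           FOLLOWING_SLOTS * sizeof(const char *));
    return nb;
}

/*
 * Mirror of the notifier's loop
 *     for (con_id = clknb->con_ids; *con_id; con_id++)
 *             pm_clk_add(dev, *con_id);
 * plus a hard cap so the demo cannot read outside its allocation.
 * `intended` is how many entries the array was supposed to have.
 */
static struct walk_result walk_con_ids(const struct clk_nb *nb,
                                       size_t intended, size_t cap)
{
    struct walk_result r = { 0, 0 };
    const char *const *con_id = nb->con_ids;

    while (r.added < cap && *con_id) {
        if (r.added >= intended)
            r.overran = 1;   /* this "con_id" belongs to the next object */
        con_id++;
        r.added++;
    }
    return r;
}

/* The bug: no initialiser, so con_ids has zero entries and no NULL.
 * The walk reads the next object's fields as if they were con_ids. */
struct walk_result demo_unterminated(void)
{
    /* next object: two non-NULL fields, then a NULL one */
    const char *following[FOLLOWING_SLOTS] = { "next->field0", "next->field1", NULL };
    struct clk_nb *nb = build(NULL, 0, following);
    if (!nb)
        return (struct walk_result){ 0, -1 };
    struct walk_result r = walk_con_ids(nb, 0, FOLLOWING_SLOTS);
    free(nb);
    return r;
}

/* The fix: `.con_ids = { NULL }` gives the array its terminator, so
 * the walk stops before touching what follows. */
struct walk_result demo_terminated(void)
{
    const char *con_ids[1] = { NULL };
    const char *following[FOLLOWING_SLOTS] = { "next->field0", "next->field1", NULL };
    struct clk_nb *nb = build(con_ids, 1, following);
    if (!nb)
        return (struct walk_result){ 0, -1 };
    struct walk_result r = walk_con_ids(nb, 1, 1 + FOLLOWING_SLOTS);
    free(nb);
    return r;
}

int main(void)
{
    struct walk_result bug = demo_unterminated();
    struct walk_result fix = demo_terminated();
    printf("unterminated: %zu entries handed to pm_clk_add, overran=%d\n",
           bug.added, bug.overran);
    printf("terminated:   %zu entries handed to pm_clk_add, overran=%d\n",
           fix.added, fix.overran);
    return 0;
}
```

The point to take from it: a sentinel-terminated flexible array gives the compiler nothing to check, so a missing terminator compiles cleanly and fails only when the loop hands the next object's first field to pm_clk_add(), which in the trace above is what kstrdup() then strlen()s at 0x8c. The initialiser the upstream commit adds to platform_domain_notifier is the single line `.con_ids = { NULL },`.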
pm_domain.c 1.21 KB