• Marc Zyngier's avatar
    net: stmmac: dwmac-meson8b: Add missing boundary to RGMII TX clock array · f0212a5e
    Marc Zyngier authored
    Running with KASAN on a VIM3L systems leads to the following splat
    when probing the Ethernet device:
    
    ==================================================================
    BUG: KASAN: global-out-of-bounds in _get_maxdiv+0x74/0xd8
    Read of size 4 at addr ffffa000090615f4 by task systemd-udevd/139
    CPU: 1 PID: 139 Comm: systemd-udevd Tainted: G            E     5.7.0-rc1-00101-g8624b7577b9c #781
    Hardware name: amlogic w400/w400, BIOS 2020.01-rc5 03/12/2020
    Call trace:
     dump_backtrace+0x0/0x2a0
     show_stack+0x20/0x30
     dump_stack+0xec/0x148
     print_address_description.isra.12+0x70/0x35c
     __kasan_report+0xfc/0x1d4
     kasan_report+0x4c/0x68
     __asan_load4+0x9c/0xd8
     _get_maxdiv+0x74/0xd8
     clk_divider_bestdiv+0x74/0x5e0
     clk_divider_round_rate+0x80/0x1a8
     clk_core_determine_round_nolock.part.9+0x9c/0xd0
     clk_core_round_rate_nolock+0xf0/0x108
     clk_hw_round_rate+0xac/0xf0
     clk_factor_round_rate+0xb8/0xd0
     clk_core_determine_round_nolock.part.9+0x9c/0xd0
     clk_core_round_rate_nolock+0xf0/0x108
     clk_core_round_rate_nolock+0xbc/0x108
     clk_core_set_rate_nolock+0xc4/0x2e8
     clk_set_rate+0x58/0xe0
     meson8b_dwmac_probe+0x588/0x72c [dwmac_meson8b]
     platform_drv_probe+0x78/0xd8
     really_probe+0x158/0x610
     driver_probe_device+0x140/0x1b0
     device_driver_attach+0xa4/0xb0
     __driver_attach+0xcc/0x1c8
     bus_for_each_dev+0xf4/0x168
     driver_attach+0x3c/0x50
     bus_add_driver+0x238/0x2e8
     driver_register+0xc8/0x1e8
     __platform_driver_register+0x88/0x98
     meson8b_dwmac_driver_init+0x28/0x1000 [dwmac_meson8b]
     do_one_initcall+0xa8/0x328
     do_init_module+0xe8/0x368
     load_module+0x3300/0x36b0
     __do_sys_finit_module+0x120/0x1a8
     __arm64_sys_finit_module+0x4c/0x60
     el0_svc_common.constprop.2+0xe4/0x268
     do_el0_svc+0x98/0xa8
     el0_svc+0x24/0x68
     el0_sync_handler+0x12c/0x318
     el0_sync+0x158/0x180
    
    The buggy address belongs to the variable:
     div_table.63646+0x34/0xfffffffffffffa40 [dwmac_meson8b]
    
    Memory state around the buggy address:
     ffffa00009061480: fa fa fa fa 00 00 00 01 fa fa fa fa 00 00 00 00
     ffffa00009061500: 05 fa fa fa fa fa fa fa 00 04 fa fa fa fa fa fa
    >ffffa00009061580: 00 03 fa fa fa fa fa fa 00 00 00 00 00 00 fa fa
                                                                 ^
     ffffa00009061600: fa fa fa fa 00 01 fa fa fa fa fa fa 01 fa fa fa
     ffffa00009061680: fa fa fa fa 00 01 fa fa fa fa fa fa 04 fa fa fa
    ==================================================================
    
    Digging into this indeed shows that the clock divider array is
    lacking a final fence, and that the clock subsystems goes in the
    weeds. Oh well.
    
    Let's add the empty structure that indicates the end of the array.
    
    Fixes: bd6f4854 ("net: stmmac: dwmac-meson8b: Fix the RGMII TX delay on Meson8b/8m2 SoCs")
    Signed-off-by: default avatarMarc Zyngier <maz@kernel.org>
    Cc: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    Reviewed-by: default avatarMartin Blumenstingl <martin.blumenstingl@googlemail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    f0212a5e
dwmac-meson8b.c 11 KB