iMX8MP BSP 6.1.1 array index out of bounds


1,162 views
mogenslauridsen
Contributor III

Hi,

When running KASAN on NXP BSP 6.1.1-1.0.0 on iMX8MP we get the following error:

[ 3.763243] ==================================================================
[ 3.770511] BUG: KASAN: slab-out-of-bounds in imx_blk_ctrl_probe+0x22c/0x710
[ 3.777621] Write of size 8 at addr ffff0000d7029a58 by task kworker/u8:1/49
[ 3.784694]
[ 3.786201] CPU: 2 PID: 49 Comm: kworker/u8:1 Not tainted 6.1.1+g29549c7073bf #15
[ 3.793713] Hardware name: NXP i.MX8MPlus Blackbird board (DT)
[ 3.799567] Workqueue: events_unbound deferred_probe_work_func
[ 3.805452] Call trace:
[ 3.807912] dump_backtrace+0xdc/0x130
[ 3.811700] show_stack+0x18/0x40
[ 3.815054] dump_stack_lvl+0x64/0x80
[ 3.818755] print_report+0x188/0x48c
[ 3.822449] kasan_report+0xb8/0x100
[ 3.826054] __asan_store8+0x80/0xa4
[ 3.829660] imx_blk_ctrl_probe+0x22c/0x710
[ 3.833882] platform_probe+0x8c/0xf0
[ 3.837582] really_probe+0x114/0x5bc
[ 3.841276] __driver_probe_device+0xbc/0x220
[ 3.845674] driver_probe_device+0x5c/0x150
[ 3.849893] __device_attach_driver+0xec/0x1a0
[ 3.854371] bus_for_each_drv+0xf0/0x15c
[ 3.858326] __device_attach+0x114/0x280
[ 3.862281] device_initial_probe+0x14/0x20
[ 3.866498] bus_probe_device+0xe8/0xfc
[ 3.870366] deferred_probe_work_func+0xf4/0x150
[ 3.875019] process_one_work+0x398/0x5e0
[ 3.879066] worker_thread+0x3c8/0x6a0
[ 3.882843] kthread+0x188/0x190
[ 3.886099] ret_from_fork+0x10/0x20
[ 3.889706]
[ 3.891208] Allocated by task 49:
[ 3.895223]
[ 3.896728] The buggy address belongs to the object at ffff0000d7029800
[ 3.896728] which belongs to the cache kmalloc-1k of size 1024
[ 3.909272] The buggy address is located 600 bytes inside of
[ 3.909272] 1024-byte region [ffff0000d7029800, ffff0000d7029c00)
[ 3.921123]
[ 3.922627] The buggy address belongs to the physical page:
[ 3.928217] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117028
[ 3.937640] head:(____ptrval____) order:3 compound_mapcount:0 compound_pincount:0
[ 3.945144] flags: 0xbfffc0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff)
[ 3.952500] raw: 0bfffc0000010200 0000000000000000 dead000000000122 ffff0000d0002780
[ 3.960271] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 3.968035] page dumped because: kasan: bad access detected
[ 3.973622]
[ 3.975121] Memory state around the buggy address:
[ 3.979929] ffff0000d7029900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 3.987176] ffff0000d7029980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 3.994421] >ffff0000d7029a00: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
[ 4.001660] ^
[ 4.007771] ffff0000d7029a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4.015015] ffff0000d7029b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4.022255] ==================================================================

This seems to be caused by the commit 4a9a20d77156545d6c25fe60cb598355210880cf (https://github.com/nxp-imx/linux-imx.git) "MLK-23680-1: clk: imx: clk-audiomix: remove sdma root clock", where these lines are removed:

include/dt-bindings/clock/imx8mp-clock.h:

#define IMX8MP_CLK_AUDIO_BLK_CTRL_SDMA2_ROOT 26


drivers/clk/imx/clk-imx8mp.c b/drivers/clk/imx/clk-imx8mp.c:
IMX_BLK_CTRL_CLK_GATE("sdma2_root_clk", IMX8MP_CLK_AUDIO_BLK_CTRL_SDMA2_ROOT, 0, 26, "audio_ahb_root"),

After this change the array imx8mp_audio_blk_ctrl_hws (drivers/clk/imx/clk-imx8mp.c) has decreased in size from 58 to 57, but since the values of the defines IMX8MP_CLK_AUDIO_BLK_CTRL_.... after IMX8MP_CLK_AUDIO_BLK_CTRL_SDMA2_ROOT haven't been renumbered, the ".id" numbers from 27 to 58 are one too big.
Since the function imx_blk_ctrl_register_clock_controller (drivers/clk/imx/clk-blk-ctrl.c) uses the ".id" as the index into the allocated array (hws[hw->id] = tmp;), 58 will be out of bounds.

Can you confirm that the defines IMX8MP_CLK_AUDIO_BLK_CTRL_.... after IMX8MP_CLK_AUDIO_BLK_CTRL_SDMA2_ROOT should be renumbered as done in the attached patch?

6 replies
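The post describes a table whose entries are stored at hws[.id], sized from the number of entries while the ids come from a separate header, so a define dropped without renumbering leaves an id equal to the array length and KASAN reports the slab-out-of-bounds write above. The following is an added example, not code from this thread or from the NXP kernel tree: a user-space C model of that registration pattern with the range and duplicate checks that make such a mismatch fail loudly at probe time instead of writing past the allocation. The struct, function and table names, and the small constructed ids, are assumptions made for this example; the real header values are not used.

```c
/*
 * Added example (not NXP kernel code): a user-space model of the
 * "store each clock at hws[.id]" pattern, with the checks that turn a stale
 * define into a reported error rather than an out-of-bounds heap write.
 * All names and table contents below are constructed for this example.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* One gate clock; the binding define (.id) doubles as the array index. */
struct blk_ctrl_hw {
    const char *name;
    int id;    /* value of the IMX8MP_CLK_AUDIO_BLK_CTRL_* define */
    int bit;   /* gate bit in the block-control register */
};

/*
 * Allocate num_hws slots and store a pointer to each descriptor at hws[id].
 * Returns 0 on success, -EINVAL if any id is outside [0, num_hws) or two
 * descriptors share an id, and -ENOMEM if the allocation fails. Every id is
 * validated before the first write, so nothing reaches the heap on error.
 */
int register_block_clocks(const struct blk_ctrl_hw *table, size_t num_hws,
                          const struct blk_ctrl_hw ***out_hws)
{
    const struct blk_ctrl_hw **hws;
    size_t i;

    *out_hws = NULL;
    for (i = 0; i < num_hws; i++) {
        if (table[i].id < 0 || (size_t)table[i].id >= num_hws) {
            fprintf(stderr, "%s: id %d does not fit %zu slots\n",
                    table[i].name, table[i].id, num_hws);
            return -EINVAL;
        }
    }

    hws = calloc(num_hws, sizeof(*hws));
    if (!hws)
        return -ENOMEM;

    for (i = 0; i < num_hws; i++) {
        if (hws[table[i].id]) {   /* two descriptors claim one slot */
            fprintf(stderr, "%s: id %d already taken by %s\n",
                    table[i].name, table[i].id, hws[table[i].id]->name);
            free(hws);
            return -EINVAL;
        }
        hws[table[i].id] = &table[i];
    }
    *out_hws = hws;
    return 0;
}

/*
 * Constructed tables with small ids (not the real header values). The first
 * has the shape of the bug: the define for id 2 was removed but the later
 * define kept its value, so three entries must fit three slots while the
 * largest id is 3. The second is the same table after renumbering.
 */
static const struct blk_ctrl_hw stale_ids[] = {
    { "asrc_ipg",       0, 24 },
    { "pdm_ipg",        1, 25 },
    { "sdma3_root_clk", 3, 27 },   /* id 3 with 3 slots: one past the end */
};

static const struct blk_ctrl_hw renumbered_ids[] = {
    { "asrc_ipg",       0, 24 },
    { "pdm_ipg",        1, 25 },
    { "sdma3_root_clk", 2, 27 },
};

/* Register a table, release the result, and report the status code. */
static int try_register(const struct blk_ctrl_hw *table, size_t num_hws)
{
    const struct blk_ctrl_hw **hws;
    int ret = register_block_clocks(table, num_hws, &hws);

    free(hws);   /* hws is NULL on the error path; free(NULL) is a no-op */
    return ret;
}

int check_stale_table(void)
{
    return try_register(stale_ids, ARRAY_SIZE(stale_ids));
}

int check_renumbered_table(void)
{
    return try_register(renumbered_ids, ARRAY_SIZE(renumbered_ids));
}

int main(void)
{
    printf("stale table:      %d\n", check_stale_table());       /* -EINVAL */
    printf("renumbered table: %d\n", check_renumbered_table());  /* 0 */
    return 0;
}
```

Building with `-fsanitize=address` and removing the range check shows the same class of report KASAN produced in the post, a write one slot past a heap allocation; with the check in place the stale table is rejected before any write happens.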

1,145 views
JorgeCas
NXP TechSupport

Hello,

Your workaround of adapting the index size in your patch makes sense, but could you please help me with the code that you are using as a reference to say that those lines were removed? Reviewing previous versions I found almost the same code in those parts.

Best regards.


1,142 views
mogenslauridsen
Contributor III

Hi,

I use the code from https://github.com/nxp-imx/linux-imx.git and tag lf-6.1.1-1.0.0.

The defines are in the file: include/dt-bindings/clock/imx8mp-clock.h. In this file you will see "26" is missing:
....
#define IMX8MP_CLK_AUDIO_BLK_CTRL_ASRC_IPG 24
#define IMX8MP_CLK_AUDIO_BLK_CTRL_PDM_IPG 25
#define IMX8MP_CLK_AUDIO_BLK_CTRL_SDMA3_ROOT 27
#define IMX8MP_CLK_AUDIO_BLK_CTRL_SPBA2_ROOT 28
#define IMX8MP_CLK_AUDIO_BLK_CTRL_DSP_ROOT 29
...


I compile it using gnu gcc 12.2.1.

Best regards,

Mogens



1,136 views
JorgeCas
NXP TechSupport

Hello,

Unfortunately, the link that you shared is not working.

Best regards.


1,132 views
mogenslauridsen
Contributor III

Hi,

Sorry, https://github.com/nxp-imx/linux-imx.git is a direct link to the git repo for use with "git clone". If you want to look at the code via a web browser you can use this link:
https://github.com/nxp-imx/linux-imx
More specifically around line 366-367 in:
https://github.com/nxp-imx/linux-imx/blob/lf-6.1.y/include/dt-bindings/clock/imx8mp-clock.h

Best regards


1,115 views
JorgeCas
NXP TechSupport

Hello,

Got it, that is the code that I used as a reference. Searching previous versions, it seems that the code lines you consider removed did not change; they are still almost the same.

Best regards.


1,055 views
mogenslauridsen
Contributor III

Hello,

Yes, this change has been in the repo for quite some time. (2020-03-26).

I also see this KASAN message in NXP BSP lf-5.15.71-2.2.0.

Best regards
