    coresight: Fix support for sparsely populated ports · d375b356
    Suzuki K Poulose authored
    On some systems the firmware may not describe all the ports
    connected to a component (e.g., for security reasons). This
    could be especially problematic for "funnels" where we could
    end up modifying memory beyond the allocated space for
    refcounts.
    
    e.g., for a funnel with input ports listed 0, 3, 5, nr_inport = 3.
    However, we could access refcnts[5] while checking for
    references, like:
    
     [  526.110401] ==================================================================
     [  526.117988] BUG: KASAN: slab-out-of-bounds in funnel_enable+0x54/0x1b0
     [  526.124706] Read of size 4 at addr ffffff8135f9549c by task bash/1114
     [  526.131324]
     [  526.132886] CPU: 3 PID: 1114 Comm: bash Tainted: G S                5.4.25 #232
     [  526.140397] Hardware name: Qualcomm Technologies, Inc. SC7180 IDP (DT)
     [  526.147113] Call trace:
     [  526.149653]  dump_backtrace+0x0/0x188
     [  526.153431]  show_stack+0x20/0x2c
     [  526.156852]  dump_stack+0xdc/0x144
     [  526.160370]  print_address_description+0x3c/0x494
     [  526.165211]  __kasan_report+0x144/0x168
     [  526.169170]  kasan_report+0x10/0x18
     [  526.172769]  check_memory_region+0x1a4/0x1b4
     [  526.177164]  __kasan_check_read+0x18/0x24
     [  526.181292]  funnel_enable+0x54/0x1b0
     [  526.185072]  coresight_enable_path+0x104/0x198
     [  526.189649]  coresight_enable+0x118/0x26c
    
      ...
    
     [  526.237782] Allocated by task 280:
     [  526.241298]  __kasan_kmalloc+0xf0/0x1ac
     [  526.245249]  kasan_kmalloc+0xc/0x14
     [  526.248849]  __kmalloc+0x28c/0x3b4
     [  526.252361]  coresight_register+0x88/0x250
     [  526.256587]  funnel_probe+0x15c/0x228
     [  526.260365]  dynamic_funnel_probe+0x20/0x2c
     [  526.264679]  amba_probe+0xbc/0x158
     [  526.268193]  really_probe+0x144/0x408
     [  526.271970]  driver_probe_device+0x70/0x140
    
     ...
    
     [  526.316810]
     [  526.318364] Freed by task 0:
     [  526.321344] (stack is not available)
     [  526.325024]
     [  526.326580] The buggy address belongs to the object at ffffff8135f95480
     [  526.326580]  which belongs to the cache kmalloc-128 of size 128
     [  526.339439] The buggy address is located 28 bytes inside of
     [  526.339439]  128-byte region [ffffff8135f95480, ffffff8135f95500)
     [  526.351399] The buggy address belongs to the page:
     [  526.356342] page:ffffffff04b7e500 refcount:1 mapcount:0 mapping:ffffff814b00c380 index:0x0 compound_mapcount: 0
     [  526.366711] flags: 0x4000000000010200(slab|head)
     [  526.371475] raw: 4000000000010200 ffffffff05034008 ffffffff0501eb08 ffffff814b00c380
     [  526.379435] raw: 0000000000000000 0000000000190019 00000001ffffffff 0000000000000000
     [  526.387393] page dumped because: kasan: bad access detected
     [  526.393128]
     [  526.394681] Memory state around the buggy address:
     [  526.399619]  ffffff8135f95380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     [  526.407046]  ffffff8135f95400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     [  526.414473] >ffffff8135f95480: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     [  526.421900]                             ^
     [  526.426029]  ffffff8135f95500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     [  526.433456]  ffffff8135f95580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     [  526.440883] ==================================================================
    
    To keep the code simple, we now track the maximum number of
    possible input/output connections to/from this component
    @ nr_inport and nr_outport in platform_data, respectively.
    Thus the output connections could be sparse and the code is
    adjusted to skip the unspecified connections.
    
    Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
    Cc: Mike Leach <mike.leach@linaro.org>
    Reported-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
    Tested-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
    Tested-by: Stephen Boyd <swboyd@chromium.org>
    Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
    Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
    Link: https://lore.kernel.org/r/20200518180242.7916-13-mathieu.poirier@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
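The sizing mistake the commit message describes, reduced to a stand-alone model (added example, not the kernel's coresight code): `funnel_pdata`, `nr_inport_by_count`, `nr_inport_by_max` and `funnel_enable_port` are hypothetical names, and the port list {0, 3, 5} is the constructed input from the message. Sizing `refcnts[]` by the number of listed ports leaves port 5 out of bounds; sizing it by the highest port number covers the sparse list, and the bounds check turns a silent out-of-bounds read into an error return.

```c
#include <stdlib.h>
#include <errno.h>

/* Constructed model of a funnel's platform data; not the kernel's struct. */
struct funnel_pdata {
	int nr_inport;   /* number of entries in refcnts[] */
	int *refcnts;    /* one refcount per input port index */
};

/* Buggy sizing: count the ports the firmware listed. For ports {0,3,5}
 * this yields 3, so refcnts[] covers indices 0..2 and port 5 is past it. */
int nr_inport_by_count(const int *ports, int n)
{
	(void)ports;
	return n;
}

/* Fixed sizing (what the commit message describes): use the highest port
 * number present, so a sparsely populated port list is fully covered. */
int nr_inport_by_max(const int *ports, int n)
{
	int max = -1;

	for (int i = 0; i < n; i++)
		if (ports[i] > max)
			max = ports[i];
	return max + 1;
}

int funnel_alloc(struct funnel_pdata *f, int nr_inport)
{
	f->nr_inport = nr_inport;
	f->refcnts = calloc(nr_inport > 0 ? nr_inport : 1, sizeof(int));
	return f->refcnts ? 0 : -ENOMEM;
}

/* Bounds-checked enable: a port the array does not cover is rejected
 * instead of being read past the allocation (the KASAN report above).
 * Returns the previous refcount (0 means first user) or -EINVAL. */
int funnel_enable_port(struct funnel_pdata *f, int port)
{
	if (port < 0 || port >= f->nr_inport)
		return -EINVAL;
	return f->refcnts[port]++;
}

void funnel_free(struct funnel_pdata *f)
{
	free(f->refcnts);
	f->refcnts = NULL;
	f->nr_inport = 0;
}
```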