linux/drivers/irqchip
Vladimir Murzin 614be38552 irqchip: gic-v3: Fix out of bounds access to cpu_logical_map
While playing with KASan support for arm64/arm the following appeared on boot:

==================================================================
BUG: AddressSanitizer: out of bounds access in __asan_load8+0x14/0x1c at addr ffffffc000ad0dc0
Read of size 8 by task swapper/0/1
page:ffffffbdc202b400 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x400(reserved)
page dumped because: kasan: bad access detected
Address belongs to variable __cpu_logical_map+0x200/0x220
CPU: 2 PID: 1 Comm: swapper/0 Not tainted 3.19.0-rc6-next-20150129+ #481
Hardware name: FVP Base (DT)
Call trace:
[<ffffffc00008a794>] dump_backtrace+0x0/0x184
[<ffffffc00008a928>] show_stack+0x10/0x1c
[<ffffffc00075e46c>] dump_stack+0xa0/0xf8
[<ffffffc0001df490>] kasan_report_error+0x23c/0x264
[<ffffffc0001e0188>] check_memory_region+0xc0/0xe4
[<ffffffc0001dedf0>] __asan_load8+0x10/0x1c
[<ffffffc000431294>] gic_raise_softirq+0xc4/0x1b4
[<ffffffc000091fc0>] smp_send_reschedule+0x30/0x3c
[<ffffffc0000f0d1c>] try_to_wake_up+0x394/0x434
[<ffffffc0000f0de8>] wake_up_process+0x2c/0x6c
[<ffffffc0000d9570>] wake_up_worker+0x38/0x48
[<ffffffc0000dbb50>] insert_work+0xac/0xec
[<ffffffc0000dbd38>] __queue_work+0x1a8/0x374
[<ffffffc0000dbf60>] queue_work_on+0x5c/0x7c
[<ffffffc0000d8a78>] call_usermodehelper_exec+0x170/0x188
[<ffffffc0004037b8>] kobject_uevent_env+0x650/0x6bc
[<ffffffc000403830>] kobject_uevent+0xc/0x18
[<ffffffc00040292c>] kset_register+0xa8/0xc8
[<ffffffc0004d6c88>] bus_register+0x134/0x2e8
[<ffffffc0004d73b4>] subsys_virtual_register+0x2c/0x5c
[<ffffffc000a76a4c>] wq_sysfs_init+0x14/0x20
[<ffffffc000082a28>] do_one_initcall+0xa8/0x1fc
[<ffffffc000a70db4>] kernel_init_freeable+0x1ec/0x294
[<ffffffc00075aa5c>] kernel_init+0xc/0xec
Memory state around the buggy address:
 ffffff80003e0820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffff80003e0830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffff80003e0840: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
                   ^
 ffffff80003e0850: 00 00 fa fa fa fa fa fa 00 00 00 00 00 00 00 00
==================================================================

The reason for that is that cpumask_next() returns >= nr_cpu_ids if no further cpus
are set, but only the "==" condition is checked, so we end up with an out-of-bounds
access to cpu_logical_map.

The fix is to use the condition check for cpumask_next.

Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Link: https://lkml.kernel.org/r/1425659870-11832-7-git-send-email-marc.zyngier@arm.com
Signed-off-by: Jason Cooper <jason@lakedaemon.net>
2015-03-08 05:33:29 +00:00
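The termination bug the commit describes, as an added, stand-alone model (not the kernel's code and not the driver's): a toy cpumask over a 64-slot bitmap, where the "no further cpu" return value of cpumask_next() is the bitmap width (NR_CPUS, assumed 64) rather than nr_cpu_ids (assumed 4), exactly the gap a bare "==" test misses. The target-list walk is shaped like the GICv3 SGI path in the report; cpu_logical_map_arr, compute_target_list, raise_sgi and the MPIDR values are assumptions, and the accessor counts bad indices instead of faulting so both variants can be run side by side.

```c
/* Added example modelling the cpumask_next() "==" vs ">=" bug; not kernel code. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define NR_CPUS 64                         /* assumption: compile-time CPU slots */
static const unsigned int nr_cpu_ids = 4;  /* assumption: CPUs actually present */

typedef uint64_t cpumask_t;                /* bit n set == cpu n is in the mask */

/* Toy __cpu_logical_map: an MPIDR-like value per slot; cpus 2,3 in cluster 1. */
static uint64_t cpu_logical_map_arr[NR_CPUS] = { 0x0, 0x1, 0x100, 0x101 };

static unsigned int oob_reads;             /* bad indices seen since last reset */

/* Bounds-checked accessor: records the out-of-bounds read instead of crashing. */
static uint64_t cpu_logical_map(unsigned int cpu)
{
	if (cpu >= NR_CPUS) {
		oob_reads++;
		return 0;
	}
	return cpu_logical_map_arr[cpu];
}

/*
 * Next set bit after `cpu`, or NR_CPUS if there is none. Like find_next_bit()
 * over a fixed-width bitmap, the "none" value is the bitmap width, which is
 * >= nr_cpu_ids but not necessarily == nr_cpu_ids.
 */
static unsigned int cpumask_next(unsigned int cpu, cpumask_t mask)
{
	for (unsigned int n = cpu + 1; n < NR_CPUS; n++)
		if (mask & ((cpumask_t)1 << n))
			return n;
	return NR_CPUS;
}

static unsigned int cpumask_first(cpumask_t mask)
{
	return (mask & 1) ? 0 : cpumask_next(0, mask);
}

/*
 * Collect the cpus of one cluster starting at *base_cpu, as the SGI path does.
 * strict_eq=true uses the buggy "==" termination test, false the ">=" fix.
 */
static uint16_t compute_target_list(unsigned int *base_cpu, cpumask_t mask,
				    uint64_t cluster_id, bool strict_eq)
{
	unsigned int cpu = *base_cpu;
	uint64_t mpidr = cpu_logical_map(cpu);
	uint16_t tlist = 0;

	while (cpu < nr_cpu_ids) {
		tlist |= (uint16_t)(1u << (mpidr & 0xf));

		cpu = cpumask_next(cpu, mask);
		/* Buggy variant only stops when "none" happens to equal nr_cpu_ids. */
		if (strict_eq ? (cpu == nr_cpu_ids) : (cpu >= nr_cpu_ids))
			break;

		mpidr = cpu_logical_map(cpu);   /* index NR_CPUS here is the OOB read */

		if (cluster_id != (mpidr & ~0xffULL)) {
			cpu--;                  /* let the outer walk re-find this cpu */
			break;
		}
	}
	*base_cpu = cpu;
	return tlist;
}

/* One SGI send over `mask`; returns how many out-of-bounds map reads it did. */
static unsigned int raise_sgi(cpumask_t mask, bool strict_eq)
{
	oob_reads = 0;
	for (unsigned int cpu = cpumask_first(mask); cpu < nr_cpu_ids;
	     cpu = cpumask_next(cpu, mask)) {
		uint64_t cluster_id = cpu_logical_map(cpu) & ~0xffULL;
		uint16_t tlist = compute_target_list(&cpu, mask, cluster_id, strict_eq);
		(void)tlist;                    /* a real driver writes the SGI register here */
	}
	return oob_reads;
}

int main(void)
{
	printf("mask 0xF, '==' check: %u OOB reads\n", raise_sgi(0xF, true));
	printf("mask 0xF, '>=' check: %u OOB reads\n", raise_sgi(0xF, false));
	return 0;
}
```

With the "==" test every send whose last cpu is followed by no further set bit reads one slot past the map; the ">=" test never does. The walk still splits the mask by cluster correctly in both variants, which is why the bug is silent without KASan: the stray read feeds only the cluster comparison for an iteration that is about to terminate anyway.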
exynos-combiner.c irqchip: exynos-combiner: Fix compilation error on ARM64 2014-09-03 11:56:39 +00:00
irq-armada-370-xp.c Merge branch 'irq-irqdomain-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-12-10 09:01:01 -08:00
irq-atmel-aic5.c genirq: Generic chip: Change irq_reg_{readl,writel} arguments 2014-11-09 04:01:22 +00:00
irq-atmel-aic-common.c irqchip: atmel-aic-common: Prevent clobbering of priority when changing IRQ type 2015-01-07 12:41:45 +00:00
irq-atmel-aic-common.h irqchip: atmel-aic: Add irq fixup for RTT block 2014-11-09 04:36:38 +00:00
irq-atmel-aic.c Merge branch 'irqchip/atmel' into irqchip/core 2014-11-26 07:02:27 +00:00
irq-bcm2835.c irqchip: Remove asmlinkage from static functions 2014-03-12 13:00:41 +01:00
irq-bcm7120-l2.c Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-12-10 08:38:57 -08:00
irq-brcmstb-l2.c Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-12-10 08:38:57 -08:00
irq-clps711x.c irqchip: clps711x: Convert to handle_domain_irq 2014-09-03 13:10:32 +00:00
irq-crossbar.c irqchip: crossbar: Off by one bugs in init 2014-08-18 11:48:11 +00:00
irq-digicolor.c irqchip: Conexant CX92755 interrupts controller driver 2015-01-26 11:38:23 +01:00
irq-dw-apb-ictl.c irqchip: dw-apb-ictl: Add PM support 2014-11-26 16:08:03 +00:00
irq-gic-common.c irqchip: gic: Allow interrupt level to be set for PPIs 2015-01-26 11:38:23 +01:00
irq-gic-common.h irqchip: gic: Allow interrupt level to be set for PPIs 2015-01-26 11:38:23 +01:00
irq-gic-v2m.c irqchip: gic-v2m: Add support for ARM GICv2m MSI(-X) doorbell 2014-11-26 15:55:18 +00:00
irq-gic-v3-its.c irqchip: gicv3-its: Fix unsafe locking reported by lockdep 2015-03-08 05:33:00 +00:00
irq-gic-v3.c irqchip: gic-v3: Fix out of bounds access to cpu_logical_map 2015-03-08 05:33:29 +00:00
irq-gic.c irqchip: gic: Fix unsafe locking reported by lockdep 2015-03-08 05:33:06 +00:00
irq-hip04.c irqchip: gic: Allow interrupt level to be set for PPIs 2015-01-26 11:38:23 +01:00
irq-imgpdc.c
irq-keystone.c irqchip: drop owner assignment from platform_drivers 2014-10-20 16:20:42 +02:00
irq-metag-ext.c irq-metag*: stop set_affinity vectoring to offline cpus 2014-02-25 22:35:06 +00:00
irq-metag.c irq-metag*: stop set_affinity vectoring to offline cpus 2014-02-25 22:35:06 +00:00
irq-mips-gic.c Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2015-02-21 19:41:38 -08:00
irq-mmp.c irqchip: mmp: Convert to handle_domain_irq 2014-09-03 13:10:34 +00:00
irq-moxart.c irqchip: Remove asmlinkage from static functions 2014-03-12 13:00:41 +01:00
irq-mtk-sysirq.c irqchip: mtk-sysirq: Get irq number from register resource size 2015-01-26 11:38:22 +01:00
irq-mxs.c irqchip: mxs: Convert to handle_domain_irq 2014-09-03 13:10:35 +00:00
irq-nvic.c irqchip: nvic: Use the generic noop function 2014-06-21 02:12:42 +00:00
irq-omap-intc.c irqchip: omap-intc: Remove unused legacy interface for omap2 2015-01-26 11:38:23 +01:00
irq-or1k-pic.c irqchip: or1k-pic: Convert to handle_domain_irq 2014-09-03 13:10:54 +00:00
irq-orion.c irqchip: orion: Convert to handle_domain_irq 2014-09-03 13:10:37 +00:00
irq-renesas-intc-irqpin.c irqchip: renesas-intc-irqpin: r8a7779 IRLM setup support 2015-01-26 11:38:22 +01:00
irq-renesas-irqc.c irqchip: drop owner assignment from platform_drivers 2014-10-20 16:20:42 +02:00
irq-s3c24xx.c irqchip: s3c24xx: Convert to handle_domain_irq 2014-09-03 13:10:38 +00:00
irq-sirfsoc.c irqchip: sirfsoc: Convert to handle_domain_irq 2014-09-03 13:10:40 +00:00
irq-sun4i.c irqchip: sun4i: Convert to handle_domain_irq 2014-09-03 13:10:42 +00:00
irq-sunxi-nmi.c genirq: Generic chip: Change irq_reg_{readl,writel} arguments 2014-11-09 04:01:22 +00:00
irq-tb10x.c genirq: Generic chip: Change irq_reg_{readl,writel} arguments 2014-11-09 04:01:22 +00:00
irq-versatile-fpga.c irqchip: versatile-fpga: Convert to handle_domain_irq 2014-09-03 13:10:43 +00:00
irq-vic.c irqchip: vic: Convert to handle_domain_irq 2014-09-03 13:10:45 +00:00
irq-vt8500.c irqchip: vt8500: Convert to handle_domain_irq 2014-09-03 13:10:46 +00:00
irq-xtensa-mx.c irqchip: xtensa: Select only an online cpu 2014-03-04 17:37:55 +01:00
irq-xtensa-pic.c xtensa: move built-in PIC to drivers/irqchip 2014-01-14 10:19:56 -08:00
irq-zevio.c irqchip: zevio: Convert to handle_domain_irq 2014-09-03 13:10:48 +00:00
irqchip.c irqchip: align irqchip OF match table section naming 2014-05-20 14:24:40 -05:00
irqchip.h of: consolidate linker section OF match table declarations 2014-05-20 14:25:24 -05:00
Kconfig Merge branch 'irq-irqdomain-arm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-12-15 17:30:09 -08:00
Makefile irqchip: Conexant CX92755 interrupts controller driver 2015-01-26 11:38:23 +01:00
spear-shirq.c irqchip: spear_shirq: Simplify register access code 2014-06-24 12:38:45 +00:00