kernel_samsung_a53x/drivers/spi
Han Xu cf311de33d spi: nxp-fspi: fix the KASAN report out-of-bounds bug
commit 2a8787c1cdc7be24fdd8953ecd1a8743a1006235 upstream.

Change the memcpy length to fix the out-of-bounds issue when writing the
data that is not 4 byte aligned to TX FIFO.

To reproduce the issue, write 3 bytes of data to the NOR chip.

dd if=3b of=/dev/mtd0
[   36.926103] ==================================================================
[   36.933409] BUG: KASAN: slab-out-of-bounds in nxp_fspi_exec_op+0x26ec/0x2838
[   36.940514] Read of size 4 at addr ffff00081037c2a0 by task dd/455
[   36.946721]
[   36.948235] CPU: 3 UID: 0 PID: 455 Comm: dd Not tainted 6.11.0-rc5-gc7b0e37c8434 #1070
[   36.956185] Hardware name: Freescale i.MX8QM MEK (DT)
[   36.961260] Call trace:
[   36.963723]  dump_backtrace+0x90/0xe8
[   36.967414]  show_stack+0x18/0x24
[   36.970749]  dump_stack_lvl+0x78/0x90
[   36.974451]  print_report+0x114/0x5cc
[   36.978151]  kasan_report+0xa4/0xf0
[   36.981670]  __asan_report_load_n_noabort+0x1c/0x28
[   36.986587]  nxp_fspi_exec_op+0x26ec/0x2838
[   36.990800]  spi_mem_exec_op+0x8ec/0xd30
[   36.994762]  spi_mem_no_dirmap_read+0x190/0x1e0
[   36.999323]  spi_mem_dirmap_write+0x238/0x32c
[   37.003710]  spi_nor_write_data+0x220/0x374
[   37.007932]  spi_nor_write+0x110/0x2e8
[   37.011711]  mtd_write_oob_std+0x154/0x1f0
[   37.015838]  mtd_write_oob+0x104/0x1d0
[   37.019617]  mtd_write+0xb8/0x12c
[   37.022953]  mtdchar_write+0x224/0x47c
[   37.026732]  vfs_write+0x1e4/0x8c8
[   37.030163]  ksys_write+0xec/0x1d0
[   37.033586]  __arm64_sys_write+0x6c/0x9c
[   37.037539]  invoke_syscall+0x6c/0x258
[   37.041327]  el0_svc_common.constprop.0+0x160/0x22c
[   37.046244]  do_el0_svc+0x44/0x5c
[   37.049589]  el0_svc+0x38/0x78
[   37.052681]  el0t_64_sync_handler+0x13c/0x158
[   37.057077]  el0t_64_sync+0x190/0x194
[   37.060775]
[   37.062274] Allocated by task 455:
[   37.065701]  kasan_save_stack+0x2c/0x54
[   37.069570]  kasan_save_track+0x20/0x3c
[   37.073438]  kasan_save_alloc_info+0x40/0x54
[   37.077736]  __kasan_kmalloc+0xa0/0xb8
[   37.081515]  __kmalloc_noprof+0x158/0x2f8
[   37.085563]  mtd_kmalloc_up_to+0x120/0x154
[   37.089690]  mtdchar_write+0x130/0x47c
[   37.093469]  vfs_write+0x1e4/0x8c8
[   37.096901]  ksys_write+0xec/0x1d0
[   37.100332]  __arm64_sys_write+0x6c/0x9c
[   37.104287]  invoke_syscall+0x6c/0x258
[   37.108064]  el0_svc_common.constprop.0+0x160/0x22c
[   37.112972]  do_el0_svc+0x44/0x5c
[   37.116319]  el0_svc+0x38/0x78
[   37.119401]  el0t_64_sync_handler+0x13c/0x158
[   37.123788]  el0t_64_sync+0x190/0x194
[   37.127474]
[   37.128977] The buggy address belongs to the object at ffff00081037c2a0
[   37.128977]  which belongs to the cache kmalloc-8 of size 8
[   37.141177] The buggy address is located 0 bytes inside of
[   37.141177]  allocated 3-byte region [ffff00081037c2a0, ffff00081037c2a3)
[   37.153465]
[   37.154971] The buggy address belongs to the physical page:
[   37.160559] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x89037c
[   37.168596] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[   37.175149] page_type: 0xfdffffff(slab)
[   37.179021] raw: 0bfffe0000000000 ffff000800002500 dead000000000122 0000000000000000
[   37.186788] raw: 0000000000000000 0000000080800080 00000001fdffffff 0000000000000000
[   37.194553] page dumped because: kasan: bad access detected
[   37.200144]
[   37.201647] Memory state around the buggy address:
[   37.206460]  ffff00081037c180: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
[   37.213701]  ffff00081037c200: fa fc fc fc 05 fc fc fc 03 fc fc fc 02 fc fc fc
[   37.220946] >ffff00081037c280: 06 fc fc fc 03 fc fc fc fc fc fc fc fc fc fc fc
[   37.228186]                                ^
[   37.232473]  ffff00081037c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.239718]  ffff00081037c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.246962] ==================================================================
[   37.254394] Disabling lock debugging due to kernel taint
0+1 records in
0+1 records out
3 bytes copied, 0.335911 s, 0.0 kB/s

Fixes: a5356aef6a90 ("spi: spi-mem: Add driver for NXP FlexSPI controller")
Cc: stable@kernel.org
Signed-off-by: Han Xu <han.xu@nxp.com>
Link: https://patch.msgid.link/20240911211146.3337068-1-han.xu@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-23 23:21:13 +01:00
atmel-quadspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
internals.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Kconfig spi: spi-zynqmp-gqspi: fix driver kconfig dependencies 2024-11-18 12:12:20 +01:00
Makefile Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-altera.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-amd.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-ar934x.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-armada-3700.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-at91-usart.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-ath79.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-atmel.c spi: atmel: Fix PDC transfer setup bug 2024-11-18 12:12:04 +01:00
spi-au1550.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-axi-spi-engine.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-bcm-qspi.c spi: bcm-qspi: fix SFDP BFPT read by usig mspi read 2024-11-18 12:13:07 +01:00
spi-bcm-qspi.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-bcm63xx-hsspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-bcm63xx.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-bcm2835.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-bcm2835aux.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-bitbang-txrx.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-bitbang.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-brcmstb-qspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-butterfly.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-cadence-quadspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-cadence.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-cavium-octeon.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-cavium-thunderx.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-cavium.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-cavium.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-clps711x.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-coldfire-qspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-davinci.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-dln2.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-dw-bt1.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-dw-core.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-dw-dma.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-dw-mmio.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-dw-pci.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-dw.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-efm32.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-ep93xx.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-falcon.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-fsi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-fsl-cpm.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-fsl-cpm.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-fsl-dspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-fsl-espi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-fsl-lib.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-fsl-lib.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-fsl-lpspi.c spi: spi-fsl-lpspi: Fix scldiv calculation 2024-11-23 23:20:27 +01:00
spi-fsl-qspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-fsl-spi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-fsl-spi.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-geni-qcom.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-gpio.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-hisi-sfc-v3xx.c spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected 2024-11-18 22:25:32 +01:00
spi-img-spfi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-imx.c spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices 2024-11-19 14:19:50 +01:00
spi-iproc-qspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-jcore.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-lantiq-ssc.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-lm70llp.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-loopback-test.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-lp8841-rtc.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-mem.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-meson-spicc.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-meson-spifc.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-mpc52xx-psc.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-mpc52xx.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-mpc512x-psc.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-mt65xx.c spi: spi-mt65xx: Fix NULL pointer access in interrupt handler 2024-11-19 08:45:00 +01:00
spi-mt7621.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-mtk-nor.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-mux.c spi: mux: set ctlr->bits_per_word_mask 2024-11-19 14:19:50 +01:00
spi-mxic.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-mxs.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-npcm-fiu.c spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0 2024-11-18 10:58:46 +01:00
spi-npcm-pspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-nxp-fspi.c spi: nxp-fspi: fix the KASAN report out-of-bounds bug 2024-11-23 23:21:13 +01:00
spi-oc-tiny.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-omap-100k.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-omap-uwire.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-omap2-mcspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-orion.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-pic32-sqi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-pic32.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-pl022.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-ppc4xx.c spi: ppc4xx: Drop write-only variable 2024-11-18 12:13:28 +01:00
spi-pxa2xx-dma.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-pxa2xx-pci.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-pxa2xx.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-pxa2xx.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-qcom-qspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-qup.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-rb4xx.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-rockchip.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-rpc-if.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-rspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-s3c24xx-regs.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-s3c24xx.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-s3c64xx.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-sc18is602.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-sh-hspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-sh-msiof.c spi: sh-msiof: avoid integer overflow in constants 2024-11-18 22:25:33 +01:00
spi-sh-sci.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-sh.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-sifive.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-sirf.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-slave-mt27xx.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-slave-system-control.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-slave-time.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-sprd-adi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-sprd.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-st-ssc4.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-stm32-qspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-stm32.c spi: stm32: Don't warn about spurious interrupts 2024-11-19 12:27:10 +01:00
spi-sun4i.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-sun6i.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-synquacer.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-tegra20-sflash.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-tegra20-slink.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-tegra114.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-test.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-ti-qspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-tle62x0.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-topcliff-pch.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-txx9.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-uniphier.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-xcomm.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-xilinx.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-xlp.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-xtensa-xtfpga.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-zynq-qspi.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi-zynqmp-gqspi.c Revert "spi: spi-zynqmp-gqspi: Fix runtime PM imbalance in zynqmp_qspi_probe" 2024-11-08 11:25:47 +01:00
spi.c spi: Don't mark message DMA mapped when no transfer in it is 2024-11-19 12:27:10 +01:00
spidev.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00