diff options
| author | Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org> | 2017-03-07 17:13:44 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-03-07 04:37:23 -0800 |
| commit | db2c9496c893c1df816274cdb4ddd880f5b3e5e4 (patch) | |
| tree | 668d5e4b668c7b5748ae657ad9b7d965ddaa712c /drivers/thermal | |
| parent | ec2354506c7753905505cf442ba3cee7db6a8fe6 (diff) | |
drivers: lmh_dcvsh: Use allocated variable for LMH DCVSh sensor name
LMH DCVSh device uses stack memory for sensor name and passes
this stack variable pointer as devname argument while registering
LMH DCVSh interrupt. But interrupt framework saves this pointer and
try to dereference data in a different context. It leads to a
stack-out-of-bounds issue.
To fix this issue, use allocated memory variable to store sensor
name and pass the same while registering interrupt.
==================================================================
BUG: KASAN: stack-out-of-bounds in strcpy+0x24/0x50 at
addr ffffffc0d37e3ac0
Read of size 1 by task kworker/0:1H/593
==================================================================
page dumped because: kasan: bad access detected
kworker/0:1H Tainted: G W 4.4.21+ #1
------------------------------------------------------------------
Call trace:
[<ffffff900808a78c>] dump_backtrace+0x0/0x2c0
[<ffffff900808aa70>] show_stack+0x24/0x30
[<ffffff90084bd8c4>] dump_stack+0xbc/0xf8
[<ffffff9008263ce8>] kasan_report+0x3b0/0x4f8
[<ffffff900826308c>] __asan_load1+0x24/0x50
[<ffffff90084c8c54>] strcpy+0x24/0x50
[<ffffff90080b2fc8>]
trace_event_raw_event_irq_handler_entry+0x134/0x180
[<ffffff900813e718>] handle_irq_event_percpu+0x33c/0x3e0
[<ffffff900813e828>] handle_irq_event+0x6c/0xb0
[<ffffff9008143bf4>] handle_fasteoi_irq+0x10c/0x1d4
[<ffffff900813d750>] generic_handle_irq+0x40/0x50
[<ffffff900813dbcc>] __handle_domain_irq+0xb0/0xe4
[<ffffff9008081ab8>] gic_handle_irq+0xd8/0x1a0
Memory state around the buggy address:
ffffffc0d37e3980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
ffffffc0d37e3a00: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
ffffffc0d37e3a80: f2 f2 00 00 00 00 00 00 f4 f4 f2 f2 f2 f2 00 00
^
ffffffc0d37e3b00: 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00
ffffffc0d37e3b80: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
==================================================================
CRs-Fixed: 2015855
Change-Id: I22bd8ff4cd6d6a2389be37c35e23fb86221de5c6
Signed-off-by: Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
Diffstat (limited to 'drivers/thermal')
| -rw-r--r-- | drivers/thermal/msm_lmh_dcvs.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/thermal/msm_lmh_dcvs.c b/drivers/thermal/msm_lmh_dcvs.c index 4ebfc713cb28..cff5b6e3fc63 100644 --- a/drivers/thermal/msm_lmh_dcvs.c +++ b/drivers/thermal/msm_lmh_dcvs.c @@ -78,6 +78,7 @@ enum lmh_hw_trips { }; struct msm_lmh_dcvs_hw { + char sensor_name[THERMAL_NAME_LENGTH]; uint32_t affinity; uint32_t temp_limits[LIMITS_TRIP_MAX]; struct sensor_threshold default_lo, default_hi; @@ -381,7 +382,6 @@ static int msm_lmh_dcvs_probe(struct platform_device *pdev) int ret; int affinity = -1; struct msm_lmh_dcvs_hw *hw; - char sensor_name[] = "limits_sensor-00"; struct thermal_zone_device *tzdev; struct thermal_cooling_device *cdev; struct device_node *dn = pdev->dev.of_node; @@ -450,9 +450,9 @@ static int msm_lmh_dcvs_probe(struct platform_device *pdev) * Let's register with thermal framework, so we have the ability * to set low/high thresholds. */ - snprintf(sensor_name, sizeof(sensor_name), "limits_sensor-%02d", + snprintf(hw->sensor_name, sizeof(hw->sensor_name), "limits_sensor-%02d", affinity); - tzdev = thermal_zone_device_register(sensor_name, LIMITS_TRIP_MAX, + tzdev = thermal_zone_device_register(hw->sensor_name, LIMITS_TRIP_MAX, (1 << LIMITS_TRIP_MAX) - 1, hw, &limits_sensor_ops, NULL, 0, 0); if (IS_ERR_OR_NULL(tzdev)) @@ -467,7 +467,7 @@ static int msm_lmh_dcvs_probe(struct platform_device *pdev) * Since we make a check for hi > lo value, set the hi threshold * before the low threshold */ - id = sensor_get_id(sensor_name); + id = sensor_get_id(hw->sensor_name); if (id < 0) return id; @@ -525,7 +525,7 @@ static int msm_lmh_dcvs_probe(struct platform_device *pdev) set_bit(1, hw->is_irq_enabled); ret = devm_request_threaded_irq(&pdev->dev, hw->irq_num, NULL, lmh_dcvs_handle_isr, IRQF_TRIGGER_HIGH | IRQF_ONESHOT - | IRQF_NO_SUSPEND, sensor_name, hw); + | IRQF_NO_SUSPEND, hw->sensor_name, hw); if (ret) { pr_err("Error registering for irq. err:%d\n", ret); return ret; |