linux/include/trace/events
David Collins dd02510fb4 spmi: trace: fix stack-out-of-bound access in SPMI tracing functions
commit 2af28b241e upstream.

trace_spmi_write_begin() and trace_spmi_read_end() both call
memcpy() with a length of "len + 1".  This leads to one extra
byte being read beyond the end of the specified buffer.  Fix
this out-of-bound memory access by using a length of "len"
instead.

Here is a KASAN log showing the issue:

BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234
Read of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314
...
Call trace:
 dump_backtrace+0x0/0x3e8
 show_stack+0x2c/0x3c
 dump_stack_lvl+0xdc/0x11c
 print_address_description+0x74/0x384
 kasan_report+0x188/0x268
 kasan_check_range+0x270/0x2b0
 memcpy+0x90/0xe8
 trace_event_raw_event_spmi_read_end+0x1d0/0x234
 spmi_read_cmd+0x294/0x3ac
 spmi_ext_register_readl+0x84/0x9c
 regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi]
 _regmap_raw_read+0x40c/0x754
 regmap_raw_read+0x3a0/0x514
 regmap_bulk_read+0x418/0x494
 adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3]
 ...
 __arm64_sys_read+0x4c/0x60
 invoke_syscall+0x80/0x218
 el0_svc_common+0xec/0x1c8
 ...

addr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame:
 adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3]

this frame has 1 object:
 [32, 33) 'status'

Memory state around the buggy address:
 ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
 ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00
                                           ^
 ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00
==================================================================

Fixes: a9fce37481 ("spmi: add command tracepoints for SPMI")
Cc: stable@vger.kernel.org
Reviewed-by: Stephen Boyd <sboyd@kernel.org>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: David Collins <quic_collinsd@quicinc.com>
Link: https://lore.kernel.org/r/20220627235512.2272783-1-quic_collinsd@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-08-21 15:16:15 +02:00
9p.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
afs.h afs: Fix tracepoint string placement with built-in AFS 2021-07-28 14:35:41 +02:00
alarmtimer.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
asoc.h ASoC: trace: remove snd_soc_codec 2018-04-16 11:53:35 +01:00
avc.h selinux: add basic filtering for audit trace events 2020-08-21 17:07:29 -04:00
bcache.h bcache: add set_uuid in struct cache_set 2020-10-02 14:25:30 -06:00
block.h block: remove the request_queue to argument request based tracepoints 2022-08-21 15:15:36 +02:00
bpf_test_run.h selftests: bpf: test writable buffers in raw tps 2019-04-26 19:04:19 -07:00
bridge.h net: bridge: fdb: br_fdb_update can take flags directly 2019-11-01 10:32:43 -07:00
btrfs.h btrfs: use own btree inode io_tree owner id 2020-10-07 12:13:22 +02:00
cachefiles.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36 2019-05-24 17:27:11 +02:00
cgroup.h cgroup: Trace event cgroup id fields should be u64 2022-01-27 10:53:52 +01:00
clk.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
cma.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
compaction.h mm/page_alloc: integrate classzone_idx and high_zoneidx 2020-06-03 20:09:44 -07:00
context_tracking.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cpuhp.h treewide: Switch printk users from %pf and %pF to %ps and %pS, respectively 2019-04-09 14:19:06 +02:00
devfreq.h trace: events: add devfreq trace event file 2019-04-16 09:29:18 +09:00
devlink.h devlink: Add a tracepoint for trap reports 2020-09-30 18:01:26 -07:00
dma_fence.h tracing: Fix header include guards in trace event headers 2019-07-30 21:49:06 -04:00
erofs.h erofs: fix up erofs_lookup tracepoint 2021-09-30 10:11:00 +02:00
ext4.h ext4: fix ext4_fc_stats trace point 2022-04-08 14:39:55 +02:00
f2fs.h f2fs: fix up f2fs_lookup tracepoints 2021-11-26 10:39:12 +01:00
fib.h net: Replace nhc_has_gw with nhc_gw_family 2019-04-08 15:22:40 -07:00
fib6.h ipv6: Add fib6_type and fib6_flags to fib6_result 2019-04-17 23:11:30 -07:00
filelock.h locks: Remove extra "0x" in tracepoint format specifier 2020-09-01 18:09:34 -04:00
filemap.h ftrace: Rework event_create_dir() 2019-11-27 07:44:25 +01:00
fs_dax.h libnvdimm for 4.15 2017-11-17 09:51:57 -08:00
fscache.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36 2019-05-24 17:27:11 +02:00
fsi_master_aspeed.h fsi: aspeed: Add trace points 2019-11-08 11:28:20 +01:00
fsi_master_ast_cf.h fsi: master-ast-cf: Add new FSI master using Aspeed ColdFire 2018-07-23 15:22:52 +10:00
fsi_master_gpio.h fsi: master-gpio: Add more tracepoints 2018-07-12 12:02:31 +10:00
fsi.h trace: fsi: Print transfer size unsigned 2019-11-08 11:23:37 +01:00
gpio.h tracing: stop making gpio tracing configurable 2019-04-08 15:11:48 +02:00
gpu_mem.h gpu/trace: Minor comment updates for gpu_mem_total tracepoint 2020-05-07 13:32:57 -04:00
host1x.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1 2019-05-21 11:28:39 +02:00
huge_memory.h khugepaged: introduce 'max_ptes_shared' tunable 2020-06-03 20:09:46 -07:00
hwmon.h hwmon: (core) Add trace events to _attr_show/store functions 2018-10-11 20:07:35 -07:00
i2c.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36 2019-05-24 17:27:11 +02:00
ib_mad.h IB/MAD: Add SMP details to MAD tracing 2019-03-27 15:52:01 -03:00
ib_umad.h IB/UMAD: Add umad trace points 2019-03-27 15:52:01 -03:00
initcall.h tracing: initcall: Ordered comparison of function pointers 2018-04-26 15:02:46 -04:00
intel_iommu.h iommu/vt-d: trace: Extend map_sg trace event 2020-01-07 14:05:57 +01:00
intel_ish.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
intel-sst.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
io_uring.h io_uring: use poll driven retry for files that support it 2020-03-02 14:06:38 -07:00
iocost.h iocost: add iocg_forgive_debt tracepoint 2020-09-25 08:35:02 -06:00
iommu.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ipi.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
irq_matrix.h
irq.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iscsi.h scsi: iscsi: Capture iscsi debug messages using tracepoints 2018-12-20 20:03:55 -05:00
jbd2.h jbd2: Provide trace event for handle restarts 2019-11-05 16:00:49 -05:00
kmem.h mm, tracing: print symbol name for kmem_alloc_node call_site events 2020-01-31 10:30:38 -08:00
kvm.h KVM: x86: Allow deflecting unknown MSR accesses to user space 2020-09-28 07:58:04 -04:00
kyber.h kyber: fix wrong strlcpy() size in trace_kyber_latency() 2018-11-12 08:28:37 -07:00
libata.h ata: libata: add qc->flags in ata_qc_complete_template tracepoint 2022-06-29 08:59:45 +02:00
lock.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mce.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mdio.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
migrate.h mm/vmstat: add events for THP migration without split 2020-08-12 10:57:57 -07:00
mlxsw.h mlxsw: spectrum_acl: Rename rehash_dis trace 2019-03-31 11:01:23 -07:00
mmap.h mm: mmap: add trace point of vm_unmapped_area 2020-04-02 09:35:30 -07:00
mmc.h mmc: core: Fix tracepoint print of blk_addr and blksz 2018-03-15 11:15:22 +01:00
mmflags.h mm: Add PG_arch_2 page flag 2020-09-04 12:46:06 +01:00
module.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
napi.h tracing: Fix header include guards in trace event headers 2019-07-30 21:49:06 -04:00
nbd.h nbd: add tracepoints for send/receive timing 2019-04-26 19:04:19 -07:00
neigh.h neighbor: Add tracepoint to __neigh_create 2019-05-22 17:50:24 -07:00
net_probe_common.h net: dccp: Add DCCP sendmsg trace event 2018-01-02 14:27:30 -05:00
net.h net: add a generic tracepoint for TX queue timeout 2019-05-04 00:41:41 -04:00
nilfs2.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nmi.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
objagg.h lib: introduce initial implementation of object aggregation manager 2018-11-15 14:43:43 -08:00
oom.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
page_isolation.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
page_pool.h page_pool: Add API to update numa node 2019-11-20 11:47:36 -08:00
page_ref.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pagemap.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
percpu.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
power_cpu_migrate.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
power.h PM: QoS: Simplify definitions of CPU latency QoS trace events 2020-02-13 11:26:39 +01:00
preemptirq.h tracing: Change offset type to s32 in preempt/irq tracepoints 2020-01-03 11:34:37 -05:00
printk.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pwc.h media: usb: pwc: Introduce TRACE_EVENTs for pwc_isoc_handler() 2019-01-16 11:15:11 -05:00
pwm.h pwm: Implement tracing for .get_state() and .apply_state() 2020-01-20 12:28:37 +01:00
qdisc.h net_sched: add a tracepoint for qdisc creation 2020-05-27 15:05:49 -07:00
qla.h scsi: qla2xxx: Suppress two recently introduced compiler warnings 2020-05-19 21:43:01 -04:00
qrtr.h net: qrtr: Add tracepoint support 2020-04-22 12:55:54 -07:00
rcu.h rcu/trace: Print negative GP numbers correctly 2020-08-24 18:36:04 -07:00
rdma_core.h RDMA/core: Add trace points to follow MR allocation 2020-01-07 16:10:53 -04:00
rdma.h RDMA/core: Move the rdma_show_ib_cm_event() macro 2020-08-24 16:01:47 -03:00
regulator.h regulator: core: Add regulator bypass trace points 2020-05-29 17:17:02 +01:00
rpcgss.h SUNRPC: Augment server-side rpcgss tracepoints 2020-07-13 17:28:24 -04:00
rpcrdma.h NFS Client Updates for Linux 5.10 2020-10-20 13:26:30 -07:00
rpm.h PM-runtime: add tracepoints for usage_count changes 2020-01-13 12:28:29 +01:00
rseq.h rseq: Introduce restartable sequences system call 2018-06-06 11:58:31 +02:00
rtc.h rtc: Add tracepoints for RTC system 2018-02-13 21:30:22 +01:00
rxrpc.h rxrpc: Fix decision on when to generate an IDLE ACK 2022-06-09 10:21:12 +02:00
sched.h sched/debug: Add new tracepoint to track cpu_capacity 2020-10-03 16:30:52 +02:00
scmi.h firmware: arm_scmi: Use signed integer to report transfer status 2020-06-30 14:07:08 +01:00
scsi.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sctp.h sctp: move trace_sctp_probe_path into sctp_outq_sack 2019-12-26 13:06:45 -08:00
signal.h signal: Distinguish between kernel_siginfo and siginfo 2018-10-03 16:47:43 +02:00
siox.h siox: add support for tracing 2017-12-19 10:56:24 +01:00
skb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
smbus.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36 2019-05-24 17:27:11 +02:00
sock.h net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer 2022-07-21 21:20:00 +02:00
spi.h spi/trace: Cap buffer contents at 64 bytes 2019-05-02 10:37:52 +09:00
spmi.h spmi: trace: fix stack-out-of-bound access in SPMI tracing functions 2022-08-21 15:16:15 +02:00
sunrpc.h SUNRPC: Ensure we flush any closed sockets before xs_xprt_free() 2022-05-18 10:23:48 +02:00
sunvnet.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
swiotlb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
syscalls.h syscalls: Remove start and number from syscall_get_arguments() args 2019-04-05 09:26:43 -04:00
target.h scsi: target: core: Add CONTROL field for trace events 2020-10-02 18:36:19 -04:00
task.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
tcp.h tcp: remove redundant new line from tcp_event_sk_skb 2019-11-09 19:41:50 -08:00
tegra_apb_dma.h tracing: Fix header include guards in trace event headers 2019-07-30 21:49:06 -04:00
thermal_power_allocator.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
thermal.h cpu_cooling: Drop static-power related stuff 2017-12-07 22:52:01 +01:00
thp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
timer.h y2038: syscall implementation cleanups 2019-12-01 14:00:59 -08:00
tlb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
udp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ufs.h scsi: ufs: Add trace event for UIC commands 2020-06-15 23:35:06 -04:00
v4l2.h media: v4l2: abstract timeval handling in v4l2_buffer 2020-01-03 15:43:35 +01:00
vb2.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
vmscan.h tracing: incorrect isolate_mote_t cast in mm_vmscan_lru_isolate 2022-06-09 10:20:58 +02:00
vsock_virtio_transport_common.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
wbt.h bdi: use bdi_dev_name() to get device name 2020-05-09 16:07:39 -06:00
workqueue.h workqueue: remove workqueue_work event class 2020-01-15 08:02:59 -08:00
writeback.h trace: fix potenial dangerous pointer 2020-11-25 13:03:44 +01:00
xdp.h bpf: cpumap: Implement XDP_REDIRECT for eBPF programs attached to map entries 2020-07-16 17:00:32 +02:00
xen.h x86/paravirt: Remove set_pte_at() pv-op 2020-08-15 13:52:12 +02:00