mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-01 22:54:01 +00:00
Code Issues Releases Wiki Activity
linux-stable/include/trace/events
History
David Collins bcc1b6b1ed spmi: trace: fix stack-out-of-bound access in SPMI tracing functions 
commit 2af28b241e upstream.

trace_spmi_write_begin() and trace_spmi_read_end() both call
memcpy() with a length of "len + 1".  This leads to one extra
byte being read beyond the end of the specified buffer.  Fix
this out-of-bound memory access by using a length of "len"
instead.

Here is a KASAN log showing the issue:

BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234
Read of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314
...
Call trace:
 dump_backtrace+0x0/0x3e8
 show_stack+0x2c/0x3c
 dump_stack_lvl+0xdc/0x11c
 print_address_description+0x74/0x384
 kasan_report+0x188/0x268
 kasan_check_range+0x270/0x2b0
 memcpy+0x90/0xe8
 trace_event_raw_event_spmi_read_end+0x1d0/0x234
 spmi_read_cmd+0x294/0x3ac
 spmi_ext_register_readl+0x84/0x9c
 regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi]
 _regmap_raw_read+0x40c/0x754
 regmap_raw_read+0x3a0/0x514
 regmap_bulk_read+0x418/0x494
 adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3]
 ...
 __arm64_sys_read+0x4c/0x60
 invoke_syscall+0x80/0x218
 el0_svc_common+0xec/0x1c8
 ...

addr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame:
 adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3]

this frame has 1 object:
 [32, 33) 'status'

Memory state around the buggy address:
 ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
 ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00
                                           ^
 ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00
==================================================================

Fixes: a9fce37481 ("spmi: add command tracepoints for SPMI")
Cc: stable@vger.kernel.org
Reviewed-by: Stephen Boyd <sboyd@kernel.org>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: David Collins <quic_collinsd@quicinc.com>
Link: https://lore.kernel.org/r/20220627235512.2272783-1-quic_collinsd@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-08-17 14:42:20 +02:00
..
9p.h
afs.h netfs, 9p, afs, ceph: Use folios 2021-11-10 21:16:56 +00:00
alarmtimer.h
asoc.h ASoC: soc-core: tidyup jack.h 2020-11-30 12:54:01 +00:00
avc.h selinux: add basic filtering for audit trace events 2020-08-21 17:07:29 -04:00
bcache.h block: remove superfluous param in blk_fill_rwbs() 2021-02-22 06:37:41 -07:00
block.h block: introduce block_rq_error tracepoint 2022-02-11 10:00:16 -07:00
bpf_test_run.h
bridge.h net: bridge: fdb: br_fdb_update can take flags directly 2019-11-01 10:32:43 -07:00
btrfs.h btrfs: add code to support the block group root 2022-03-14 13:13:48 +01:00
cachefiles.h Netfs prep for write helpers 2022-03-31 15:49:36 -07:00
cgroup.h cgroup: Trace event cgroup id fields should be u64 2021-12-01 07:23:35 -10:00
clk.h clk: Trace clk_set_rate() "range" functions 2020-12-17 01:54:31 -08:00
cma.h mm, tracing: unify PFN format strings 2021-06-29 10:53:52 -07:00
compaction.h mm: compaction: cleanup the compaction trace events 2022-03-22 15:57:09 -07:00
context_tracking.h
cpuhp.h
damon.h mm/damon: hide kernel pointer from tracepoint event 2022-01-15 16:30:33 +02:00
devfreq.h PM / devfreq: Add tracepoint for frequency changes 2020-10-26 10:52:37 +09:00
devlink.h devlink: Reduce struct devlink exposure 2021-10-12 16:29:16 -07:00
dlm.h fs: dlm: trace socket handling 2021-11-02 14:39:20 -05:00
dma_fence.h treewide: Add missing semicolons to __assign_str uses 2021-06-30 09:19:14 -04:00
erofs.h erofs: clean up erofs_map_blocks tracepoints 2021-12-09 10:02:10 +08:00
error_report.h panic: use error_report_end tracepoint on warnings 2022-01-20 08:52:55 +02:00
ext4.h Filesystem folio changes for 5.18 2022-03-22 18:26:56 -07:00
f2fs.h f2fs: change the current atomic write way 2022-08-17 14:42:13 +02:00
fib.h
fib6.h
filelock.h locks: Remove extra "0x" in tracepoint format specifier 2020-09-01 18:09:34 -04:00
filemap.h filemap: Convert tracing of page cache operations to folio 2022-01-04 13:15:33 -05:00
fs.h NFS: Move generic FS show macros to global header 2021-11-02 12:31:23 -04:00
fs_dax.h
fscache.h fscache: Add a tracepoint for cookie use/unuse 2022-01-11 22:13:01 +00:00
fsi.h fsi: Add trace events in initialization path 2022-02-21 19:38:54 +10:30
fsi_master_aspeed.h fsi: Add trace events in initialization path 2022-02-21 19:38:54 +10:30
fsi_master_ast_cf.h
fsi_master_gpio.h
gpio.h
gpu_mem.h gpu/trace: Minor comment updates for gpu_mem_total tracepoint 2020-05-07 13:32:57 -04:00
host1x.h
huge_memory.h mm/khugepaged: remove reuse_swap_page() usage 2022-03-24 19:06:51 -07:00
hwmon.h
i2c.h
i2c_slave.h i2c: add tracepoints for I2C slave events 2022-03-20 00:11:05 +01:00
ib_mad.h
ib_umad.h
initcall.h
intel-sst.h
intel_iommu.h iommu/vt-d: Add prq_report trace event 2021-06-10 09:06:13 +02:00
intel_ish.h
io_uring.h io_uring: fix ordering of args in io_uring_queue_async_work 2022-05-12 06:18:58 -06:00
iocost.h blk-iocost: Add iocg idle state tracepoint 2020-12-17 07:55:44 -07:00
iommu.h iommu: Log iova range in map/unmap trace events 2021-12-06 11:59:31 +01:00
ipi.h
irq.h
irq_matrix.h
iscsi.h
jbd2.h jbd2,ext4: add a shrinker to release checkpointed buffers 2021-06-24 10:54:49 -04:00
kmem.h mm, tracing: unify PFN format strings 2021-06-29 10:53:52 -07:00
kvm.h KVM: x86/mmu: Drop trace_kvm_age_page() tracepoint 2021-04-17 08:30:56 -04:00
kyber.h kyber: avoid q->disk dereferences in trace points 2021-10-15 21:02:57 -06:00
libata.h ata: libata: add qc->flags in ata_qc_complete_template tracepoint 2022-06-29 09:04:27 +02:00
lock.h
mce.h
mctp.h mctp: Add SIOCMCTP{ALLOC,DROP}TAG ioctls for tag control 2022-02-09 12:00:11 +00:00
mdio.h
migrate.h mm/migration: add trace events for base page and HugeTLB migrations 2022-03-24 19:06:45 -07:00
mlxsw.h
mmap.h mm: mmap: add trace point of vm_unmapped_area 2020-04-02 09:35:30 -07:00
mmap_lock.h mm: mmap_lock: use DECLARE_EVENT_CLASS and DEFINE_EVENT_FN 2021-11-06 13:30:36 -07:00
mmc.h
mmflags.h kasan, page_alloc: allow skipping memory init for HW_TAGS 2022-03-24 19:06:47 -07:00
module.h
mptcp.h mptcp: add tracepoint in mptcp_sendmsg_frag 2022-03-08 22:06:10 -08:00
napi.h
nbd.h
neigh.h
net.h net: dev: Makes sure netif_rx() can be invoked in any context. 2022-02-14 13:38:35 +00:00
net_probe_common.h
netfs.h netfs: Add a function to consolidate beginning a read 2022-03-18 09:29:05 +00:00
netlink.h netlink: add tracepoint at NL_SET_ERR_MSG 2021-02-04 18:05:59 -08:00
nfs.h NFS: Move NFS protocol display macros to global header 2021-11-02 12:31:23 -04:00
nilfs2.h
nmi.h
objagg.h
oom.h
osnoise.h tracing: Fix spelling in osnoise tracer "interferences" -> "interference" 2021-06-28 14:12:27 -04:00
page_isolation.h
page_pool.h mm, tracing: unify PFN format strings 2021-06-29 10:53:52 -07:00
page_ref.h mm: introduce PAGEFLAGS_MASK to replace ((1UL << NR_PAGEFLAGS) - 1) 2021-09-08 11:50:24 -07:00
pagemap.h mm/lru: Convert __pagevec_lru_add_fn to take a folio 2021-10-18 07:49:40 -04:00
percpu.h
power.h PM: QoS: Simplify definitions of CPU latency QoS trace events 2020-02-13 11:26:39 +01:00
power_cpu_migrate.h
preemptirq.h tracing: Change offset type to s32 in preempt/irq tracepoints 2020-01-03 11:34:37 -05:00
printk.h
pwc.h
pwm.h pwm: Implement tracing for .get_state() and .apply_state() 2020-01-20 12:28:37 +01:00
qdisc.h qdisc: add new field for qdisc_enqueue tracepoint 2021-07-27 14:16:38 +01:00
qla.h scsi: qla2xxx: Suppress two recently introduced compiler warnings 2020-05-19 21:43:01 -04:00
qrtr.h net: qrtr: Add tracepoint support 2020-04-22 12:55:54 -07:00
rcu.h rcu: Refactor rcu_barrier() empty-list handling 2022-02-08 10:12:28 -08:00
rdma.h RDMA/core: Move the rdma_show_ib_cm_event() macro 2020-08-24 16:01:47 -03:00
rdma_core.h RDMA/core: Add trace points to follow MR allocation 2020-01-07 16:10:53 -04:00
regulator.h regulator: core: Add regulator bypass trace points 2020-05-29 17:17:02 +01:00
rpcgss.h sunrpc: fix header include guard in trace header 2021-11-17 18:27:32 -05:00
rpcrdma.h A slow cycle for nfsd: mainly cleanup, including Neil's patch dropping 2021-11-10 16:45:54 -08:00
rpm.h PM-runtime: add tracepoints for usage_count changes 2020-01-13 12:28:29 +01:00
rseq.h
rtc.h
rxrpc.h rxrpc: Fix decision on when to generate an IDLE ACK 2022-06-09 10:30:20 +02:00
sched.h sched/tracing: Append prev_state to tp args instead 2022-05-12 00:37:11 +02:00
scmi.h include: trace: Add new scmi_xfer_response_wait event 2021-12-13 17:45:36 +00:00
scsi.h scsi: core: Kill message byte 2021-05-31 22:48:24 -04:00
sctp.h sctp: move trace_sctp_probe_path into sctp_outq_sack 2019-12-26 13:06:45 -08:00
signal.h
siox.h
skb.h net: tun: track dropped skb via kfree_skb_reason() 2022-03-06 11:04:01 +00:00
smbus.h
sock.h net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer 2022-07-22 10:21:19 +02:00
spi.h spi: Enable tracing of the SPI setup CS selection 2021-05-26 21:22:13 +01:00
spmi.h spmi: trace: fix stack-out-of-bound access in SPMI tracing functions 2022-08-17 14:42:20 +02:00
sunrpc.h NFSD bug fixes for 5.18-rc: 2022-04-12 14:23:19 -10:00
sunrpc_base.h SUNRPC: Tracepoints should display tk_pid and cl_clid as a fixed-size field 2021-10-20 18:09:54 -04:00
sunvnet.h
swiotlb.h
syscalls.h
target.h scsi: target: core: Add CONTROL field for trace events 2020-10-02 18:36:19 -04:00
task.h
tcp.h tcp: add accessors to read/set tp->snd_cwnd 2022-06-14 18:44:56 +02:00
tegra_apb_dma.h
thermal.h thermal: devfreq_cooling: change tracing function and arguments 2020-12-11 14:10:44 +01:00
thermal_power_allocator.h
thp.h mm/migration: add trace events for THP migrations 2022-03-24 19:06:45 -07:00
timer.h tracing: Fix various typos in comments 2021-03-23 14:08:18 -04:00
tlb.h
udp.h
ufs.h scsi: ufs: core: Enable power management for wlun 2021-05-10 22:28:20 -04:00
v4l2.h media: v4l2: abstract timeval handling in v4l2_buffer 2020-01-03 15:43:35 +01:00
vb2.h
vmscan.h tracing: incorrect isolate_mote_t cast in mm_vmscan_lru_isolate 2022-06-09 10:29:51 +02:00
vsock_virtio_transport_common.h virtio/vsock: update trace event for SEQPACKET 2021-06-11 13:32:47 -07:00
wbt.h bdi: use bdi_dev_name() to get device name 2020-05-09 16:07:39 -06:00
workqueue.h workqueue/tracing: Copy workqueue name to buffer in trace event 2021-03-18 12:57:37 -04:00
writeback.h remove congestion tracking framework 2022-03-22 15:57:01 -07:00
xdp.h xdp: Extend xdp_redirect_map with broadcast support 2021-05-26 09:46:16 +02:00
xen.h x86/mm/tlb: Flush remote and local TLBs concurrently 2021-03-06 12:59:10 +01:00