From: Xingang Wang wangxingang5@huawei.com
ascend inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I49RB2 CVE: NA
---------------------------------------------------
[ 0.596145] BUG: KASAN: global-out-of-bounds in __of_match_node.part.0+0xe0/0x110 [ 0.596731] Read of size 1 at addr ffff2000099a8288 by task swapper/0/1 [ 0.597247] [ 0.597372] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.90+ #34 [ 0.597858] Hardware name: linux,dummy-virt (DT) [ 0.598243] Call trace: [ 0.598443] dump_backtrace+0x0/0x360 [ 0.598734] show_stack+0x24/0x30 [ 0.599004] dump_stack+0xdc/0x128 [ 0.599323] print_address_description+0x184/0x278 [ 0.599771] kasan_report+0x204/0x330 [ 0.600117] __asan_report_load1_noabort+0x30/0x40 [ 0.600566] __of_match_node.part.0+0xe0/0x110 [ 0.600980] of_match_node+0x6c/0xa8 [ 0.601316] of_match_device+0x48/0x70 [ 0.601669] platform_match+0xa4/0x260 [ 0.602037] __driver_attach+0x68/0x128 [ 0.602397] bus_for_each_dev+0x118/0x198 [ 0.602773] driver_attach+0x48/0x60 [ 0.603112] bus_add_driver+0x330/0x658 [ 0.603472] driver_register+0x148/0x398 [ 0.603839] __platform_driver_register+0xd4/0x108 [ 0.604288] arm_mpam_driver_init+0x64/0x78 [ 0.604680] do_one_initcall+0xbc/0x488 [ 0.605039] kernel_init_freeable+0x604/0x6f8 [ 0.605447] kernel_init+0x18/0x130 [ 0.605775] ret_from_fork+0x10/0x18 [ 0.606130] [ 0.606274] The buggy address belongs to the variable: [ 0.606754] arm_mpam_of_device_ids+0xc8/0x380 [ 0.607168] [ 0.607314] Memory state around the buggy address: [ 0.607762] ffff2000099a8180: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 [ 0.608429] ffff2000099a8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 0.609095] >ffff2000099a8280: 00 fa fa fa fa fa fa fa 05 fa fa fa fa fa fa fa [ 0.609760] ^ [ 0.610101] ffff2000099a8300: 00 00 07 fa fa fa fa fa 00 04 fa fa fa fa fa fa [ 0.610771] ffff2000099a8380: 00 00 00 06 fa fa fa fa 00 01 fa fa fa fa fa fa
The arm_mpam_of_device_ids array has no end item, so the array access might be out of bounds. When enable the KASAN config, the out of bounds call trace occured. The add empty end item for arm_mpam_of_device_ids array to fix this issue.
Fixes: b45bdb5a8604 ("arm64/mpam: add device tree support for mpam initialization") Signed-off-by: Xingang Wang wangxingang5@huawei.com Reviewed-by: Cheng Jian cj.chengjian@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- arch/arm64/kernel/mpam/mpam_device.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/arch/arm64/kernel/mpam/mpam_device.c b/arch/arm64/kernel/mpam/mpam_device.c index c7b5c50d431bd..4e882e81cf416 100644 --- a/arch/arm64/kernel/mpam/mpam_device.c +++ b/arch/arm64/kernel/mpam/mpam_device.c @@ -1715,6 +1715,7 @@ void mpam_component_get_config(struct mpam_component *comp,
static const struct of_device_id arm_mpam_of_device_ids[] = { {.compatible = "arm,mpam"}, + { } };
static int of_mpam_parse_irq(struct platform_device *pdev,