Date:   Thu, 23 Jun 2022 10:02:22 +0900
From:   Kunihiko Hayashi <hayashi.kunihiko@...ionext.com>
To:     Michael Turquette <mturquette@...libre.com>,
        Stephen Boyd <sboyd@...nel.org>
Cc:     linux-clk@...r.kernel.org, linux-kernel@...r.kernel.org,
        Kunihiko Hayashi <hayashi.kunihiko@...ionext.com>,
        Uwe Kleine-König <u.kleine-koenig@...gutronix.de>
Subject: [PATCH] clk: Fix referring to wrong pointer in devm_clk_release()

At bind phase, __devm_clk_get() calls devres_alloc() to allocate devres,
and dr->data is treated as a variable "state".

At unbind phase, release_nodes() calls devm_clk_release() specified by
devres_alloc().

The argument "res" of devm_clk_release() is dr->data, and this entity is
"state". However, in devm_clk_release(), "*res" is treated as "state",
resulting in a pointer inconsistency.

Unbinding a driver caused a panic.

    Unable to handle kernel execute from non-executable memory
    at virtual address ffff000100236810
    ...
    pc : 0xffff000100236810
    lr : devm_clk_release+0x6c/0x9c
    ...
    Call trace:
     0xffff000100236810
     release_nodes+0xb0/0x150
     devres_release_all+0x94/0xf8
     device_unbind_cleanup+0x20/0x70
     device_release_driver_internal+0x114/0x1a0
     device_driver_detach+0x20/0x30

Cc: Uwe Kleine-König <u.kleine-koenig@...gutronix.de>
Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@...ionext.com>
---
 drivers/clk/clk-devres.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/clk/clk-devres.c b/drivers/clk/clk-devres.c
index 43ccd20e0298..1f37ed7ad395 100644
--- a/drivers/clk/clk-devres.c
+++ b/drivers/clk/clk-devres.c
@@ -11,7 +11,7 @@ struct devm_clk_state {
 
 static void devm_clk_release(struct device *dev, void *res)
 {
-	struct devm_clk_state *state = *(struct devm_clk_state **)res;
+	struct devm_clk_state *state = (struct devm_clk_state *)res;
 
 	if (state->exit)
 		state->exit(state->clk);
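Review bot: the explicit cast on the added line is unnecessary, because `res` is declared `void *` in the function signature and converts to `struct devm_clk_state *` implicitly in C. Suggest `struct devm_clk_state *state = res;` instead: the bug being fixed here was itself a wrong cast on this same line, and dropping the cast leaves nothing on it to get out of step with what the caller passes.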
-- 
2.25.1
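The mismatch the commit message describes, as an added example that is not part of the original post or of the kernel source: a userspace model of a devres-style allocation whose release callback is handed the payload pointer. `devres_model`, `model_alloc`, `model_release`, `prepatch_view` and the field order of `devm_clk_state` are assumptions of this model; the pre-patch reading is only computed, never followed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct clk { int enabled; };            /* stand-in for the kernel type */
struct devm_clk_state {                 /* field order is an assumption of this model */
	struct clk *clk;
	void (*exit)(struct clk *clk);
};
struct devres_model {                   /* header, then the caller's payload */
	void (*release)(void *res);
	unsigned char data[];               /* pointer-aligned: header is one pointer */
};
static int exit_calls;
static void clk_exit_model(struct clk *clk) { clk->enabled = 0; exit_calls++; }

/* Like devres_alloc(): the caller gets the payload pointer, not the header. */
static void *model_alloc(void (*release)(void *), size_t size)
{
	struct devres_model *dr = calloc(1, sizeof(*dr) + size);
	if (!dr) return NULL;
	dr->release = release;
	return dr->data;
}
/* Like release_nodes(): the callback receives that same payload pointer. */
static void model_release(void *res)
{
	struct devres_model *dr = (void *)((char *)res - offsetof(struct devres_model, data));
	dr->release(res);
	free(dr);
}
static void release_fixed(void *res)    /* post-patch reading: res is the state */
{
	struct devm_clk_state *state = res;
	if (state->exit) state->exit(state->clk);
}
/* Pre-patch reading (never followed): what *(struct devm_clk_state **)res loads. */
static void *prepatch_view(void *res) { void *p; memcpy(&p, res, sizeof(p)); return p; }

/* 1 = pre-patch view points at the clk, post-patch release ran exit once. */
int demo(void)
{
	struct clk clk = { .enabled = 1 };
	struct devm_clk_state *state = model_alloc(release_fixed, sizeof(*state));
	if (!state) return -1;
	exit_calls = 0; state->clk = &clk; state->exit = clk_exit_model;
	int misread = prepatch_view(state) == (void *)&clk;
	model_release(state);
	return misread && exit_calls == 1 && clk.enabled == 0;
}
int main(void) { printf("demo: %d\n", demo()); return 0; }
```

With the pre-patch cast, `state->exit` would be read out of whatever follows the clk object rather than out of the state, which is consistent with the trace above showing `pc` at a non-executable address and `lr` inside devm_clk_release().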