From patchwork Fri Apr  5 12:22:56 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
X-Patchwork-Id: 10887311
Return-Path: 
 <linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A3E0817E1
	for <patchwork-linux-arm@patchwork.kernel.org>;
 Fri,  5 Apr 2019 12:23:25 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8767D28B60
	for <patchwork-linux-arm@patchwork.kernel.org>;
 Fri,  5 Apr 2019 12:23:25 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 7C01328B70; Fri,  5 Apr 2019 12:23:25 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1
Received: from bombadil.infradead.org (bombadil.infradead.org
 [198.137.202.133])
	(using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 2ABC228B60
	for <patchwork-linux-arm@patchwork.kernel.org>;
 Fri,  5 Apr 2019 12:23:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20170209; h=Sender:
	Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To
	:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:
	List-Owner; bh=9nAJT1iP0lwINbRJAtD2MiawUWllLxVyQYlIJb5OiCI=; b=Gi+1kuz5syWKzD
	JiFCZYEoTkZabGXlPauquaXy6U8hOzLqe5dcv7JDdFmW+801kZW1jS6zJNxhUYXqdu6OoFfC99kgV
	SLJWg8dP6odmQkXMFltCoN8WWxbJq/HQMhPqj/XnJV6JpMAj/I4xLlm+md3DiOPL/4f2lWC+yWBzF
	M9vC7BZXptWGy7JtVpFU8ulvqDlEtsSvDxgg+mgExwN++xRaLbt08SbrV5U2eZXciWiqVx34U5GEa
	hMHdPTlFGHB30oxUp4nwQ4Jxzb6PrAa6SnH6kdmWn2J3e7rqZeCwx2QUHAgVmpqOniUlteBk1PDq7
	TOpNKVl2kef6HrdK+MOg==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux))
	id 1hCNsN-00057i-9C; Fri, 05 Apr 2019 12:23:19 +0000
Received: from smtp.codeaurora.org ([198.145.29.96])
 by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux))
 id 1hCNsK-00057K-8d
 for linux-arm-kernel@lists.infradead.org; Fri, 05 Apr 2019 12:23:17 +0000
Received: by smtp.codeaurora.org (Postfix, from userid 1000)
 id A565161A88; Fri,  5 Apr 2019 12:23:15 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
 s=default; t=1554466995;
 bh=VdLQ+pvShXErJhD2SzInzqS+Emmcdl/7Bmayue6mIjA=;
 h=From:To:Cc:Subject:Date:From;
 b=TMXHlKgvhOEcD0CgV9e8qdKPLLspHU9IDyaGkHj0ak3HyCcabXN35P56db+OjSDOb
 zxK8J2R9seGcqbb10cKxmZxTEmpD0jFJRvigIHCZUkMD0HaBT9n/BefmkzcTP9dsDP
 9RWWAXytbFx4kaeGKWQq4lARglLYovSdIQ2XFMA0=
Received: from blr-ubuntu-253.qualcomm.com
 (blr-bdr-fw-01_globalnat_allzones-outside.qualcomm.com [103.229.18.19])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
 (No client certificate requested)
 (Authenticated sender: saiprakash.ranjan@codeaurora.org)
 by smtp.codeaurora.org (Postfix) with ESMTPSA id B717C60DAD;
 Fri,  5 Apr 2019 12:23:07 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
 s=default; t=1554466993;
 bh=VdLQ+pvShXErJhD2SzInzqS+Emmcdl/7Bmayue6mIjA=;
 h=From:To:Cc:Subject:Date:From;
 b=PGvqBadW6Gv0vu5F3eylkRTQ9Wyll3nMHaSkjvYu+hVAyRgEdIJO4gGEderxkyMBf
 aLsYuR2cg7HgtzrikdedW6yolLYBnipa17lYgN1bgGgfcIX4OIg0Ob++jR6xEG7ywE
 HBJi099KwPLcGzWn0pT1iYxwRsxkf1dqt7Y2LJdg=
DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org B717C60DAD
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
 dmarc=none (p=none dis=none) header.from=codeaurora.org
Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none
 smtp.mailfrom=saiprakash.ranjan@codeaurora.org
From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
To: Alexander Shishkin <alexander.shishkin@linux.intel.com>,
 Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
 Mulu He <muluhe@codeaurora.org>, Tingwei Zhang <tingwei@codeaurora.org>,
 Maxime Coquelin <mcoquelin.stm32@gmail.com>,
 Alexandre Torgue <alexandre.torgue@st.com>,
 linux-stm32@st-md-mailman.stormreply.com,
 Mathieu Poirier <mathieu.poirier@linaro.org>,
 Suzuki K Poulose <suzuki.poulose@arm.com>,
 Mike Leach <mike.leach@linaro.org>, Leo Yan <leo.yan@linaro.org>
Subject: [PATCH] stm class: Fix out of bound access from bitmap allocation
Date: Fri,  5 Apr 2019 17:52:56 +0530
Message-Id: <20190405122256.27840-1-saiprakash.ranjan@codeaurora.org>
X-Mailer: git-send-email 2.21.0
MIME-Version: 1.0
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20190405_052316_336145_6BE5CB6D 
X-CRM114-Status: GOOD (  11.92  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Cc: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>,
 Rajendra Nayak <rnayak@codeaurora.org>, linux-arm-msm@vger.kernel.org,
 linux-kernel@vger.kernel.org, stable@vger.kernel.org,
 Sibi Sankar <sibis@codeaurora.org>,
 Vivek Gautam <vivek.gautam@codeaurora.org>,
 linux-arm-kernel@lists.infradead.org
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Mulu He <muluhe@codeaurora.org>

Bitmap allocation works on array of unsigned longs and
for stm master allocation when the number of software
channels is 32, 4 bytes are allocated and there is a out of
bound access at the first 8 bytes access of bitmap region.

Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
Signed-off-by: Mulu He <muluhe@codeaurora.org>
Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Cc: stable@vger.kernel.org
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Reported-by: Mulu He <muluhe@codeaurora.org>
---
 drivers/hwtracing/stm/core.c | 2 +-
 drivers/hwtracing/stm/stm.h  | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
index 93ce3aa740a9..21a5838f6e67 100644
--- a/drivers/hwtracing/stm/core.c
+++ b/drivers/hwtracing/stm/core.c
@@ -168,7 +168,7 @@ static int stp_master_alloc(struct stm_device *stm, unsigned int idx)
 	struct stp_master *master;
 	size_t size;
 
-	size = ALIGN(stm->data->sw_nchannels, 8) / 8;
+	size = ALIGN(stm->data->sw_nchannels, STM_MASTER_SZ) / STM_MASTER_SZ;
 	size += sizeof(struct stp_master);
 	master = kzalloc(size, GFP_ATOMIC);
 	if (!master)
diff --git a/drivers/hwtracing/stm/stm.h b/drivers/hwtracing/stm/stm.h
index 3569439d53bb..10eac550c75f 100644
--- a/drivers/hwtracing/stm/stm.h
+++ b/drivers/hwtracing/stm/stm.h
@@ -12,6 +12,8 @@
 
 #include <linux/configfs.h>
 
+#define STM_MASTER_SZ sizeof(unsigned long)
+
 struct stp_policy;
 struct stp_policy_node;
 struct stm_protocol_driver;