From patchwork Tue May 31 14:00:06 2016
X-Patchwork-Submitter: Krzysztof Kozlowski
X-Patchwork-Id: 9144903
From: Krzysztof Kozlowski
To: Greg Kroah-Hartman, Jiri Slaby, linux-serial@vger.kernel.org, linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org
Cc: Bartlomiej Zolnierkiewicz, Sylwester Nawrocki, Krzysztof Kozlowski
Subject: [PATCH v2 2/2] serial: samsung: Fix possible out of bounds access on non-DT platform
Date: Tue, 31 May 2016 16:00:06 +0200
Message-id: <1464703206-1615-2-git-send-email-k.kozlowski@samsung.com>
In-reply-to: <1464703206-1615-1-git-send-email-k.kozlowski@samsung.com>
References: <1464703206-1615-1-git-send-email-k.kozlowski@samsung.com>

On non-DeviceTree platforms, the index of serial device is a static variable incremented on each probe. It is incremented even if deferred probe happens when getting the clock in s3c24xx_serial_init_port().

This index is used for referencing elements of statically allocated s3c24xx_serial_ports array. In case of re-probe, the index will point outside of this array leading to memory corruption.

Increment the index only on successful probe.
Reported-by: Bartlomiej Zolnierkiewicz Fixes: b497549a035c ("[ARM] S3C24XX: Split serial driver into core and per-cpu drivers") Signed-off-by: Krzysztof Kozlowski --- Not cc-ing stable because: 1. It is just a possibility, not really reproduced (I don't have non-DT platform). 2. I am not sure whether deferred probe may happen on non-DT platform. Changes since v1: 1. New patch. --- drivers/tty/serial/samsung.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c index f0bd2ec0db59..4d2924f61e0b 100644 --- a/drivers/tty/serial/samsung.c +++ b/drivers/tty/serial/samsung.c @@ -1844,8 +1844,6 @@ static int s3c24xx_serial_probe(struct platform_device *pdev) ourport->min_dma_size = max_t(int, ourport->port.fifosize, dma_get_cache_alignment()); - probe_index++; - dbg("%s: initialising port %p...\n", __func__, ourport); ret = s3c24xx_serial_init_port(ourport, pdev); @@ -1875,6 +1873,8 @@ static int s3c24xx_serial_probe(struct platform_device *pdev) if (ret < 0) dev_err(&pdev->dev, "failed to add cpufreq notifier\n"); + probe_index++; + return 0; }
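Review bot: in the first hunk (@@ -1844), everything from the s3c24xx_serial_init_port(ourport, pdev) call down to the new increment now runs with the not-yet-advanced probe_index, where it previously ran with the advanced value. Please confirm that nothing on that path reads probe_index expecting the old ordering, and mention that in the commit message so the move is visibly safe.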
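Review bot: in the second hunk (@@ -1875), the probe_index++ placed just before return 0 is still unbounded as far as these lines show. The commit message says the index selects an element of the statically allocated s3c24xx_serial_ports array. Unless a range check already exists where the port is picked, consider failing the probe once the index reaches ARRAY_SIZE(s3c24xx_serial_ports). Repeated successful probes then cannot step past the array either, and the fix no longer depends on the ordering alone.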