Commit 7d4de60d authored Aug 30, 2025 by Anders Roxell Committed by Greg Kroah-Hartman Oct 02, 2025

dmaengine: ti: edma: Fix memory allocation size for queue_priority_map



[ Upstream commit e63419dbf2ceb083c1651852209c7f048089ac0f ]

Fix a critical memory allocation bug in edma_setup_from_hw() where
queue_priority_map was allocated with insufficient memory. The code
declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),
but allocated memory using sizeof(s8) instead of the correct size.

This caused out-of-bounds memory writes when accessing:
  queue_priority_map[i][0] = i;
  queue_priority_map[i][1] = i;

The bug manifested as kernel crashes with "Oops - undefined instruction"
on ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the
memory corruption triggered kernel hardening features on Clang.

Change the allocation to use sizeof(*queue_priority_map) which
automatically gets the correct size for the 2D array structure.

Fixes: 2b6b3b74 ("ARM/dmaengine: edma: Merge the two drivers under drivers/dma/")
Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
Link: https://lore.kernel.org/r/20250830094953.3038012-1-anders.roxell@linaro.org


Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent ed4d6126

drivers/dma/ti/edma.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -2029,8 +2029,8 @@ static int edma_setup_from_hw(struct device dev, struct edma_soc_info pdata,
		* priority. So Q0 is the highest priority queue and the last queue has
		* the lowest priority.
		*/
		queue_priority_map = devm_kcalloc(dev, ecc->num_tc + 1, sizeof(s8),
		GFP_KERNEL);
		queue_priority_map = devm_kcalloc(dev, ecc->num_tc + 1,
		sizeof(*queue_priority_map), GFP_KERNEL);
		if (!queue_priority_map)
		return -ENOMEM;