
Commit ff0f7a8e authored by Manoj Prabhu B

diag: Fix for possible memory corruption
When a peripheral supports more ssids than apps,
a given table entry needs reallocation.
No reallocation causes slab-out-of-bounds reads, seen as
bad access/memory corruption.
This patch fixes the memory availability limitation.

KASAN Report
27.044086:<6> ===========================================================
27.044108:<6> BUG: KASAN: slab-out-of-bounds in diag_cntl_process_read_data+0xeb0/0x10d4 at addr ffffffc033997e6c
27.044112:<6> Read of size 4 by task kworker/u8:9/671
27.044117:<6> ===========================================================
27.044123:<6> BUG kmalloc-128 (Tainted: G B W):kasan: bad access detected
27.044126:<6> -----------------------------------------------------------
27.044136:<6> INFO: Allocated in diag_create_msg_mask_table_entry+0x10c/0x148 age=1444 cpu=3 pid=1
27.044147:<6> alloc_debug_processing+0x118/0x170
27.044153:<6> __slab_alloc.isra.20.constprop.22+0x2a4/0x3a0
27.044159:<6> __kmalloc+0xe8/0x27c
27.044165:<6> diag_create_msg_mask_table_entry+0x108/0x148
27.044170:<6> diag_masks_init+0x30c/0xa1c
27.044184:<6> diagchar_init+0x624/0xa4c
27.044190:<6> do_one_initcall+0x250/0x278
27.044198:<6> kernel_init_freeable+0x1c4/0x268
27.044207:<6> kernel_init+0x10/0xd8
27.044212:<6> ret_from_fork+0xc/0x30
27.044219:<6> INFO: Slab 0xffffffba47b79720 objects=16 used=16 fp=0x (null) flags=0x4080
27.044224:<6> INFO: Object 0xffffffc033997e00 @offset=7680 fp=0xffffffc033997c00
27.044232:<6> Bytes b4 ffffffc033997df0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
27.044238:<6> Object ffffffc033997e00: 1f 00 00 00 1f 00 00 00 1f 00 00 00 1f 00 00 00  ................
27.044244:<6> Object ffffffc033997e10: 1f 00 00 00 1f 00 00 00 1f 00 00 00 1f 00 00 00  ................
27.044249:<6> Object ffffffc033997e20: 1f 00 00 00 1f 00 00 00 1f 00 00 00 1f 00 00 00  ................
27.044255:<6> Object ffffffc033997e30: 1f 00 00 00 1f 00 00 00 1f 00 00 00 1f 00 00 00  ................
27.044260:<6> Object ffffffc033997e40: 1f 00 00 00 1f 00 00 00 1f 00 00 00 1f 00 00 00  ................
27.044266:<6> Object ffffffc033997e50: 1f 00 00 00 1f 00 00 00 1f 00 00 00 1f 00 00 00  ................
27.044271:<6> Object ffffffc033997e60: 1f 00 00 00 1f 00 00 00 1f 00 00 00 00 00 00 00  ................
27.044277:<6> Object ffffffc033997e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
27.044283:<6> Redzone ffffffc033997e80: cc cc cc cc cc cc cc cc  ........
27.044288:<6> Padding ffffffc033997fc0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
27.044294:<6> Padding ffffffc033997fd0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
27.044299:<6> Padding ffffffc033997fe0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
27.044305:<6> Padding ffffffc033997ff0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
27.044315:<6> CPU: 1 PID: 671 Comm: kworker/u8:9 Tainted: G    B   W  3.18.20-g2c703ee #2
27.044319:<6> Hardware name: Qualcomm Technologies, Inc. MSM 8996 v3.0 + PMI8994 MTP (DT)
27.044332:<2> Workqueue: DIAG_SOCKMODEM_CNTL socket_read_work_fn
27.044335:<6> Call trace:
27.044343:<2> [<ffffffc00008a168>] dump_backtrace+0x0/0x1c4
27.044350:<2> [<ffffffc00008a33c>] show_stack+0x10/0x1c
27.044359:<2> [<ffffffc00129a850>] dump_stack+0x74/0xc8
27.044366:<2> [<ffffffc000213d8c>] print_trailer+0x19c/0x1b0
27.044372:<2> [<ffffffc000214788>] object_err+0x3c/0x50
27.044378:<2> [<ffffffc000219918>] kasan_report+0x34c/0x504
27.044385:<2> [<ffffffc000218928>] __asan_load4+0x20/0x74
27.044392:<2> [<ffffffc0006f1594>] diag_cntl_process_read_data+0xeac/0x10d4
27.044399:<2> [<ffffffc0006e67f0>] diagfwd_cntl_read_done+0x78/0xf0
27.044407:<2> [<ffffffc0006e7b38>] diagfwd_channel_read_done+0x154/0x184
27.044414:<2> [<ffffffc0006ebdd4>] diag_socket_read+0x480/0x534
27.044420:<2> [<ffffffc0006e85cc>] diagfwd_channel_read+0x348/0x368
27.044427:<2> [<ffffffc0006eabc4>] socket_read_work_fn+0x20/0x30
27.044437:<2> [<ffffffc0000cabf8>] process_one_work+0x394/0x64c
27.044444:<2> [<ffffffc0000cbfb8>] worker_thread+0x3bc/0x550
27.044450:<2> [<ffffffc0000d256c>] kthread+0x180/0x194
27.044753:<6> coresight-tmc 3028000.tmc: TMC aborted
27.044765:<6> Kernel panic - not syncing: kasan: bad access detected

CRs-Fixed: 993725
Change-Id: I90a6a560900d6c1c3694cce460ae8f772dc3434e
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
parent 182fc241
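A constructed userspace model of the failure mode the commit message describes, added here as an illustration and not taken from the diag driver or from this patch: a mask-table entry is sized from the app-side SSID count at creation time, and a peripheral update that carries more SSIDs than that must grow the entry before any per-SSID access, otherwise the copy runs past the slab object. Every name (mask_entry, mask_entry_update, scenario_overrun, ...) and the 31-versus-40 SSID counts are assumptions; the overrun of the unchecked path is computed rather than performed so the program stays well defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical mask-table entry (not the diag driver's struct): one
 * 32-bit mask per SSID in [ssid_first, ssid_last], allocated from the
 * app-side range when the table is created. */
struct mask_entry {
    uint32_t ssid_first;
    uint32_t ssid_last;   /* inclusive */
    uint32_t range;       /* number of masks allocated behind ptr */
    uint32_t *ptr;
};

/* Size the entry from the app-side SSID range. */
static int mask_entry_create(struct mask_entry *e, uint32_t first, uint32_t last)
{
    if (last < first)
        return -1;
    e->ssid_first = first;
    e->ssid_last = last;
    e->range = last - first + 1;
    e->ptr = calloc(e->range, sizeof(*e->ptr));
    return e->ptr ? 0 : -1;
}

/* Bug condition: bytes an unchecked copy of n masks into ptr would touch
 * beyond the allocation. Computed, not performed; in the kernel this is
 * the condition KASAN reports as slab-out-of-bounds. */
static size_t mask_entry_overrun_bytes(const struct mask_entry *e, uint32_t n)
{
    return n > e->range ? (size_t)(n - e->range) * sizeof(*e->ptr) : 0;
}

/* Fixed path: when the peripheral reports more SSIDs than the entry was
 * sized for, grow the entry first (realloc here, krealloc in-kernel),
 * zero the new tail, then copy. On allocation failure the entry is left
 * untouched and the update is rejected. */
static int mask_entry_update(struct mask_entry *e, const uint32_t *masks, uint32_t n)
{
    if (n > e->range) {
        if (n > SIZE_MAX / sizeof(*e->ptr))
            return -1;                         /* guard the size computation */
        uint32_t *p = realloc(e->ptr, (size_t)n * sizeof(*p));
        if (!p)
            return -1;
        memset(p + e->range, 0, (size_t)(n - e->range) * sizeof(*p));
        e->ptr = p;
        e->range = n;
        e->ssid_last = e->ssid_first + n - 1;
    }
    memcpy(e->ptr, masks, (size_t)n * sizeof(*masks));
    return 0;
}

/* Scenario: app side declared app_ssids SSIDs, peripheral sends
 * periph_ssids masks. Returns the overrun the unchecked path would have. */
static size_t scenario_overrun(uint32_t app_ssids, uint32_t periph_ssids)
{
    struct mask_entry e;
    if (app_ssids == 0 || mask_entry_create(&e, 0, app_ssids - 1) != 0)
        return (size_t)-1;
    size_t overrun = mask_entry_overrun_bytes(&e, periph_ssids);
    free(e.ptr);
    return overrun;
}

/* Same scenario through the fixed path; returns the entry size (in masks)
 * afterwards, or 0 if the update failed or left the entry inconsistent. */
static uint32_t scenario_range_after_fix(uint32_t app_ssids, uint32_t periph_ssids)
{
    struct mask_entry e;
    if (app_ssids == 0 || periph_ssids == 0 || mask_entry_create(&e, 0, app_ssids - 1) != 0)
        return 0;
    uint32_t *masks = malloc((size_t)periph_ssids * sizeof(*masks));
    if (!masks) {
        free(e.ptr);
        return 0;
    }
    for (uint32_t i = 0; i < periph_ssids; i++)
        masks[i] = 0x1f;                        /* constructed sample mask values */
    uint32_t result = 0;
    if (mask_entry_update(&e, masks, periph_ssids) == 0
        && e.ptr[periph_ssids - 1] == 0x1f
        && mask_entry_overrun_bytes(&e, periph_ssids) == 0)
        result = e.range;
    free(masks);
    free(e.ptr);
    return result;
}

int main(void)
{
    printf("overrun without realloc: %zu bytes\n", scenario_overrun(31, 40));
    printf("entry size after fix:    %u masks\n", scenario_range_after_fix(31, 40));
    return 0;
}
```

With 31 app-side SSIDs (124 bytes of masks, which lands in a 128-byte slab cache) and a peripheral update of 40, the unchecked path would read 36 bytes past the object; the growing path ends with a 40-mask entry and no overrun.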