Commit 1c2c2301 authored by David Keitel, committed by Gerrit - the friendly Code Review server
pinctrl: msm: fix function name allocation length

Currently the pinctrl driver allocates with the length from the
following calculation:

  length = strlen(grp_name) + strlen("-func").

However, this does not take into account the string
terminating character which is used in the subsequent
snprintf, and causes KASan to trigger a bug report:

=============================================================================
BUG kmalloc-64 (Tainted: G    B       ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Slab 0xffffffbc065fb940 objects=64 used=64 fp=0x          (null) flags=0x0080
INFO: Object 0xffffffc0a32c24c0 @offset=1216 fp=0x6365632d696d6468

Bytes b4 ffffffc0a32c24b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffffffc0a32c24c0: 68 64 6d 69 2d 63 65 63 2d 70 69 6e 73 2d 66 75  hdmi-cec-pins-fu
Object ffffffc0a32c24d0: 6e 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00  nc..............
Object ffffffc0a32c24e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffffffc0a32c24f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
CPU: 0 PID: 1 Comm: swapper/0 Tainted: G    B        3.10.49-g465b172-00127-g2b70c1d-dirty #119
Call trace:
[<ffffffc00040a2a4>] dump_backtrace+0x0/0x1d4
[<ffffffc00040a488>] show_stack+0x10/0x1c
[<ffffffc000f97164>] dump_stack+0x1c/0x28
[<ffffffc00054aea0>] print_trailer+0x144/0x158
[<ffffffc00054b1fc>] object_err+0x38/0x4c
[<ffffffc00054fec4>] kasan_report_error+0x210/0x3b0
[<ffffffc000550168>] kasan_report+0x5c/0x68
[<ffffffc00054f754>] __asan_store1+0x70/0x7c
[<ffffffc000766e20>] vsnprintf+0x644/0x69c
[<ffffffc000767034>] snprintf+0x94/0xb0
[<ffffffc000792510>] msm_dt_node_to_map+0x2cc/0x378
[<ffffffc0007915f0>] pinctrl_dt_to_map+0x32c/0x424
[<ffffffc00078ce24>] pinctrl_get+0x1b0/0x53c
[<ffffffc00078d1e4>] devm_pinctrl_get+0x34/0x80
[<ffffffc0009b9150>] pinctrl_bind_pins+0x44/0x1b4
[<ffffffc0009990a4>] driver_probe_device+0x188/0x47c
[<ffffffc000999484>] __driver_attach+0x88/0xc0
[<ffffffc0009963f4>] bus_for_each_dev+0xdc/0x11c
[<ffffffc00099886c>] driver_attach+0x2c/0x3c
[<ffffffc0009981bc>] bus_add_driver+0x1bc/0x32c
[<ffffffc000999cdc>] driver_register+0x10c/0x1d8
[<ffffffc00099b854>] platform_driver_register+0x98/0xa8
[<ffffffc00182aa78>] hdmi_tx_drv_init+0x18/0x4c
[<ffffffc000400b00>] do_one_initcall+0xcc/0x188
[<ffffffc001800b54>] kernel_init_freeable+0x1c0/0x264
[<ffffffc000f89b44>] kernel_init+0x10/0xcc
Memory state around the buggy address:
 ffffffc0a32c2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffffffc0a32c2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffffffc0a32c2480: fb fb fb fb fb fb fb fb 00 00 02 fc fc fc fc fc
                                                  ^
 ffffffc0a32c2500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0a32c2580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Fix this by increasing the allocation to length + 1.

CRs-Fixed: 826566
Change-Id: Ied04500e6b0c0187b2bea0cfaa9adb4080c2f614
Signed-off-by: David Keitel <dkeitel@codeaurora.org>
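As an added illustration (not part of the commit or of the driver source), the user-space C below reproduces the sizing mismatch the message describes: the allocation length is computed without the NUL terminator, while snprintf is assumed to be given length + 1 as its size, which is what the one-byte store inside vsnprintf in the report implies. A sentinel byte placed just past the intended allocation shows whether the terminator lands out of bounds; the group name is the one visible in the report's object dump.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SUFFIX "-func"

/* Length as computed before the fix: characters only, no room for the NUL. */
size_t func_name_len_buggy(const char *grp_name)
{
    return strlen(grp_name) + strlen(SUFFIX);
}

/* Length after the fix: one extra byte for snprintf's terminating NUL. */
size_t func_name_len_fixed(const char *grp_name)
{
    return func_name_len_buggy(grp_name) + 1;
}

/*
 * Models the driver's sequence with an allocation of `alloc_len` bytes and
 * snprintf() told it may use alloc_len + 1 bytes (assumption: this is the
 * size the driver passed, matching the out-of-bounds store in the report).
 * To observe the stray write without corrupting memory, one extra byte is
 * allocated and filled with a sentinel; if the sentinel changes, the NUL
 * terminator was written past the intended allocation.
 * Returns 1 when every write stayed inside `alloc_len` bytes, 0 otherwise.
 */
int format_stays_in_bounds(const char *grp_name, size_t alloc_len)
{
    unsigned char *buf = malloc(alloc_len + 1); /* +1 is the observation slot only */
    if (!buf)
        return 0;
    memset(buf, 0xAA, alloc_len + 1);
    snprintf((char *)buf, alloc_len + 1, "%s" SUFFIX, grp_name);
    int in_bounds = (buf[alloc_len] == 0xAA);
    free(buf);
    return in_bounds;
}

int main(void)
{
    const char *grp = "hdmi-cec-pins"; /* group name from the KASan report */
    printf("buggy length %zu: %s\n", func_name_len_buggy(grp),
           format_stays_in_bounds(grp, func_name_len_buggy(grp)) ? "in bounds" : "NUL written past allocation");
    printf("fixed length %zu: %s\n", func_name_len_fixed(grp),
           format_stays_in_bounds(grp, func_name_len_fixed(grp)) ? "in bounds" : "NUL written past allocation");
    return 0;
}
```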