| From afd3b9edca5317d724c7ca8b365bc5e8335e36f4 Mon Sep 17 00:00:00 2001 |
| From: Marc Zyngier <maz@kernel.org> |
| Date: Sat, 18 Apr 2020 19:14:57 +0100 |
| Subject: [PATCH] net: stmmac: dwmac-meson8b: Add missing boundary to RGMII TX |
| clock array |
| |
| commit f0212a5ebfa6cd789ab47666b9cc169e6e688732 upstream. |
| |
| Running with KASAN on a VIM3L systems leads to the following splat |
| when probing the Ethernet device: |
| |
| ================================================================== |
| BUG: KASAN: global-out-of-bounds in _get_maxdiv+0x74/0xd8 |
| Read of size 4 at addr ffffa000090615f4 by task systemd-udevd/139 |
| CPU: 1 PID: 139 Comm: systemd-udevd Tainted: G E 5.7.0-rc1-00101-g8624b7577b9c #781 |
| Hardware name: amlogic w400/w400, BIOS 2020.01-rc5 03/12/2020 |
| Call trace: |
| dump_backtrace+0x0/0x2a0 |
| show_stack+0x20/0x30 |
| dump_stack+0xec/0x148 |
| print_address_description.isra.12+0x70/0x35c |
| __kasan_report+0xfc/0x1d4 |
| kasan_report+0x4c/0x68 |
| __asan_load4+0x9c/0xd8 |
| _get_maxdiv+0x74/0xd8 |
| clk_divider_bestdiv+0x74/0x5e0 |
| clk_divider_round_rate+0x80/0x1a8 |
| clk_core_determine_round_nolock.part.9+0x9c/0xd0 |
| clk_core_round_rate_nolock+0xf0/0x108 |
| clk_hw_round_rate+0xac/0xf0 |
| clk_factor_round_rate+0xb8/0xd0 |
| clk_core_determine_round_nolock.part.9+0x9c/0xd0 |
| clk_core_round_rate_nolock+0xf0/0x108 |
| clk_core_round_rate_nolock+0xbc/0x108 |
| clk_core_set_rate_nolock+0xc4/0x2e8 |
| clk_set_rate+0x58/0xe0 |
| meson8b_dwmac_probe+0x588/0x72c [dwmac_meson8b] |
| platform_drv_probe+0x78/0xd8 |
| really_probe+0x158/0x610 |
| driver_probe_device+0x140/0x1b0 |
| device_driver_attach+0xa4/0xb0 |
| __driver_attach+0xcc/0x1c8 |
| bus_for_each_dev+0xf4/0x168 |
| driver_attach+0x3c/0x50 |
| bus_add_driver+0x238/0x2e8 |
| driver_register+0xc8/0x1e8 |
| __platform_driver_register+0x88/0x98 |
| meson8b_dwmac_driver_init+0x28/0x1000 [dwmac_meson8b] |
| do_one_initcall+0xa8/0x328 |
| do_init_module+0xe8/0x368 |
| load_module+0x3300/0x36b0 |
| __do_sys_finit_module+0x120/0x1a8 |
| __arm64_sys_finit_module+0x4c/0x60 |
| el0_svc_common.constprop.2+0xe4/0x268 |
| do_el0_svc+0x98/0xa8 |
| el0_svc+0x24/0x68 |
| el0_sync_handler+0x12c/0x318 |
| el0_sync+0x158/0x180 |
| |
| The buggy address belongs to the variable: |
| div_table.63646+0x34/0xfffffffffffffa40 [dwmac_meson8b] |
| |
| Memory state around the buggy address: |
| ffffa00009061480: fa fa fa fa 00 00 00 01 fa fa fa fa 00 00 00 00 |
| ffffa00009061500: 05 fa fa fa fa fa fa fa 00 04 fa fa fa fa fa fa |
| >ffffa00009061580: 00 03 fa fa fa fa fa fa 00 00 00 00 00 00 fa fa |
| ^ |
| ffffa00009061600: fa fa fa fa 00 01 fa fa fa fa fa fa 01 fa fa fa |
| ffffa00009061680: fa fa fa fa 00 01 fa fa fa fa fa fa 04 fa fa fa |
| ================================================================== |
| |
| Digging into this indeed shows that the clock divider array is |
| lacking a final fence, and that the clock subsystems goes in the |
| weeds. Oh well. |
| |
| Let's add the empty structure that indicates the end of the array. |
| |
| Fixes: bd6f48546b9c ("net: stmmac: dwmac-meson8b: Fix the RGMII TX delay on Meson8b/8m2 SoCs") |
| Signed-off-by: Marc Zyngier <maz@kernel.org> |
| Cc: Martin Blumenstingl <martin.blumenstingl@googlemail.com> |
| Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c |
| index 4b5178097a01..ec2a7a318a47 100644 |
| --- a/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c |
| +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c |
| @@ -119,6 +119,7 @@ static int meson8b_init_rgmii_tx_clk(struct meson8b_dwmac *dwmac) |
| { .div = 5, .val = 5, }, |
| { .div = 6, .val = 6, }, |
| { .div = 7, .val = 7, }, |
| + { /* end of array */ } |
| }; |
| |
| clk_configs = devm_kzalloc(dev, sizeof(*clk_configs), GFP_KERNEL); |
| -- |
| 2.7.4 |
| |