misc: xilinx-ai-engine: Fix slab-out-of-bounds in aie_part_sysfs_init
aie_sysfs_attr structure member, num_*_attrs, captures the total number of
sysfs attributes and _not_ the size occupied by attribute structure.
Hence, the total size allocated for a null terminated array of pointers of
sysfs attribute structure is equal to num_*_attrs times the size of
attribute structure pointer.

[   11.098883] ==================================================================
[   11.106114] BUG: KASAN: slab-out-of-bounds in aie_part_sysfs_init+0x544/0x6b0
[   11.113246] Write of size 8 at addr ffff000814f3bc80 by task kworker/1:1/71
[   11.120199]
[   11.121692] CPU: 1 PID: 71 Comm: kworker/1:1 Not tainted 5.10.0-xilinx-v2020.2 #1
[   11.129170] Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT)
[   11.136135] Workqueue: events deferred_probe_work_func
[   11.141272] Call trace:
[   11.143720]  dump_backtrace+0x0/0x2a4
[   11.147382]  show_stack+0x18/0x2c
[   11.150694]  dump_stack+0x118/0x168
[   11.154183]  print_address_description.constprop.0+0x6c/0x468
[   11.159926]  kasan_report+0xfc/0x1a0
[   11.163499]  __asan_store8+0x98/0xd0
[   11.167072]  aie_part_sysfs_init+0x544/0x6b0
[   11.171341]  of_aie_part_probe+0x8f0/0xb10
[   11.175435]  xilinx_ai_engine_probe+0x428/0x644
[   11.179964]  platform_drv_probe+0x70/0xd0
[   11.183970]  really_probe+0x14c/0x6d0
[   11.187629]  driver_probe_device+0x78/0xec
[   11.191722]  __device_attach_driver+0x108/0x16c
[   11.196250]  bus_for_each_drv+0xf0/0x160
[   11.200169]  __device_attach+0x164/0x224
[   11.204088]  device_initial_probe+0x14/0x20
[   11.208268]  bus_probe_device+0xec/0x100
[   11.212187]  deferred_probe_work_func+0xa8/0xe4
[   11.216715]  process_one_work+0x430/0x74c
[   11.220721]  worker_thread+0x4d0/0x8e4
[   11.224467]  kthread+0x1d0/0x1e0
[   11.227693]  ret_from_fork+0x10/0x3c
[   11.231260]
[   11.232746] Allocated by task 71:
[   11.236061]  stack_trace_save+0x9c/0xd0
[   11.239894]  kasan_save_stack+0x28/0x60
[   11.243727]  __kasan_kmalloc.constprop.0+0xc8/0xf0
[   11.248513]  kasan_kmalloc+0x10/0x20
[   11.252085]  __kmalloc_track_caller+0x27c/0x450
[   11.256613]  devm_kmalloc+0x64/0x120
[   11.260185]  aie_part_sysfs_init+0x39c/0x6b0
[   11.264453]  of_aie_part_probe+0x8f0/0xb10
[   11.268546]  xilinx_ai_engine_probe+0x428/0x644
[   11.273074]  platform_drv_probe+0x70/0xd0
[   11.277080]  really_probe+0x14c/0x6d0
[   11.280739]  driver_probe_device+0x78/0xec
[   11.284832]  __device_attach_driver+0x108/0x16c
[   11.289358]  bus_for_each_drv+0xf0/0x160
[   11.293277]  __device_attach+0x164/0x224
[   11.297197]  device_initial_probe+0x14/0x20
[   11.301376]  bus_probe_device+0xec/0x100
[   11.305296]  deferred_probe_work_func+0xa8/0xe4
[   11.309822]  process_one_work+0x430/0x74c
[   11.313827]  worker_thread+0x4d0/0x8e4
[   11.317573]  kthread+0x1d0/0x1e0
[   11.320797]  ret_from_fork+0x10/0x3c
[   11.324364]
[   11.325852] The buggy address belongs to the object at ffff000814f3bc00
[   11.325852]  which belongs to the cache kmalloc-256 of size 256
[   11.338367] The buggy address is located 128 bytes inside of
[   11.338367]  256-byte region [ffff000814f3bc00, ffff000814f3bd00)
[   11.350096] The buggy address belongs to the page:
[   11.354887] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x814f3b
[   11.364278] flags: 0x4000000000000200(slab)
[   11.368464] raw: 4000000000000200 fffffe002033ce88 ffff000800001218 ffff000800000100
[   11.376205] raw: 0000000000000000 ffff000814f3b000 0000000100000008 0000000000000000
[   11.383941] page dumped because: kasan: bad access detected
[   11.389506]
[   11.390990] Memory state around the buggy address:
[   11.395778]  ffff000814f3bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.402996]  ffff000814f3bc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   11.410213] >ffff000814f3bc80: 06 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.417427]                    ^
[   11.420652]  ffff000814f3bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.427870]  ffff000814f3bd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   11.435083] ==================================================================

Signed-off-by: Nishad Saraf <nishad.saraf@xilinx.com>
Acked-by: Wendy Liang <wendy.liang@xilinx.com>
State: pending
NishadSaraf authored and Michal Simek committed Jun 2, 2021
1 parent 32f0752 commit 43c828c
Showing 1 changed file with 8 additions and 8 deletions.
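--- a/drivers/misc/xilinx-ai-engine/ai-engine-sysfs.c
+++ b/drivers/misc/xilinx-ai-engine/ai-engine-sysfs.c
@@ -122,8 +122,8 @@ static int aie_tile_sysfs_create(struct aie_tile *atile)
 ttype = atile->apart->adev->ops->get_tile_type(&atile->loc);
 
 if (attr->num_dev_attrs) {
-dev_attrs = devm_kzalloc(&atile->dev, attr->num_dev_attrs + 1,
-GFP_KERNEL);
+dev_attrs = devm_kzalloc(&atile->dev, sizeof(*dev_attrs) *
+(attr->num_dev_attrs + 1), GFP_KERNEL);
 if (!dev_attrs)
 return -ENOMEM;
 
@@ -145,8 +145,8 @@ static int aie_tile_sysfs_create(struct aie_tile *atile)
 }
 
 if (attr->num_bin_attrs) {
-bin_attrs = devm_kzalloc(&atile->dev, attr->num_bin_attrs + 1,
-GFP_KERNEL);
+bin_attrs = devm_kzalloc(&atile->dev, sizeof(*bin_attrs) *
+(attr->num_bin_attrs + 1), GFP_KERNEL);
 if (!bin_attrs)
 return -ENOMEM;
 
@@ -206,8 +206,8 @@ static int aie_part_sysfs_create(struct aie_partition *apart)
 attr = apart->adev->part_sysfs_attr;
 
 if (attr->num_dev_attrs) {
-dev_attrs = devm_kzalloc(&apart->dev, attr->num_dev_attrs + 1,
-GFP_KERNEL);
+dev_attrs = devm_kzalloc(&apart->dev, sizeof(*dev_attrs) *
+(attr->num_dev_attrs + 1), GFP_KERNEL);
 if (!dev_attrs)
 return -ENOMEM;
 
@@ -226,8 +226,8 @@ static int aie_part_sysfs_create(struct aie_partition *apart)
 }
 
 if (attr->num_bin_attrs) {
-bin_attrs = devm_kzalloc(&apart->dev, attr->num_bin_attrs + 1,
-GFP_KERNEL);
+bin_attrs = devm_kzalloc(&apart->dev, sizeof(*bin_attrs) *
+(attr->num_bin_attrs + 1), GFP_KERNEL);
 if (!bin_attrs)
 return -ENOMEM;
 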
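Review bot: All four rewritten `devm_kzalloc()` calls (the `dev_attrs` and `bin_attrs` allocations in `aie_tile_sysfs_create` and `aie_part_sysfs_create`) still open-code the size as `sizeof(*ptr) * (count + 1)`, so the multiplication is unchecked. The array-allocation helper performs the overflow check and states the element count and element size separately, e.g. `dev_attrs = devm_kcalloc(&atile->dev, attr->num_dev_attrs + 1, sizeof(*dev_attrs), GFP_KERNEL);`, with the same form at the other three sites. The counts appear to come from driver-defined attribute tables rather than external input, so this is hardening and consistency rather than a demonstrated overflow; the type of `num_*_attrs` is not visible here. Both functions continue outside the hunks, so whether the loops that fill these arrays stop at `num_*_attrs` entries and leave the final slot as the NULL terminator cannot be confirmed from this page.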
