drivers/clk/imx/clk-imx95-blk-ctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
When num_parents is 4, __clk_register() performs an out-of-bounds read
when accessing the parent_names member.
BUG: KASAN: global-out-of-bounds in __clk_register+0x1844/0x20d8
Read of size 8 at addr ffff800086988e78 by task kworker/u24:3/59
Hardware name: NXP i.MX95 19X19 board (DT)
Workqueue: events_unbound deferred_probe_work_func
Call trace:
dump_backtrace+0x94/0xec
show_stack+0x18/0x24
dump_stack_lvl+0x8c/0xcc
print_report+0x398/0x5fc
kasan_report+0xd4/0x114
__asan_report_load8_noabort+0x20/0x2c
__clk_register+0x1844/0x20d8
clk_hw_register+0x44/0x110
__clk_hw_register_mux+0x284/0x3a8
imx95_bc_probe+0x4f4/0xa70
Fixes: 5224b189462f ("clk: imx: add i.MX95 BLK CTL clk driver")
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
---
drivers/clk/imx/clk-imx95-blk-ctl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/imx/clk-imx95-blk-ctl.c b/drivers/clk/imx/clk-imx95-blk-ctl.c
index 25974947ad0c..fd11932b12b3 100644
--- a/drivers/clk/imx/clk-imx95-blk-ctl.c
+++ b/drivers/clk/imx/clk-imx95-blk-ctl.c
@@ -223,7 +223,7 @@ static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = {
[IMX95_CLK_DISPMIX_ENG0_SEL] = {
.name = "disp_engine0_sel",
.parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", },
- .num_parents = 4,
+ .num_parents = 3,
.reg = 0,
.bit_idx = 0,
.bit_width = 2,
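Review bot: `.bit_width = 2` in the `IMX95_CLK_DISPMIX_ENG0_SEL` entry gives the mux four selector encodings while `parent_names` lists three, so setting `.num_parents = 3` assumes the old count was the mistake rather than a fourth parent name having been left out. It would help to confirm against the reference manual what encoding 3 selects and to record the answer next to the list, for example `/* selector value 3: reserved, no parent */` if that is what the manual says. The same applies to the `IMX95_CLK_DISPMIX_ENG1_SEL` hunk below. The array initializer these entries belong to starts and ends outside the hunks.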
@@ -233,7 +233,7 @@ static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = {
[IMX95_CLK_DISPMIX_ENG1_SEL] = {
.name = "disp_engine1_sel",
.parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", },
- .num_parents = 4,
+ .num_parents = 3,
.reg = 0,
.bit_idx = 2,
.bit_width = 2,
--
2.43.0
On Sat, Jun 14, 2025 at 07:22:55PM +0800, Xiaolei Wang wrote: > When num_parents is 4, __clk_register() occurs an out-of-bounds > when accessing parent_names member. > > BUG: KASAN: global-out-of-bounds in __clk_register+0x1844/0x20d8 > Read of size 8 at addr ffff800086988e78 by task kworker/u24:3/59 > Hardware name: NXP i.MX95 19X19 board (DT) > Workqueue: events_unbound deferred_probe_work_func > Call trace: > dump_backtrace+0x94/0xec > show_stack+0x18/0x24 > dump_stack_lvl+0x8c/0xcc > print_report+0x398/0x5fc > kasan_report+0xd4/0x114 > __asan_report_load8_noabort+0x20/0x2c > __clk_register+0x1844/0x20d8 > clk_hw_register+0x44/0x110 > __clk_hw_register_mux+0x284/0x3a8 > imx95_bc_probe+0x4f4/0xa70 > > Fixes: 5224b189462f ("clk: imx: add i.MX95 BLK CTL clk driver") > Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com> > --- > drivers/clk/imx/clk-imx95-blk-ctl.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/clk/imx/clk-imx95-blk-ctl.c b/drivers/clk/imx/clk-imx95-blk-ctl.c > index 25974947ad0c..fd11932b12b3 100644 > --- a/drivers/clk/imx/clk-imx95-blk-ctl.c > +++ b/drivers/clk/imx/clk-imx95-blk-ctl.c > @@ -223,7 +223,7 @@ static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = { > [IMX95_CLK_DISPMIX_ENG0_SEL] = { > .name = "disp_engine0_sel", > .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", }, > - .num_parents = 4, > + .num_parents = 3, Although this is simple fix, is it possible to change to const char *parent[] = {"videopll1", "dsi_pll", "ldb_pll_div7"} num_parents = ARRAY_SIZE(parent); to avoid hardcode number here. Frank > .reg = 0, > .bit_idx = 0, > .bit_width = 2, 
> @@ -233,7 +233,7 @@ static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = { > [IMX95_CLK_DISPMIX_ENG1_SEL] = { > .name = "disp_engine1_sel", > .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", }, > - .num_parents = 4, > + .num_parents = 3, > .reg = 0, > .bit_idx = 2, > .bit_width = 2, > -- > 2.43.0 >
On 6/17/25 03:24, Frank Li wrote: > CAUTION: This email comes from a non Wind River email account! > Do not click links or open attachments unless you recognize the sender and know the content is safe. > > On Sat, Jun 14, 2025 at 07:22:55PM +0800, Xiaolei Wang wrote: >> When num_parents is 4, __clk_register() occurs an out-of-bounds >> when accessing parent_names member. >> >> BUG: KASAN: global-out-of-bounds in __clk_register+0x1844/0x20d8 >> Read of size 8 at addr ffff800086988e78 by task kworker/u24:3/59 >> Hardware name: NXP i.MX95 19X19 board (DT) >> Workqueue: events_unbound deferred_probe_work_func >> Call trace: >> dump_backtrace+0x94/0xec >> show_stack+0x18/0x24 >> dump_stack_lvl+0x8c/0xcc >> print_report+0x398/0x5fc >> kasan_report+0xd4/0x114 >> __asan_report_load8_noabort+0x20/0x2c >> __clk_register+0x1844/0x20d8 >> clk_hw_register+0x44/0x110 >> __clk_hw_register_mux+0x284/0x3a8 >> imx95_bc_probe+0x4f4/0xa70 >> >> Fixes: 5224b189462f ("clk: imx: add i.MX95 BLK CTL clk driver") >> Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com> >> --- >> drivers/clk/imx/clk-imx95-blk-ctl.c | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/clk/imx/clk-imx95-blk-ctl.c b/drivers/clk/imx/clk-imx95-blk-ctl.c >> index 25974947ad0c..fd11932b12b3 100644 >> --- a/drivers/clk/imx/clk-imx95-blk-ctl.c >> +++ b/drivers/clk/imx/clk-imx95-blk-ctl.c 
>> @@ -223,7 +223,7 @@ static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = { >> [IMX95_CLK_DISPMIX_ENG0_SEL] = { >> .name = "disp_engine0_sel", >> .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", }, >> - .num_parents = 4, >> + .num_parents = 3, > Although this is simple fix, is it possible to change to > > const char *parent[] = {"videopll1", "dsi_pll", "ldb_pll_div7"} > num_parents = ARRAY_SIZE(parent); > > to avoid hardcode number here. Thanks for the suggestion frank, I will send a v2 version thanks xiaolei > > Frank > >> .reg = 0, >> .bit_idx = 0, >> .bit_width = 2, >> @@ -233,7 +233,7 @@ static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = { >> [IMX95_CLK_DISPMIX_ENG1_SEL] = { >> .name = "disp_engine1_sel", >> .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", }, >> - .num_parents = 4, >> + .num_parents = 3, >> .reg = 0, >> .bit_idx = 2, >> .bit_width = 2, >> -- >> 2.43.0 >>