drivers/clk/imx/clk-imx95-blk-ctl.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
When num_parents is 4, __clk_register() performs an out-of-bounds read
when accessing the parent_names member. Use ARRAY_SIZE() instead of a
hard-coded number here.
BUG: KASAN: global-out-of-bounds in __clk_register+0x1844/0x20d8
Read of size 8 at addr ffff800086988e78 by task kworker/u24:3/59
Hardware name: NXP i.MX95 19X19 board (DT)
Workqueue: events_unbound deferred_probe_work_func
Call trace:
dump_backtrace+0x94/0xec
show_stack+0x18/0x24
dump_stack_lvl+0x8c/0xcc
print_report+0x398/0x5fc
kasan_report+0xd4/0x114
__asan_report_load8_noabort+0x20/0x2c
__clk_register+0x1844/0x20d8
clk_hw_register+0x44/0x110
__clk_hw_register_mux+0x284/0x3a8
imx95_bc_probe+0x4f4/0xa70
Fixes: 5224b189462f ("clk: imx: add i.MX95 BLK CTL clk driver")
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
---
v1:
https://patchwork.kernel.org/project/linux-arm-kernel/patch/20250614112255.2838154-1-xiaolei.wang@windriver.com/
v2:
Use ARRAY_SIZE() instead of hardcode number here.
drivers/clk/imx/clk-imx95-blk-ctl.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/clk/imx/clk-imx95-blk-ctl.c b/drivers/clk/imx/clk-imx95-blk-ctl.c
index 25974947ad0c..cc2ee2be1819 100644
--- a/drivers/clk/imx/clk-imx95-blk-ctl.c
+++ b/drivers/clk/imx/clk-imx95-blk-ctl.c
@@ -219,11 +219,15 @@ static const struct imx95_blk_ctl_dev_data lvds_csr_dev_data = {
.clk_reg_offset = 0,
};
+static const char * const disp_engine_parents[] = {
+ "videopll1", "dsi_pll", "ldb_pll_div7"
+};
+
static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = {
[IMX95_CLK_DISPMIX_ENG0_SEL] = {
.name = "disp_engine0_sel",
- .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", },
- .num_parents = 4,
+ .parent_names = disp_engine_parents,
+ .num_parents = ARRAY_SIZE(disp_engine_parents),
.reg = 0,
.bit_idx = 0,
.bit_width = 2,
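Review bot: `disp_engine_parents` has no comment explaining why it holds three names while both mux entries that use it declare `.bit_width = 2`, a mismatch that plausibly produced the old `.num_parents = 4` and the read one slot past the table. I would add above the array `/* Shared by disp_engine0_sel and disp_engine1_sel; the 2-bit selector can encode 4 values but only 0-2 name a parent. */` so the count is not re-derived from the field width later. Whether firmware can leave selector value 3 in the register is not visible here; if it can, confirm that probe tolerates a mux whose current selection has no parent entry. The same array is used by the `IMX95_CLK_DISPMIX_ENG1_SEL` hunk, and both initializers continue outside the lines shown.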
@@ -232,8 +236,8 @@ static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = {
},
[IMX95_CLK_DISPMIX_ENG1_SEL] = {
.name = "disp_engine1_sel",
- .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", },
- .num_parents = 4,
+ .parent_names = disp_engine_parents,
+ .num_parents = ARRAY_SIZE(disp_engine_parents),
.reg = 0,
.bit_idx = 2,
.bit_width = 2,
--
2.43.0
On Wed, Jun 18, 2025 at 02:53:18PM +0800, Xiaolei Wang wrote: > When num_parents is 4, __clk_register() occurs an out-of-bounds > when accessing parent_names member. Use ARRAY_SIZE() instead of > hardcode number here. > > BUG: KASAN: global-out-of-bounds in __clk_register+0x1844/0x20d8 > Read of size 8 at addr ffff800086988e78 by task kworker/u24:3/59 > Hardware name: NXP i.MX95 19X19 board (DT) > Workqueue: events_unbound deferred_probe_work_func > Call trace: > dump_backtrace+0x94/0xec > show_stack+0x18/0x24 > dump_stack_lvl+0x8c/0xcc > print_report+0x398/0x5fc > kasan_report+0xd4/0x114 > __asan_report_load8_noabort+0x20/0x2c > __clk_register+0x1844/0x20d8 > clk_hw_register+0x44/0x110 > __clk_hw_register_mux+0x284/0x3a8 > imx95_bc_probe+0x4f4/0xa70 > > Fixes: 5224b189462f ("clk: imx: add i.MX95 BLK CTL clk driver") > Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com> You need cc stable. Reviewed-by: Frank Li <Frank.Li@nxp.com> > --- > v1: > https://patchwork.kernel.org/project/linux-arm-kernel/patch/20250614112255.2838154-1-xiaolei.wang@windriver.com/ > v2: > Use ARRAY_SIZE() instead of hardcode number here. > > drivers/clk/imx/clk-imx95-blk-ctl.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/drivers/clk/imx/clk-imx95-blk-ctl.c b/drivers/clk/imx/clk-imx95-blk-ctl.c > index 25974947ad0c..cc2ee2be1819 100644 > --- a/drivers/clk/imx/clk-imx95-blk-ctl.c > +++ b/drivers/clk/imx/clk-imx95-blk-ctl.c 
> @@ -219,11 +219,15 @@ static const struct imx95_blk_ctl_dev_data lvds_csr_dev_data = { > .clk_reg_offset = 0, > }; > > +static const char * const disp_engine_parents[] = { > + "videopll1", "dsi_pll", "ldb_pll_div7" > +}; > + > static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = { > [IMX95_CLK_DISPMIX_ENG0_SEL] = { > .name = "disp_engine0_sel", > - .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", }, > - .num_parents = 4, > + .parent_names = disp_engine_parents, > + .num_parents = ARRAY_SIZE(disp_engine_parents), > .reg = 0, > .bit_idx = 0, > .bit_width = 2, > @@ -232,8 +236,8 @@ static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = { > }, > [IMX95_CLK_DISPMIX_ENG1_SEL] = { > .name = "disp_engine1_sel", > - .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", }, > - .num_parents = 4, > + .parent_names = disp_engine_parents, > + .num_parents = ARRAY_SIZE(disp_engine_parents), > .reg = 0, > .bit_idx = 2, > .bit_width = 2, > -- > 2.43.0 >