[PATCH] clk: microchip: mpfs-ccc: fix out-of-bounds write

Aleš Pečnik via B4 Relay posted 1 patch 2 months, 1 week ago
drivers/clk/microchip/clk-mpfs-ccc.c             | 3 +--
include/dt-bindings/clock/microchip,mpfs-clock.h | 2 ++
2 files changed, 3 insertions(+), 2 deletions(-)
[PATCH] clk: microchip: mpfs-ccc: fix out-of-bounds write
Posted by Aleš Pečnik via B4 Relay 2 months, 1 week ago
From: Aleš Pečnik <ales.pecnik@skylabs.si>

The issue was the allocated array size for clk_data.
When clocks are being registered, their index is taken from defines in
dt-bindings. The last 2 clocks had their index outside of the allocated
range. Two defines (CLK_CCC_DLL0, CLK_CCC_DLL1) were not used and skipped
over, which was not taken into account when allocating the array.

This patch is a minimal change to resolve the issue.

The issue was found using KASAN when debugging an unrelated xdma driver
issue. Consequently, fixing this issue also resolved the xdma driver issue.

Related dmesg output:
[    0.290703] BUG: KASAN: slab-out-of-bounds in mpfs_ccc_register_outputs.constprop.0+0xd0/0x1fa
[    0.290984] Write of size 8 at addr ffffffe7be6e3ca8 by task swapper/0/1
[    0.291253] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.43-linux4microchip+fpga-2023.09 #1
[    0.291482] Hardware name: Skylabs HPC (DT)
[    0.291611] Call Trace:
...
[    0.292999] [<ffffffff808508c8>] mpfs_ccc_register_outputs.constprop.0+0xd0/0x1fa
[    0.293245] [<ffffffff80850b66>] mpfs_ccc_probe+0x174/0x30e
[    0.293437] [<ffffffff808d4af2>] platform_probe+0x74/0xba
...

Fixes: d39fb172760e ("clk: microchip: add PolarFire SoC fabric clock support")
Signed-off-by: Aleš Pečnik <ales.pecnik@skylabs.si>
---
 drivers/clk/microchip/clk-mpfs-ccc.c             | 3 +--
 include/dt-bindings/clock/microchip,mpfs-clock.h | 2 ++
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/clk/microchip/clk-mpfs-ccc.c b/drivers/clk/microchip/clk-mpfs-ccc.c
index 3a3ea2d142f8..71fbb6265ea4 100644
--- a/drivers/clk/microchip/clk-mpfs-ccc.c
+++ b/drivers/clk/microchip/clk-mpfs-ccc.c
@@ -234,8 +234,7 @@ static int mpfs_ccc_probe(struct platform_device *pdev)
 	unsigned int num_clks;
 	int ret;
 
-	num_clks = ARRAY_SIZE(mpfs_ccc_pll_clks) + ARRAY_SIZE(mpfs_ccc_pll0out_clks) +
-		   ARRAY_SIZE(mpfs_ccc_pll1out_clks);
+	num_clks = CLK_CCC_NUM;
 
 	clk_data = devm_kzalloc(&pdev->dev, struct_size(clk_data, hw_data.hws, num_clks),
 				GFP_KERNEL);
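Review bot: 'num_clks = CLK_CCC_NUM;' sizes the array from a constant that nothing ties to the ids actually used as indices, so a later id above the current maximum would bring back the same out-of-bounds write without any build or runtime warning. Per the commit message the indices come from the dt-bindings defines, so a short comment on this line saying the count is the highest id plus one (not the sum of the three table sizes) would help, and so would a check in the registration path that rejects an id >= num_clks before it is stored into hw_data.hws. The slots for the two skipped ids stay zeroed by devm_kzalloc, which is worth stating in the commit message so readers know empty entries are expected.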
diff --git a/include/dt-bindings/clock/microchip,mpfs-clock.h b/include/dt-bindings/clock/microchip,mpfs-clock.h
index b52f19a2b480..8d53f2b81a54 100644
--- a/include/dt-bindings/clock/microchip,mpfs-clock.h
+++ b/include/dt-bindings/clock/microchip,mpfs-clock.h
@@ -73,4 +73,6 @@
 #define CLK_CCC_DLL1_OUT0	14
 #define CLK_CCC_DLL1_OUT1	15
 
+#define CLK_CCC_NUM		16
+
 #endif	/* _DT_BINDINGS_CLK_MICROCHIP_MPFS_H_ */
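Review bot: '#define CLK_CCC_NUM 16' is added as a bare literal with no comment linking it to the highest id above it (CLK_CCC_DLL1_OUT1 is 15), so the next id added to this header can be missed and the allocation in the driver falls short again. A count is also something only the driver consumes, not a value a device tree would reference, so it reads better as a driver-local define placed next to the allocation, ideally expressed as the last id plus one.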

---
base-commit: bfe62a454542cfad3379f6ef5680b125f41e20f4
change-id: 20260407-mpfs-clk-oob-write-a0cec9a5c224

Best regards,
--  
Aleš Pečnik <ales.pecnik@skylabs.si>


Re: [PATCH] clk: microchip: mpfs-ccc: fix out-of-bounds write
Posted by Krzysztof Kozlowski 2 months, 1 week ago
On Wed, Apr 08, 2026 at 07:07:34AM +0200, Aleš Pečnik wrote:
> The issue was the allocated array size for clk_data.
> When clocks are being registered, their index is taken from defines in
> dt-bindings. The last 2 clocks had their index outside of the allocated
> range. Two defines (CLK_CCC_DLL0, CLK_CCC_DLL1) were not used and skipped
> over, which was not taken into account when allocating the array.
> 
> This patch is a minimal change to resolve the issue.
> 
> The issue was found using KASAN when debugging an unrelated xdma driver
> issue. Consequently, fixing this issue also resolved the xdma driver issue.
> 
> Related dmesg output:
> [    0.290703] BUG: KASAN: slab-out-of-bounds in mpfs_ccc_register_outputs.constprop.0+0xd0/0x1fa
> [    0.290984] Write of size 8 at addr ffffffe7be6e3ca8 by task swapper/0/1
> [    0.291253] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.43-linux4microchip+fpga-2023.09 #1
> [    0.291482] Hardware name: Skylabs HPC (DT)
> [    0.291611] Call Trace:
> ...
> [    0.292999] [<ffffffff808508c8>] mpfs_ccc_register_outputs.constprop.0+0xd0/0x1fa
> [    0.293245] [<ffffffff80850b66>] mpfs_ccc_probe+0x174/0x30e
> [    0.293437] [<ffffffff808d4af2>] platform_probe+0x74/0xba
> ...
> 
> Fixes: d39fb172760e ("clk: microchip: add PolarFire SoC fabric clock support")
> Signed-off-by: Aleš Pečnik <ales.pecnik@skylabs.si>
> ---
>  drivers/clk/microchip/clk-mpfs-ccc.c             | 3 +--
>  include/dt-bindings/clock/microchip,mpfs-clock.h | 2 ++

Please run scripts/checkpatch.pl on the patches and fix reported
warnings. After that, run also 'scripts/checkpatch.pl --strict' on the
patches and (probably) fix more warnings. Some warnings can be ignored,
especially from --strict run, but the code here looks like it needs a
fix. Feel free to get in touch if the warning is not clear.

>  2 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/clk/microchip/clk-mpfs-ccc.c b/drivers/clk/microchip/clk-mpfs-ccc.c
> index 3a3ea2d142f8..71fbb6265ea4 100644
> --- a/drivers/clk/microchip/clk-mpfs-ccc.c
> +++ b/drivers/clk/microchip/clk-mpfs-ccc.c
> @@ -234,8 +234,7 @@ static int mpfs_ccc_probe(struct platform_device *pdev)
>  	unsigned int num_clks;
>  	int ret;
>  
> -	num_clks = ARRAY_SIZE(mpfs_ccc_pll_clks) + ARRAY_SIZE(mpfs_ccc_pll0out_clks) +
> -		   ARRAY_SIZE(mpfs_ccc_pll1out_clks);
> +	num_clks = CLK_CCC_NUM;
>  
>  	clk_data = devm_kzalloc(&pdev->dev, struct_size(clk_data, hw_data.hws, num_clks),
>  				GFP_KERNEL);
> diff --git a/include/dt-bindings/clock/microchip,mpfs-clock.h b/include/dt-bindings/clock/microchip,mpfs-clock.h
> index b52f19a2b480..8d53f2b81a54 100644
> --- a/include/dt-bindings/clock/microchip,mpfs-clock.h
> +++ b/include/dt-bindings/clock/microchip,mpfs-clock.h
> @@ -73,4 +73,6 @@
>  #define CLK_CCC_DLL1_OUT0	14
>  #define CLK_CCC_DLL1_OUT1	15
>  
> +#define CLK_CCC_NUM		16

Not a binding, drop from bindings. Driver is the place for that.

Best regards,
Krzysztof


Re: [PATCH] clk: microchip: mpfs-ccc: fix out-of-bounds write
Posted by Conor Dooley 2 months, 1 week ago
On Wed, Apr 08, 2026 at 07:07:34AM +0200, Aleš Pečnik wrote:
> The issue was the allocated array size for clk_data.
> When clocks are being registered, their index is taken from defines in
> dt-bindings. The last 2 clocks had their index outside of the allocated
> range. Two defines (CLK_CCC_DLL0, CLK_CCC_DLL1) were not used and skipped
> over, which was not taken into account when allocating the array.
> 
> This patch is a minimal change to resolve the issue.
> 
> The issue was found using KASAN when debugging an unrelated xdma driver
> issue. Consequently, fixing this issue also resolved the xdma driver issue.
> 
> Related dmesg output:
> [    0.290703] BUG: KASAN: slab-out-of-bounds in mpfs_ccc_register_outputs.constprop.0+0xd0/0x1fa
> [    0.290984] Write of size 8 at addr ffffffe7be6e3ca8 by task swapper/0/1
> [    0.291253] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.43-linux4microchip+fpga-2023.09 #1
> [    0.291482] Hardware name: Skylabs HPC (DT)
> [    0.291611] Call Trace:
> ...
> [    0.292999] [<ffffffff808508c8>] mpfs_ccc_register_outputs.constprop.0+0xd0/0x1fa
> [    0.293245] [<ffffffff80850b66>] mpfs_ccc_probe+0x174/0x30e
> [    0.293437] [<ffffffff808d4af2>] platform_probe+0x74/0xba
> ...
> 
> Fixes: d39fb172760e ("clk: microchip: add PolarFire SoC fabric clock support")
> Signed-off-by: Aleš Pečnik <ales.pecnik@skylabs.si>

I think this should be already fixed in linux-next, in commit
2f7ae8ab6aa73 ("clk: microchip: mpfs-ccc: fix out of bounds access
during output registration")

Regardless, thanks for your patch.

> ---
>  drivers/clk/microchip/clk-mpfs-ccc.c             | 3 +--
>  include/dt-bindings/clock/microchip,mpfs-clock.h | 2 ++
>  2 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/clk/microchip/clk-mpfs-ccc.c b/drivers/clk/microchip/clk-mpfs-ccc.c
> index 3a3ea2d142f8..71fbb6265ea4 100644
> --- a/drivers/clk/microchip/clk-mpfs-ccc.c
> +++ b/drivers/clk/microchip/clk-mpfs-ccc.c
> @@ -234,8 +234,7 @@ static int mpfs_ccc_probe(struct platform_device *pdev)
>  	unsigned int num_clks;
>  	int ret;
>  
> -	num_clks = ARRAY_SIZE(mpfs_ccc_pll_clks) + ARRAY_SIZE(mpfs_ccc_pll0out_clks) +
> -		   ARRAY_SIZE(mpfs_ccc_pll1out_clks);
> +	num_clks = CLK_CCC_NUM;
>  
>  	clk_data = devm_kzalloc(&pdev->dev, struct_size(clk_data, hw_data.hws, num_clks),
>  				GFP_KERNEL);
> diff --git a/include/dt-bindings/clock/microchip,mpfs-clock.h b/include/dt-bindings/clock/microchip,mpfs-clock.h
> index b52f19a2b480..8d53f2b81a54 100644
> --- a/include/dt-bindings/clock/microchip,mpfs-clock.h
> +++ b/include/dt-bindings/clock/microchip,mpfs-clock.h
> @@ -73,4 +73,6 @@
>  #define CLK_CCC_DLL1_OUT0	14
>  #define CLK_CCC_DLL1_OUT1	15
>  
> +#define CLK_CCC_NUM		16
> +
>  #endif	/* _DT_BINDINGS_CLK_MICROCHIP_MPFS_H_ */
> 
> ---
> base-commit: bfe62a454542cfad3379f6ef5680b125f41e20f4
> change-id: 20260407-mpfs-clk-oob-write-a0cec9a5c224
> 
> Best regards,
> --  
> Aleš Pečnik <ales.pecnik@skylabs.si>
>