author | Seung-Woo Kim <sw0312.kim@samsung.com> | 2015-09-01 16:59:03 +0900 |
---|---|---|
committer | Seung-Woo Kim <sw0312.kim@samsung.com> | 2016-12-14 13:47:59 +0900 |
commit | 86c169126c2da28b98e0776c65a2ce2eb53e639e (patch) | |
tree | 02b69133f62d7827f99fc8bf81b38ff818760650 | |
parent | 5bf5422c6f37f48caa70cb790b2412a117433ba2 (diff) |
fimc-is: fix wrong index access for dt child nodes
This patch fixes wrong index access for dt child nodes. This fixes the
following use-after-free:
==================================================================
BUG: KASan: use after free in fimc_is_parse_children_dt+0x6c/0xe8 at addr ffffffc08d27ffa8
Write of size 8 by task swapper/0/1
page:ffffffbdc2b49fc0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x0()
page dumped because: kasan: bad access detected
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.1.0-00839-gb91c2a6-dirty #3
Hardware name: Samsung TM2 board (DT)
Call trace:
[<ffffffc00008bc58>] dump_backtrace+0x0/0x1d8
[<ffffffc00008be40>] show_stack+0x10/0x20
[<ffffffc000eee3a4>] dump_stack+0x80/0xd4
[<ffffffc00021e510>] kasan_report_error+0x400/0x408
[<ffffffc00021e9ec>] kasan_report+0x44/0x50
[<ffffffc00021d38c>] __asan_store8+0x94/0xb0
[<ffffffc000991900>] fimc_is_parse_children_dt+0x68/0xe8
[<ffffffc000959368>] fimc_is_probe+0xc0/0xed8
[<ffffffc0006dc724>] platform_drv_probe+0x64/0xf8
[<ffffffc0006d9ae8>] driver_probe_device+0x1f0/0x3a8
[<ffffffc0006d9de0>] __driver_attach+0xc8/0xd0
[<ffffffc0006d6fac>] bus_for_each_dev+0xd4/0x138
[<ffffffc0006d932c>] driver_attach+0x2c/0x40
[<ffffffc0006d8dfc>] bus_add_driver+0x214/0x2e8
[<ffffffc0006dab40>] driver_register+0xb0/0x1c0
[<ffffffc0006dc618>] __platform_driver_register+0xa8/0xb8
[<ffffffc0017952c0>] fimc_is_driver_init+0x18/0x24
[<ffffffc000082ae4>] do_one_initcall+0xec/0x240
[<ffffffc001755e50>] kernel_init_freeable+0x288/0x330
[<ffffffc000eeab1c>] kernel_init+0xc/0xf0
Memory state around the buggy address:
ffffffc08d27fe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffffffc08d27ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffffffc08d27ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffffffc08d280000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffc08d280080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
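The bug the message describes is a tautological bounds check: `i >= 0 || i < FIMC_IS_MAX_NODES` holds for every `int`, so a negative error code from the alias lookup is used as an array index and the pointer store lands outside the table. The following is an added C illustration written for this page (not code from the fimc-is driver or the kernel); `MAX_NODES`, `struct dt_node`, `struct core`, `store_child()` and `count_buggy_accepts()` are constructed stand-ins for the driver's `FIMC_IS_MAX_NODES`, device-tree nodes, `fimc_is_core` and the store in `fimc_is_parse_children_dt()`. It puts the original predicate next to the corrected one and shows that only the corrected one rejects an error code such as `-ENODEV`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for FIMC_IS_MAX_NODES; the real value is not on this page. */
#define MAX_NODES 4

/* Constructed stand-in for a device-tree child node. */
struct dt_node {
    const char *name;
};

/* Constructed stand-in for the driver's core structure: a fixed table of node pointers. */
struct core {
    struct dt_node *lite_np[MAX_NODES];
};

/* The predicate the patch removes: true for every int, because any value
 * is either >= 0 or < MAX_NODES, so nothing is ever rejected. */
static bool buggy_index_ok(int i)
{
    return i >= 0 || i < MAX_NODES;
}

/* The predicate the patch introduces: rejects negative error codes and
 * ids beyond the end of the table. */
static bool fixed_index_ok(int i)
{
    return i >= 0 && i < MAX_NODES;
}

/* Store a child node at index i, where i may be a negative errno from a
 * failed alias lookup. Returns 0 on success, -EINVAL if i is rejected. */
static int store_child(struct core *c, int i, struct dt_node *child)
{
    if (!fixed_index_ok(i))
        return -EINVAL;
    c->lite_np[i] = child;
    return 0;
}

/* Count how many ids in [lo, hi] the buggy predicate would accept. */
static int count_buggy_accepts(int lo, int hi)
{
    int n = 0;
    for (int i = lo; i <= hi; i++)
        if (buggy_index_ok(i))
            n++;
    return n;
}

/* Exercise store_child() with an error code, a valid id and an id one past
 * the end; returns true when all three behave as the fixed check requires. */
static bool run_store_checks(void)
{
    struct core c = { { 0 } };
    struct dt_node n = { "fimc-lite" };

    if (store_child(&c, -ENODEV, &n) != -EINVAL)  /* lookup failure must be rejected */
        return false;
    if (store_child(&c, 2, &n) != 0 || c.lite_np[2] != &n)  /* in-range id is stored */
        return false;
    if (store_child(&c, MAX_NODES, &n) != -EINVAL)  /* one past the end is rejected */
        return false;
    return true;
}

int main(void)
{
    printf("buggy check accepts -ENODEV: %d\n", buggy_index_ok(-ENODEV));
    printf("fixed check accepts -ENODEV: %d\n", fixed_index_ok(-ENODEV));
    printf("buggy check accepts %d of 65 ids in [-32, 32]\n", count_buggy_accepts(-32, 32));
    printf("store checks pass: %d\n", run_store_checks());
    return 0;
}
```

Because the buggy predicate never fails, the KASan report is the only place the error surfaced; the corrected predicate turns a failed alias lookup into a skipped node instead of a write below the table.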
-rw-r--r-- | drivers/media/platform/exynos/fimc-is/fimc-is-dt.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/media/platform/exynos/fimc-is/fimc-is-dt.c b/drivers/media/platform/exynos/fimc-is/fimc-is-dt.c index dee15221c831..4c5ea68b8039 100644 --- a/drivers/media/platform/exynos/fimc-is/fimc-is-dt.c +++ b/drivers/media/platform/exynos/fimc-is/fimc-is-dt.c @@ -270,11 +270,11 @@ int fimc_is_parse_children_dt(struct device *dev, struct fimc_is_core *core) int i; i = of_alias_get_id(child, "fimc-lite"); - if (i >= 0 || i < FIMC_IS_MAX_NODES) + if (i >= 0 && i < FIMC_IS_MAX_NODES) core->lite_np[i] = child; i = of_alias_get_id(child, "csis"); - if (i >= 0 || i < FIMC_IS_MAX_NODES) + if (i >= 0 && i < FIMC_IS_MAX_NODES) core->csis_np[i] = child; } |
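Review bot: the `||` conditions being replaced are tautologies (every int is either >= 0 or < FIMC_IS_MAX_NODES), so a negative errno from of_alias_get_id() is used as the index and `core->lite_np[i] = child` / `core->csis_np[i] = child` write before the array, which is consistent with the 8-byte store KASan reports; the switch to `&&` is the right fix for both lookups. The two rejected cases are still dropped silently, though: a negative return means the child has no usable alias and an id >= FIMC_IS_MAX_NODES means the DT has more nodes than the table holds, both of which are DT problems worth a dev_warn() so a misconfigured tree does not just lose a node. A Fixes: tag naming the commit that introduced the check would also help stable backports.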