sched: Fix out of bounds issue in for_each_cluster macro
[ 31.504753] =================================================================
[ 31.512215] BUG: KASAN: global-out-of-bounds in core_ctl_set_boost+0x554/0x558
[ 31.519637] Read of size 4 at addr ffffffd0327c18f4 by task init/456
[ 31.526160]
[ 31.527707] CPU: 1 PID: 456 Comm: init Tainted: G S W 5.4.12-qgki-debug-gdc9adf3559a6-dirty #25
[ 31.537793] Hardware name: Qualcomm Technologies, Inc. 8350 venus (DT)
[ 31.544499] Call trace:
[ 31.547026] dump_backtrace+0x0/0x2e0
[ 31.550797] show_stack+0x14/0x20
[ 31.554220] dump_stack+0xf0/0x144
[ 31.557732] print_address_description.isra.7+0x3c/0x3d8
[ 31.563190] __kasan_report+0x158/0x23c
[ 31.567144] kasan_report+0xc/0x18
[ 31.570649] __asan_report_load4_noabort+0x18/0x20
[ 31.575572] core_ctl_set_boost+0x554/0x558
[ 31.579881] z3d22747cee+0x14/0x58
[ 31.583385] z991cee001b+0x884/0xd70
[ 31.587071] sched_boost_handler+0xe4/0x108
[ 31.591381] proc_sys_call_handler+0x384/0x420
[ 31.595954] proc_sys_write+0x10/0x18
[ 31.599728] __vfs_write+0x54/0xe8
[ 31.603232] vfs_write+0x15c/0x430
[ 31.606736] ksys_write+0xe8/0x1c0
[ 31.610241] __arm64_sys_write+0x68/0x98
[ 31.614282] el0_svc_common.constprop.0+0x1c0/0x370
[ 31.619302] el0_svc_handler+0xd4/0x178
[ 31.623257] el0_svc+0x8/0xc
Change-Id: I71e71d61e080c1ce948bd0400f9ebb0705a2210b
Signed-off-by: Kassey Li <yingangl@codeaurora.org>
Signed-off-by: Lingutla Chandrasekhar <clingutla@codeaurora.org>
diff --git a/kernel/sched/core_ctl.c b/kernel/sched/core_ctl.c
index bd64b1a..d906509 100644
--- a/kernel/sched/core_ctl.c
+++ b/kernel/sched/core_ctl.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2018, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2018, 2020 The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -75,8 +75,8 @@
static unsigned int num_clusters;
#define for_each_cluster(cluster, idx) \
- for ((cluster) = &cluster_state[idx]; (idx) < num_clusters;\
- (idx)++, (cluster) = &cluster_state[idx])
+ for (; (idx) < num_clusters && ((cluster) = &cluster_state[idx]);\
+ (idx)++)
static DEFINE_SPINLOCK(state_lock);
static void apply_need(struct cluster_data *state);
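Review bot: In the rewritten `for_each_cluster`, `cluster` is assigned only while `(idx) < num_clusters` holds, so when the body never runs (for example `num_clusters == 0`, or `idx` already at the limit) the caller's `cluster` keeps whatever value it had before. After a normal exit it now points at the last valid entry instead of `&cluster_state[num_clusters]`. Any call site that reads `cluster` after the loop would therefore use a stale or uninitialised pointer without tripping KASAN. The trace names `core_ctl_set_boost`, which is outside this hunk, so that function and the other users of the macro are worth auditing for post-loop use. The macro also still relies on the caller initialising `idx`, and I would state both contracts above it, e.g. `/* caller must initialise idx; cluster is valid only inside the loop body */`.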