xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d9f966357b14e356dbd83b8f4a197a287ab4ff83
android_kernel_xiaomi_sm8450/arch/arm/kernel
History
Stephen Boyd d9f966357b ARM: 7810/1: perf: Fix array out of bounds access in armpmu_map_hw_event() 
Vince Weaver reports an oops in the ARM perf event code while
running his perf_fuzzer tool on a pandaboard running v3.11-rc4.

Unable to handle kernel paging request at virtual address 73fd14cc
pgd = eca6c000
[73fd14cc] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in: snd_soc_omap_hdmi omapdss snd_soc_omap_abe_twl6040 snd_soc_twl6040 snd_soc_omap snd_soc_omap_hdmi_card snd_soc_omap_mcpdm snd_soc_omap_mcbsp snd_soc_core snd_compress regmap_spi snd_pcm snd_page_alloc snd_timer snd soundcore
CPU: 1 PID: 2790 Comm: perf_fuzzer Not tainted 3.11.0-rc4 #6
task: eddcab80 ti: ed892000 task.ti: ed892000
PC is at armpmu_map_event+0x20/0x88
LR is at armpmu_event_init+0x38/0x280
pc : [<c001c3e4>]    lr : [<c001c17c>]    psr: 60000013
sp : ed893e40  ip : ecececec  fp : edfaec00
r10: 00000000  r9 : 00000000  r8 : ed8c3ac0
r7 : ed8c3b5c  r6 : edfaec00  r5 : 00000000  r4 : 00000000
r3 : 000000ff  r2 : c0496144  r1 : c049611c  r0 : edfaec00
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 10c5387d  Table: aca6c04a  DAC: 00000015
Process perf_fuzzer (pid: 2790, stack limit = 0xed892240)
Stack: (0xed893e40 to 0xed894000)
3e40: 00000800 c001c17c 00000002 c008a748 00000001 00000000 00000000 c00bf078
3e60: 00000000 edfaee50 00000000 00000000 00000000 edfaec00 ed8c3ac0 edfaec00
3e80: 00000000 c073ffac ed893f20 c00bf180 00000001 00000000 c00bf078 ed893f20
3ea0: 00000000 ed8c3ac0 00000000 00000000 00000000 c0cb0818 eddcab80 c00bf440
3ec0: ed893f20 00000000 eddcab80 eca76800 00000000 eca76800 00000000 00000000
3ee0: 00000000 ec984c80 eddcab80 c00bfe68 00000000 00000000 00000000 00000080
3f00: 00000000 ed892000 00000000 ed892030 00000004 ecc7e3c8 ecc7e3c8 00000000
3f20: 00000000 00000048 ecececec 00000000 00000000 00000000 00000000 00000000
3f40: 00000000 00000000 00297810 00000000 00000000 00000000 00000000 00000000
3f60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
3f80: 00000002 00000002 000103a4 00000002 0000016c c00128e8 ed892000 00000000
3fa0: 00090998 c0012700 00000002 000103a4 00090ab8 00000000 00000000 0000000f
3fc0: 00000002 000103a4 00000002 0000016c 00090ab0 00090ab8 000107a0 00090998
3fe0: bed92be0 bed92bd0 0000b785 b6e8f6d0 40000010 00090ab8 00000000 00000000
[<c001c3e4>] (armpmu_map_event+0x20/0x88) from [<c001c17c>] (armpmu_event_init+0x38/0x280)
[<c001c17c>] (armpmu_event_init+0x38/0x280) from [<c00bf180>] (perf_init_event+0x108/0x180)
[<c00bf180>] (perf_init_event+0x108/0x180) from [<c00bf440>] (perf_event_alloc+0x248/0x40c)
[<c00bf440>] (perf_event_alloc+0x248/0x40c) from [<c00bfe68>] (SyS_perf_event_open+0x4f4/0x8fc)
[<c00bfe68>] (SyS_perf_event_open+0x4f4/0x8fc) from [<c0012700>] (ret_fast_syscall+0x0/0x48)
Code: 0a000005 e3540004 0a000016 e3540000 (0791010c)

This is because event->attr.config in armpmu_event_init()
contains a very large number copied directly from userspace and
is never checked against the size of the array indexed in
armpmu_map_hw_event(). Fix the problem by checking the value of
config before indexing the array and rejecting invalid config
values.

Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2013-08-13 20:21:44 +01:00
..
.gitignore
arch_timer.c
sched_clock: Make ARM's sched_clock generic for all architectures
2013-06-12 14:02:13 -07:00
armksyms.c
Merge branches 'audit', 'delay', 'fixes', 'misc' and 'sta2x11' into for-linus
2012-07-27 23:06:32 +01:00
arthur.c
asm-offsets.c
ARM: kernel: implement stack pointer save array through MPIDR hashing
2013-06-20 11:24:11 +01:00
atags_compat.c
ARM: 7505/1: split out ATAGS parsing
2012-09-03 22:55:56 +01:00
atags_parse.c
ARM: 7505/1: split out ATAGS parsing
2012-09-03 22:55:56 +01:00
atags_proc.c
procfs: new helper - PDE_DATA(inode)
2013-04-09 14:13:32 -04:00
atags.h
ARM: 7506/1: allow for ATAGS to be configured out when DT support is selected
2012-09-03 22:56:15 +01:00
bios32.c
ARM: pci: create pci_common_init_dev()
2013-06-03 08:02:47 +02:00
calls.S
ARM: 7665/1: Wire up kcmp syscall
2013-03-03 22:54:18 +00:00
cpuidle.c
cpuidle: Add common time keeping and irq enabling
2012-03-21 01:59:40 -04:00
crash_dump.c
debug.S
ARM: compile fix for DEBUG_LL=y && MMU=n
2013-01-16 14:30:06 -08:00
devtree.c
ARM: dt: Only print warning, not WARN() on bad cpu map in device tree
2013-06-29 17:00:40 -07:00
dma-isa.c
dma.c
locking, ARM: Annotate low level hw locks as raw
2011-09-13 11:12:14 +02:00
early_printk.c
early_printk: consolidate random copies of identical code
2013-04-29 18:28:13 -07:00
elf.c
Disintegrate asm/system.h for ARM
2012-03-28 18:30:01 +01:00
entry-armv.S
ARM: Fix !kuser helpers case
2013-08-07 14:00:11 +01:00
entry-common.S
Merge branch 'devel-stable' into for-next
2013-06-29 11:44:43 +01:00
entry-header.S
Merge branch 'for-next' of git://git.pengutronix.de/git/ukl/linux into devel-stable
2013-05-22 10:52:24 +01:00
entry-v7m.S
ARM: ARMv7-M: Add support for exception handling
2013-04-17 21:44:46 +02:00
etm.c
ARM/etm/sysrq: fix inconstistent help message of sysrq key
2013-04-30 17:04:10 -07:00
fiq.c
ARM: Fix FIQ code on VIVT CPUs
2013-08-08 12:03:29 +01:00
fiqasm.S
ftrace.c
ARM: 7468/1: ftrace: Trace function entry before updating index
2012-07-31 10:30:42 +01:00
head-common.S
arm: delete __cpuinit/__CPUINIT usage from all ARM users
2013-07-14 19:36:52 -04:00
head-nommu.S
arm: delete __cpuinit/__CPUINIT usage from all ARM users
2013-07-14 19:36:52 -04:00
head.S
arm: delete __cpuinit/__CPUINIT usage from all ARM users
2013-07-14 19:36:52 -04:00
hw_breakpoint.c
arm: delete __cpuinit/__CPUINIT usage from all ARM users
2013-07-14 19:36:52 -04:00
hyp-stub.S
ARM: arch_timer: stop virtual timer when booted in HYP mode
2013-06-07 10:20:29 +01:00
insn.c
ARM: fix missing bug.h include in arch/arm/kernel/insn.c
2012-03-30 11:51:46 +01:00
insn.h
ARM: 7334/1: add jump label support
2012-03-24 09:38:56 +00:00
io.c
arm: convert core files from module.h to export.h
2011-10-31 19:30:49 -04:00
irq.c
ARM: irq: Call irqchip_init if no init_irq function is specified
2013-04-02 11:05:40 -07:00
isa.c
iwmmxt.S
ARM: pxa: fix logic error in PJ4 iWMMXt handling
2011-08-11 10:10:26 +08:00
jump_label.c
ARM: 7334/1: add jump label support
2012-03-24 09:38:56 +00:00
kgdb.c
kprobes-arm.c
ARM: 7181/1: Restrict kprobes probing SWP instructions to ARMv5 and below
2011-11-30 23:54:54 +00:00
kprobes-common.c
Disintegrate asm/system.h for ARM
2012-03-28 18:30:01 +01:00
kprobes-test-arm.c
ARM: kprobes: make more tests conditional
2012-10-09 17:07:43 +02:00
kprobes-test-thumb.c
ARM: 7174/1: Fix build error in kprobes test code on Thumb2 kernels
2011-11-26 21:58:53 +00:00
kprobes-test.c
treewide: fix printk typo in multiple drivers
2012-11-19 11:08:17 +01:00
kprobes-test.h
ARM: 7174/1: Fix build error in kprobes test code on Thumb2 kernels
2011-11-26 21:58:53 +00:00
kprobes-thumb.c
ARM: 7423/1: kprobes: run t32_simulate_ldr_literal() without insn slot
2012-06-14 15:11:44 +01:00
kprobes.c
hlist: drop the node parameter from iterators
2013-02-27 19:10:24 -08:00
kprobes.h
ARM: kprobes: Add exports for test code
2011-09-20 18:17:43 +00:00
machine_kexec.c
ARM: 7759/1: decouple CPU offlining from reboot/shutdown
2013-06-17 21:35:25 +01:00
Makefile
Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2013-07-06 14:09:38 -07:00
module.c
Finally eradicate CONFIG_HOTPLUG
2013-06-03 14:20:18 -07:00
opcodes.c
ARM: 7206/1: Add generic ARM instruction set condition code checks.
2011-12-13 08:52:02 +00:00
patch.c
ARM: 7332/1: extract out code patch function from kprobes
2012-03-24 09:38:55 +00:00
patch.h
ARM: 7332/1: extract out code patch function from kprobes
2012-03-24 09:38:55 +00:00
perf_event_cpu.c
arm: delete __cpuinit/__CPUINIT usage from all ARM users
2013-07-14 19:36:52 -04:00
perf_event_v6.c
ARM: perf: don't pretend to support counting of L1I writes
2013-01-16 12:01:59 +00:00
perf_event_v7.c
ARM: 7663/1: perf: fix ARMv7 EVTYPE_MASK to include NSH bit
2013-03-03 22:54:17 +00:00
perf_event_xscale.c
ARM: perf: don't pretend to support counting of L1I writes
2013-01-16 12:01:59 +00:00
perf_event.c
ARM: 7810/1: perf: Fix array out of bounds access in armpmu_map_hw_event()
2013-08-13 20:21:44 +01:00
pj4-cp0.c
arm: remove several unnecessary module.h include instances
2011-10-31 19:30:48 -04:00
process.c
ARM: Fix the world famous typo with is_gate_vma()
2013-08-07 14:00:10 +01:00
psci_smp.c
arm: delete __cpuinit/__CPUINIT usage from all ARM users
2013-07-14 19:36:52 -04:00
psci.c
arm: introduce psci_smp_ops
2013-05-21 14:24:11 +00:00
ptrace.c
ptrace/arm: revert "hw_breakpoints: Fix racy access to ptrace breakpoints"
2013-07-09 10:33:25 -07:00
relocate_kernel.S
ARM: 7065/1: kexec: ensure new kernel is entered in ARM state
2011-08-28 10:39:41 +01:00
return_address.c
ARM: 7676/1: fix a wrong value returned from CALLER_ADDRn
2013-03-19 11:43:46 +00:00
setup.c
reboot: arm: prepare reboot_mode for moving to generic kernel code
2013-07-09 10:33:29 -07:00
signal.c
ARM: fix nommu builds with 48be69a02 (ARM: move signal handlers into a vdso-like page)
2013-08-03 10:49:01 +01:00
sleep.S
ARM: kernel: implement stack pointer save array through MPIDR hashing
2013-06-20 11:24:11 +01:00
smp_scu.c
Merge branch 'for-next' of git://git.pengutronix.de/git/ukl/linux into devel-stable
2013-03-09 15:49:32 +00:00
smp_tlb.c
ARM: 7769/1: Cortex-A15: fix erratum 798181 implementation
2013-06-24 15:27:35 +01:00
smp_twd.c
arm: delete __cpuinit/__CPUINIT usage from all ARM users
2013-07-14 19:36:52 -04:00
smp.c
arm: delete __cpuinit/__CPUINIT usage from all ARM users
2013-07-14 19:36:52 -04:00
stacktrace.c
arm: convert core files from module.h to export.h
2011-10-31 19:30:49 -04:00
suspend.c
ARM: kernel: implement stack pointer save array through MPIDR hashing
2013-06-20 11:24:11 +01:00
swp_emulate.c
arm: single_open() leaks
2013-05-05 00:07:22 -04:00
sys_arm.c
arm: switch to generic fork/vfork/clone
2012-11-28 22:13:54 -05:00
sys_oabi-compat.c
userns: Convert stat to return values mapped from kuids and kgids
2012-05-15 14:08:35 -07:00
tcm.c
ARM: 7694/1: ARM, TCM: initialize TCM in paging_init(), instead of setup_arch()
2013-04-17 16:53:24 +01:00
thumbee.c
ARM: 7385/1: ThumbEE: Use cpuid macros to read ID_PFR0 for ThumbEE
2012-04-25 19:49:26 +01:00
time.c
sched_clock: Make ARM's sched_clock generic for all architectures
2013-06-12 14:02:13 -07:00
topology.c
ARM: 7742/1: topology: export cpu_topology
2013-06-05 23:32:26 +01:00
traps.c
ARM: move signal handlers into a vdso-like page
2013-08-01 14:31:56 +01:00
unwind.c
ARM: unwinder: fix bisection to find origin in .idx section
2011-12-15 14:02:19 -08:00
vmlinux.lds.S
ARM: use linker magic for vectors and vector stubs
2013-07-31 21:34:24 +01:00
xscale-cp0.c
arm: remove several unnecessary module.h include instances
2011-10-31 19:30:48 -04:00