From 2b14e54a405a90c0c14bc24c8ea711c400c9ed82 Mon Sep 17 00:00:00 2001 From: Bo He Date: Thu, 22 May 2025 20:46:22 +0800 Subject: [PATCH] fix the global-out-of-bounds in update_pdata the patch is to fix the below issue: BUG: KASAN: global-out-of-bounds in update_pdata+0x80b/0xcc0 [ipu6_acpi_pdata] Write of size 8 at addr ffffffffc09bace8 by task (udev-worker)/235 Call Trace: dump_stack_lvl+0x36/0x80 print_report+0xcf/0x640 ? kasan_unpoison+0x44/0x80 ? lock_acquire.part.0.isra.0+0x41/0xc0 ? update_pdata+0x80b/0xcc0 [ipu6_acpi_pdata] kasan_report+0xb7/0x100 ? update_pdata+0x80b/0xcc0 [ipu6_acpi_pdata] update_pdata+0x80b/0xcc0 [ipu6_acpi_pdata] get_sensor_pdata+0x2dd/0x940 [ipu6_acpi_pdata] ? __pfx_get_sensor_pdata+0x40/0x40 [ipu6_acpi_pdata] ipu_acpi_test+0x2c4/0x400 [ipu6_acpi] ? __pfx_get_sensor_pdata+0x40/0x40 [ipu6_acpi_pdata] ? __pfx_ipu_acpi_test+0x40/0x40 [ipu6_acpi] bus_for_each_dev+0xcf/0x140 ? __pfx_bus_for_each_dev+0x40/0x40 ? do_raw_spin_unlock+0xa6/0x140 ? __pfx_isys_init_acpi_add_device+0x40/0x40 [intel_ipu6] ipu_get_acpi_devices+0x52/0x100 [ipu6_acpi] ipu_pci_probe+0x106d/0x1400 [intel_ipu6] ? __pfx_lock_release+0x40/0x40 ? __pfx_ipu_pci_probe+0x40/0x40 [intel_ipu6] ? lock_acquire.part.0.isra.0+0x80/0xc0 ? do_raw_spin_unlock+0xa6/0x140 ? _raw_spin_unlock_irqrestore+0x22/0x80 pci_device_probe+0xf8/0x240 really_probe+0x276/0x5c0 Signed-off-by: Bo He
---
 drivers/media/platform/intel/ipu6-acpi-pdata.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/intel/ipu6-acpi-pdata.c b/drivers/media/platform/intel/ipu6-acpi-pdata.c
index 511dd8726fec..a66e530bf339 100644
--- a/drivers/media/platform/intel/ipu6-acpi-pdata.c
+++ b/drivers/media/platform/intel/ipu6-acpi-pdata.c
@@ -35,7 +35,7 @@ static struct ipu_isys_clk_mapping clk_mapping[] = {
 };
 struct ipu_isys_subdev_pdata acpi_subdev_pdata = {
- .subdevs = (struct ipu_isys_subdev_info *[]) {
+ .subdevs = (struct ipu_isys_subdev_info *[MAX_ACPI_SENSOR_NUM + 1]) {
 NULL,
 },
 .clk_map = clk_mapping,
@@ -158,7 +158,7 @@ static void add_local_subdevs(struct ipu_isys_subdev_info *new_subdev_info)
 struct ipu_isys_subdev_pdata *ptr_acpi_subdev_pdata = &acpi_subdev_pdata;
 int i = 0;
- while (i <= MAX_ACPI_SENSOR_NUM) {
+ while (i < MAX_ACPI_SENSOR_NUM) {
 if (!ptr_acpi_subdev_pdata->subdevs[i]) {
 ptr_acpi_subdev_pdata->subdevs[i] = new_subdev_info;
 ptr_acpi_subdev_pdata->subdevs[i+1] = NULL;
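Review bot: The new bound on the `.subdevs` compound literal carries an invariant that nothing at the initializer states: `MAX_ACPI_SENSOR_NUM` usable slots plus one slot for the NULL terminator that add_local_subdevs() writes at `subdevs[i+1]`. A comment above the initializer, e.g. `/* MAX_ACPI_SENSOR_NUM sensors + NULL terminator; add_local_subdevs() relies on this size */`, would keep the array size and the loop bound from drifting apart again. The KASAN report in the description names update_pdata() while the patch changes only add_local_subdevs(); presumably the latter is inlined there, but update_pdata() is not shown in this patch, so any other write to `subdevs` on that path should be confirmed to stay within the same bound.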
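Review bot: With the loop in add_local_subdevs() now stopping at `i < MAX_ACPI_SENSOR_NUM`, a sensor that arrives when every slot is already taken appears to be dropped without any trace, because the function returns void and the visible lines have no path for the full case. The call trace in the description suggests entries are added during ACPI device enumeration, so firmware that describes more sensors than the table holds would lose one silently. A check after the loop such as `if (i == MAX_ACPI_SENSOR_NUM) pr_warn("acpi subdev table full, sensor not added\n");` would make that visible. The loop body continues past the end of the hunk, so confirm that `i` is left at the bound only when no free slot was found.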