git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Anders Roxell <anders.roxell@linaro.org>
	Sat, 30 Aug 2025 09:49:53 +0000 (11:49 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 19 Sep 2025 14:37:38 +0000 (16:37 +0200)
commit	d5e82f3f2c918d446df46e8d65f8083fd97cdec5
tree	dca65640c7d8e75ed3df20b4b43b32e645a21d04	tree \| snapshot
parent	db5d7abd379a8dcf030be8f52f99cadf7e397ba8	commit \| diff

dmaengine: ti: edma: Fix memory allocation size for queue_priority_map

[ Upstream commit e63419dbf2ceb083c1651852209c7f048089ac0f ]

Fix a critical memory allocation bug in edma_setup_from_hw() where
queue_priority_map was allocated with insufficient memory. The code
declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),
but allocated memory using sizeof(s8) instead of the correct size.

This caused out-of-bounds memory writes when accessing:
queue_priority_map[i][0] = i;
queue_priority_map[i][1] = i;

The bug manifested as kernel crashes with "Oops - undefined instruction"
on ARM platforms (BeagleBoard-X15) during EDMA driver probe, as the
memory corruption triggered kernel hardening features on Clang.

Change the allocation to use sizeof(*queue_priority_map) which
automatically gets the correct size for the 2D array structure.

Fixes: 2b6b3b742019 ("ARM/dmaengine: edma: Merge the two drivers under drivers/dma/")
Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
Link: https://lore.kernel.org/r/20250830094953.3038012-1-anders.roxell@linaro.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>