diff options
| author | Shree Ramamoorthy <[email protected]> | 2025-06-20 15:45:41 +0000 |
|---|---|---|
| committer | Mark Brown <[email protected]> | 2025-06-29 21:10:41 +0000 |
| commit | eeca209124bb694650026216d3e59cae02d91686 (patch) | |
| tree | 86e9744673966b497491f0445ba3e7867ed213ae /drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.c | |
| parent | regulator: core: fix NULL dereference on unbind due to stale coupling data (diff) | |
| download | kernel-eeca209124bb694650026216d3e59cae02d91686.tar.gz kernel-eeca209124bb694650026216d3e59cae02d91686.zip | |
regulator: tps65219: Fix devm_kmalloc size allocation
In probe(), two arrays of structs are allocated with the devm_kmalloc()
function, but the memory size of the allocations were given as the arrays'
length (pmic->common_irq_size for the first call and pmic->dev_irq_size for
the second devm_kmalloc call). The memory size should have been the total
memory needed.
This led to a heap overflow when the struct array was used. The issue was
first discovered with the PocketBeagle2 and BeaglePlay. The common and
device-specific structs are now allocated one at a time within the loop.
Fixes: 38c9f98db20a ("regulator: tps65219: Add support for TPS65215 Regulator IRQs")
Reported-by: Dhruva Gole <[email protected]>
Closes: https://lore.kernel.org/all/[email protected]/
Tested-by: Robert Nelson <[email protected]>
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Shree Ramamoorthy <[email protected]>
Reviewed-by: Nishanth Menon <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Mark Brown <[email protected]>
Diffstat (limited to 'drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.c')
0 files changed, 0 insertions, 0 deletions