Re:[PATCH v7] cpufreq/pasemi: fix an use-after-freeinpas_cpufreq_cpu_init()
>>> Hello Wen, >>> >>> Thanks for your patch! >>> >>> Did you test your patch with a P.A. Semi board? >>> >> Hello Christian, thank you. >> We don't have a P.A. Semi board yet, so we didn't test it. >> If you have such a board, could you please kindly help to test it? >> >> -- >> Thanks and regards, >> Wen > > Hello Wen, > > I successfully tested your pasemi cpufreq modifications with my P.A. > Semi board [1] today. > > First I patched the latest Git kernel with Viresh Kumar's patch [2]. > After that I was able to patch the latest Git kernel with your v7 patch [3]. > > Then the kernel compiled without any errors. > > Afterwards I successfully tested the new Git kernel with some cpufreq > governors on openSUSE Tumbleweed 20190521 PowerPC64 [4] and on ubuntu > MATE 16.04.6 LTS PowerPC32. > > Thanks a lot for your work! > > Tested-by: Christian Zigotzky > > Cheers, > Christian Thank you very much! -- Cheers, Wen > [1] https://en.wikipedia.org/wiki/AmigaOne_X1000 > [2] > https://lore.kernel.org/lkml/ee8cf5fb4b4a01fdf9199037ff6d835b935cfd13.1562902877.git.viresh.ku...@linaro.org/#Z30drivers:cpufreq:pasemi-cpufreq.c > [3] https://lists.ozlabs.org/pipermail/linuxppc-dev/2019-July/193735.html > [4] Screenshots: > https://i.pinimg.com/originals/37/66/93/37669306cbc909a9d79270a849d18aa6.png > and > https://i.pinimg.com/originals/fe/f8/bf/fef8bfc90d95b5ae9cf31e175e8ba2da.png
Re: [PATCH v6] cpufreq/pasemi: fix an use-after-free inpas_cpufreq_cpu_init()
> > The cpu variable is still being used in the of_get_property() call
> > after the of_node_put() call, which may result in use-after-free.
> >
> > Fixes: a9acc26b75f6 ("cpufreq/pasemi: fix possible object reference leak")
> > Signed-off-by: Wen Yang
> > Cc: "Rafael J. Wysocki"
> > Cc: Viresh Kumar
> > Cc: Michael Ellerman
> > Cc: linuxppc-dev@lists.ozlabs.org
> > Cc: linux...@vger.kernel.org
> > Cc: linux-ker...@vger.kernel.org
> > ---
> > v6: keep the blank line and fix warning: label 'out_unmap_sdcpwr' defined
> > but not used.
> > v5: put together the code to get, use, and release cpu device_node.
> > v4: restore the blank line.
> > v3: fix a leaked reference.
> > v2: clean up the code according to the advice of viresh.
> >
> > drivers/cpufreq/pasemi-cpufreq.c | 26 ++
> > 1 file changed, 14 insertions(+), 12 deletions(-)
> >
> > diff --git a/drivers/cpufreq/pasemi-cpufreq.c
> > b/drivers/cpufreq/pasemi-cpufreq.c
> > index 6b1e4ab..7d557f9 100644
> > --- a/drivers/cpufreq/pasemi-cpufreq.c
> > +++ b/drivers/cpufreq/pasemi-cpufreq.c
> > @@ -131,10 +131,18 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy
> > *policy)
> > int err = -ENODEV;
> >
> > cpu = of_get_cpu_node(policy->cpu, NULL);
> > +if (!cpu)
> > +goto out;
> >
> > +max_freqp = of_get_property(cpu, "clock-frequency", NULL);
> > of_node_put(cpu);
> > -if (!cpu)
> > +if (!max_freqp) {
> > +err = -EINVAL;
> > goto out;
> > +}
> > +
> > +/* we need the freq in kHz */
> > +max_freq = *max_freqp / 1000;
> >
> > dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
> > if (!dn)
> > @@ -171,16 +179,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy
> > *policy)
> > }
> >
> > pr_debug("init cpufreq on CPU %d\n", policy->cpu);
> > -
> > -max_freqp = of_get_property(cpu, "clock-frequency", NULL);
> > -if (!max_freqp) {
> > -err = -EINVAL;
> > -goto out_unmap_sdcpwr;
> > -}
> > -
> > -/* we need the freq in kHz */
> > -max_freq = *max_freqp / 1000;
> > -
> > pr_debug("max clock-frequency is at %u kHz\n", max_freq);
> > pr_debug("initializing frequency table\n");
> >
> > @@ -196,7 +194,11 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy
> > *policy)
> > policy->cur = pas_freqs[cur_astate].frequency;
> > ppc_proc_freq = policy->cur * 1000ul;
> >
> > -return cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency());
> > +err = cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency());
>
> So you are trying to fix an earlier issue here with this. Should have
> been a separate patch. Over that I have just sent a patch now to make
> this routine return void.
>
> https://lore.kernel.org/lkml/ee8cf5fb4b4a01fdf9199037ff6d835b935cfd13.1562902877.git.viresh.ku...@linaro.org/
>
> So all you need to do is to remove the label out_unmap_sdcpwr instead.
Okay thank you.
Now this patch
(https://lore.kernel.org/lkml/ee8cf5fb4b4a01fdf9199037ff6d835b935cfd13.1562902877.git.viresh.ku...@linaro.org/)
seems to have not been merged into the linux-next.
In order to avoid code conflicts, we will wait until this patch is merged in
and then send v7.
--
Thanks and regards,
Wen
> > +if (err)
> > +goto out_unmap_sdcpwr;
> > +
> > +return 0;
> >
> > out_unmap_sdcpwr:
> > iounmap(sdcpwr_mapbase);
> > --
> > 2.9.5
Re: [PATCH v6] cpufreq/pasemi: fix an use-after-free inpas_cpufreq_cpu_init()
> > The cpu variable is still being used in the of_get_property() call
> > after the of_node_put() call, which may result in use-after-free.
> >
> > Fixes: a9acc26b75f6 ("cpufreq/pasemi: fix possible object reference leak")
> > Signed-off-by: Wen Yang
> > Cc: "Rafael J. Wysocki"
> > Cc: Viresh Kumar
> > Cc: Michael Ellerman
> > Cc: linuxppc-dev@lists.ozlabs.org
> > Cc: linux...@vger.kernel.org
> > Cc: linux-ker...@vger.kernel.org
> > ---
> > v6: keep the blank line and fix warning: label 'out_unmap_sdcpwr' defined
> > but not used.
> > v5: put together the code to get, use, and release cpu device_node.
> > v4: restore the blank line.
> > v3: fix a leaked reference.
> > v2: clean up the code according to the advice of viresh.
> >
> > drivers/cpufreq/pasemi-cpufreq.c | 26 ++
> > 1 file changed, 14 insertions(+), 12 deletions(-)
> >
> > diff --git a/drivers/cpufreq/pasemi-cpufreq.c
> > b/drivers/cpufreq/pasemi-cpufreq.c
> > index 6b1e4ab..7d557f9 100644
> > --- a/drivers/cpufreq/pasemi-cpufreq.c
> > +++ b/drivers/cpufreq/pasemi-cpufreq.c
> > @@ -131,10 +131,18 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy
> > *policy)
> > int err = -ENODEV;
> >
> > cpu = of_get_cpu_node(policy->cpu, NULL);
> > +if (!cpu)
> > +goto out;
> >
> > +max_freqp = of_get_property(cpu, "clock-frequency", NULL);
> > of_node_put(cpu);
> > -if (!cpu)
> > +if (!max_freqp) {
> > +err = -EINVAL;
> > goto out;
> > +}
> > +
> > +/* we need the freq in kHz */
> > +max_freq = *max_freqp / 1000;
> >
> > dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
> > if (!dn)
> > @@ -171,16 +179,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy
> > *policy)
> > }
> >
> > pr_debug("init cpufreq on CPU %d\n", policy->cpu);
> > -
> > -max_freqp = of_get_property(cpu, "clock-frequency", NULL);
> > -if (!max_freqp) {
> > -err = -EINVAL;
> > -goto out_unmap_sdcpwr;
> > -}
> > -
> > -/* we need the freq in kHz */
> > -max_freq = *max_freqp / 1000;
> > -
> > pr_debug("max clock-frequency is at %u kHz\n", max_freq);
> > pr_debug("initializing frequency table\n");
> >
> > @@ -196,7 +194,11 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy
> > *policy)
> > policy->cur = pas_freqs[cur_astate].frequency;
> > ppc_proc_freq = policy->cur * 1000ul;
> >
> > -return cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency());
> > +err = cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency());
>
> So you are trying to fix an earlier issue here with this. Should have
> been a separate patch. Over that I have just sent a patch now to make
> this routine return void.
>
> https://lore.kernel.org/lkml/ee8cf5fb4b4a01fdf9199037ff6d835b935cfd13.1562902877.git.viresh.ku...@linaro.org/
>
> So all you need to do is to remove the label out_unmap_sdcpwr instead.
Ok, thanks.
--
Cheers,
Wen
Re: Coccinelle: Checking of_node_put() calls with SmPL
> > we developed a coccinelle script to detect such problems.
>
> Would you find the implementation of the function “dt_init_idle_driver”
> suspicious according to discussed source code search patterns?
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/cpuidle/dt_idle_states.c?id=e9a83bd2322035ed9d7dcf35753d3f984d76c6a5#n208
> https://elixir.bootlin.com/linux/v5.2/source/drivers/cpuidle/dt_idle_states.c#L208
>
>
> > This script is still being improved.
>
> Will corresponding software development challenges become more interesting?
Hello Markus,
This is the simplified code pattern for it:
172 for (i = 0; ; i++) {
173 state_node = of_parse_phandle(...); ---> Obtain here
...
177 match_id = of_match_node(matches, state_node);
178 if (!match_id) {
179 err = -ENODEV;
180 break; ---> Jump out of
the loop without releasing it
181 }
182
183 if (!of_device_is_available(state_node)) {
184 of_node_put(state_node);
185 continue;---> Release the
object references within a loop
186 }
...
208 of_node_put(state_node); --> Release the object
references within a loop
209 }
210
211 of_node_put(state_node); -->There may be double free here.
This code pattern is very interesting and the coccinelle software should also
recognize this pattern.
Regards,
Wen
Re: [1/2] powerpc/83xx: fix use-after-free in mpc831x_usb_cfg()
> > The immr_node variable is still being used after the of_node_put() call, > > which may result in use-after-free. > > Was any known source code analysis tool involved to point such > a questionable implementation detail out for further software > development considerations? Hi Markus, we developed a coccinelle script to detect such problems. This script is still being improved. After a period of testing, we will send it to the LMKL mailing list later. -- Regards, Wen
Re: powerpc/83xx: fix use-after-free on mpc831x_usb_cfg()
> > The np variable is still being used after the of_node_put() call, > > > which may result in use-after-free. > > > We fix this issue by calling of_node_put() after the last usage. > > > I imagine that this commit description can be improved a bit more > (by mentioning the influence of “immr_node”?). > How do you think about to omit the word “We” here? > > > > This patatch also do some cleanup. > > > Should the renaming of a jump label be contributed in a separate update > step of a small patch series besides a wording without a typo? Thank you for your comments. We will improve the commit description and send v2 as soon as possible. -- Regards, Wen
Re:[PATCH v3] cpufreq/pasemi: fix an use-after-free inpas_cpufreq_cpu_init()
> Hello Wen, > > Thanks for your patch! > > Did you test your patch with a P.A. Semi board? > Hello Christian, thank you. We don't have a P.A. Semi board yet, so we didn't test it. If you have such a board, could you please kindly help to test it? -- Thanks and regards, Wen
Re: [PATCH v2] cpufreq/pasemi: fix an use-after-free inpas_cpufreq_cpu_init()
> > The cpu variable is still being used in the of_get_property() call
> > after the of_node_put() call, which may result in use-after-free.
> >
> > Fixes: a9acc26b75f ("cpufreq/pasemi: fix possible object reference leak")
> > Signed-off-by: Wen Yang
> > Cc: "Rafael J. Wysocki"
> > Cc: Viresh Kumar
> > Cc: linuxppc-dev@lists.ozlabs.org
> > Cc: linux...@vger.kernel.org
> > Cc: linux-ker...@vger.kernel.org
> > ---
> > v2: clean up the code according to the advice of viresh.
> >
> > drivers/cpufreq/pasemi-cpufreq.c | 10 +-
> > 1 file changed, 5 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/cpufreq/pasemi-cpufreq.c
> > b/drivers/cpufreq/pasemi-cpufreq.c
> > index 6b1e4ab..c6d464b 100644
> > --- a/drivers/cpufreq/pasemi-cpufreq.c
> > +++ b/drivers/cpufreq/pasemi-cpufreq.c
> > @@ -128,20 +128,18 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy
> > *policy)
> > int cur_astate, idx;
> > struct resource res;
> > struct device_node *cpu, *dn;
> > -int err = -ENODEV;
> > +int err;
> >
> > cpu = of_get_cpu_node(policy->cpu, NULL);
> > -
> > -of_node_put(cpu);
> > if (!cpu)
> > -goto out;
> > +return -ENODEV;
> >
>
>
> > dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
> > if (!dn)
> > dn = of_find_compatible_node(NULL, NULL,
> > "pasemi,pwrficient-sdc");
> > if (!dn)
> > -goto out;
> > +return -ENODEV;
>
> This change looks incorrect. You still need to drop reference to cpu ?
>
Thanks!
We will fix it immediately.
--
Thanks and regards,
Wen
Re: [PATCH] cpufreq/pasemi: fix an use-after-free inpas_cpufreq_cpu_init()
> > The cpu variable is still being used in the of_get_property() call
> > after the of_node_put() call, which may result in use-after-free.
> >
> > Fixes: a9acc26b75f ("cpufreq/pasemi: fix possible object reference leak")
> > Signed-off-by: Wen Yang
> > Cc: "Rafael J. Wysocki"
> > Cc: Viresh Kumar
> > Cc: linuxppc-dev@lists.ozlabs.org
> > Cc: linux...@vger.kernel.org
> > Cc: linux-ker...@vger.kernel.org
> > ---
> > drivers/cpufreq/pasemi-cpufreq.c | 10 ++
> > 1 file changed, 6 insertions(+), 4 deletions(-)
>
> I will suggest some changes here.
Hello viresh, thank you for your comments.
We will make changes as soon as possible.
--
Thanks and regards,
Wen
答复: Re: [PATCH v2] powerpc/8xx: fix possible object reference leak
>> The call to of_find_compatible_node returns a node pointer with refcount
>> incremented thus it must be explicitly decremented after the last
>> usage.
>> irq_domain_add_linear also calls of_node_get to increase refcount,
>> so irq_domain will not be affected when it is released.
>>
>> Detected by coccinelle with the following warnings:
>> ./arch/powerpc/platforms/8xx/pic.c:158:1-7: ERROR: missing of_node_put;
>> acquired a node pointer with refcount incremented on line 136, but without a
>> corresponding object release within this function.
>>
>> Fixes: a8db8cf0d894 ("irq_domain: Replace irq_alloc_host() with
>> revmap-specific initializers")
>> Signed-off-by: Wen Yang
>> Suggested-by: Christophe Leroy
>> Reviewed-by: Peng Hao
>> Cc: Vitaly Bordug
>> Cc: Benjamin Herrenschmidt
>> Cc: Paul Mackerras
>> Cc: Michael Ellerman
>> Cc: linuxppc-dev@lists.ozlabs.org
>> Cc: linux-ker...@vger.kernel.org
>> ---
>> arch/powerpc/platforms/8xx/pic.c | 2 --
>> 1 file changed, 2 deletions(-)
>>
>> diff --git a/arch/powerpc/platforms/8xx/pic.c
>> b/arch/powerpc/platforms/8xx/pic.c
>> index 8d5a25d..4453df6 100644
>> --- a/arch/powerpc/platforms/8xx/pic.c
>> +++ b/arch/powerpc/platforms/8xx/pic.c
>> @@ -153,9 +153,7 @@ int mpc8xx_pic_init(void)
>> if (mpc8xx_pic_host == NULL) {
>> printk(KERN_ERR "MPC8xx PIC: failed to allocate irq host!\n");
>> ret = -ENOMEM;
>> -goto out;
>> }
>> -return 0;
>
> It's fragile to rely on ret being equal to zero here. If the code
> further up is changed it's easy enough to miss that ret is expected to
> be zero.
>
> Better to set it to zero here explicitly, this is the success path after
> all, eg:
>
> ret = 0;
>
Thank you for your comments.
I'll fix it soon.
Thanks and regards,
Wen
Re: Re: [PATCH 5/5] powerpc/8xx: fix possible object reference leak
Hi, Christophe,
>> The call to of_find_compatible_node returns a node pointer with refcount
>> incremented thus it must be explicitly decremented after the last
>> usage.
>> irq_domain_add_linear also calls of_node_get to increase refcount,
>> so irq_domain will not be affected when it is released.
>
>
> Should you have a:
>
> Fixes: a8db8cf0d894 ("irq_domain: Replace irq_alloc_host() with
> revmap-specific initializers")
>
> If not, it means your change is in contradiction with commit
> b1725c9319aa ("[POWERPC] arch/powerpc/sysdev: Add missing of_node_put")
Thank you very much.
This problem existed before this commit (a8db8cf0d894).
and the SmPL we used is:
https://lkml.org/lkml/2019/3/14/880
We are still improving this SmPL, and it is somewhat different from the script
used by b1725c9319aa ("[POWERPC] arch/powerpc/sysdev: Add missing of_node_put").
>> Detected by coccinelle with the following warnings:
>> ./arch/powerpc/platforms/8xx/pic.c:158:1-7: ERROR: missing of_node_put;
>> acquired a node pointer with refcount incremented on line 136, but without a
>> corresponding object release within this function.
>>
>> arch/powerpc/platforms/8xx/pic.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/arch/powerpc/platforms/8xx/pic.c
>> b/arch/powerpc/platforms/8xx/pic.c
>> index 8d5a25d..13d880b 100644
>> --- a/arch/powerpc/platforms/8xx/pic.c
>> +++ b/arch/powerpc/platforms/8xx/pic.c
>> @@ -155,6 +155,7 @@ int mpc8xx_pic_init(void)
>> ret = -ENOMEM;
>> goto out;
>> }
>> +of_node_put(np);
>> return 0;
>>
>> out:
>>
>
> I guess it would be better as follows:
>
> --- a/arch/powerpc/platforms/8xx/pic.c
> +++ b/arch/powerpc/platforms/8xx/pic.c
> @@ -153,9 +153,7 @@ int mpc8xx_pic_init(void)
> if (mpc8xx_pic_host == NULL) {
> printk(KERN_ERR "MPC8xx PIC: failed to allocate irq
> host!\n");
> ret = -ENOMEM;
> - goto out;
> }
> - return 0;
>
> out:
> of_node_put(np);
OK.
Thank you.
We will fix it soon.
Thanks and regards,
Wen
Re: [PATCH v3] soc/fsl/qe: fix err handling of ucc_of_parse_tdm
Hi David,
Thank you, we'll fix it soon.
Best wishes,
Wen
--Original Mail--
Sender: DavidMiller
To: peng hao10096742;
CC: qiang.z...@nxp.com leoyang...@nxp.com
linux-ker...@vger.kernel.org
wen yang10156314;julia.law...@lip6.fr
net...@vger.kernel.org
linuxppc-dev@lists.ozlabs.org
Date: 2018/12/29 13:11
Subject: Re: [PATCH v3] soc/fsl/qe: fix err handling of ucc_of_parse_tdm
From: Peng Hao
Date: Wed, 26 Dec 2018 16:26:29 +0800
> diff --git a/drivers/net/wan/fsl_ucc_hdlc.c b/drivers/net/wan/fsl_ucc_hdlc.c
> index 839fa77..8ce4921f 100644
> --- a/drivers/net/wan/fsl_ucc_hdlc.c
> +++ b/drivers/net/wan/fsl_ucc_hdlc.c
> @@ -1057,6 +1057,27 @@ static const struct net_device_ops uhdlc_ops = {
> .ndo_tx_timeout= uhdlc_tx_timeout,
> };
>
> +static int ucc_get_resource_by_nodename(char *name, struct resource *res)
> +{
...
> +res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
> +return 0;
This assignment to 'res' doesn't do what you think it does. The caller never
sees the value you compute.
Re:RE: [PATCH] soc/fsl/qe: fix err handling of ucc_of_parse_tdm
Hi Qiang,
Thank you, we'll send a new version to fix this.
Best regards,
Wen
--Original Mail--
Sender: QiangZhao
To: wang yi10129963;
CC: zhong weidong10001088;lkml
julia.law...@lip6.fr
linuxppc-dev wen
yang10156314;moderatedlist:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE
Leo Li
Date: 2018/12/25 09:58
Subject: RE: [PATCH] soc/fsl/qe: fix err handling of ucc_of_parse_tdm
Hi Wen,
Will you send another version to resolve the issue described in the comments?
BR
Qiang
> -Original Message-
> From: Li Yang
> Sent: 2018年12月6日 4:10
> To: wang.y...@zte.com.cn
> Cc: Qiang Zhao ; zhong.weid...@zte.com.cn; lkml
> ; julia.law...@lip6.fr; linuxppc-dev
> ; wen.yan...@zte.com.cn; moderated
> list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE
>
> Subject: Re: [PATCH] soc/fsl/qe: fix err handling of ucc_of_parse_tdm
>
> On Thu, Nov 22, 2018 at 2:42 PM Yi Wang wrote:
> >
> > From: Wen Yang
> >
> > Currently there are 2 problems with the ucc_of_parse_tdm function:
> > 1,a possible null pointer dereference in ucc_of_parse_tdm, detected by
> > the semantic patch deref_null.cocci, with the following warning:
> > drivers/soc/fsl/qe/qe_tdm.c:177:21-24: ERROR: pdev is NULL but
> dereferenced.
> > 2,dev gets modified, so in any case that devm_iounmap() will fail even
> > when the new pdev is valid, because the iomap was done with a different
> pdev.
> > This patch fixes them.
>
> While we are at this, I think this logic need more serious fixing. I see
> there is
> no driver bind with the "fsl,t1040-qe-si" or "fsl,t1040-qe-siram" device. So
> allocating resources using devm_*() with these devices won't provide a
> cleanup path for these resources when the caller fails. I think we should
> probably allocate resource under device of caller (e.g. ucc-hdlc), so that
> when
> caller probe fails or is removed it will trigger the cleanup.
>
> >
> > Suggested-by: Christophe LEROY
> > Signed-off-by: Wen Yang
> > CC: Julia Lawall
> > CC: Zhao Qiang
> > ---
> > drivers/soc/fsl/qe/qe_tdm.c | 20 ++--
> > 1 file changed, 10 insertions(+), 10 deletions(-)
> >
> > diff --git a/drivers/soc/fsl/qe/qe_tdm.c b/drivers/soc/fsl/qe/qe_tdm.c
> > index f78c346..9a29f0b 100644
> > --- a/drivers/soc/fsl/qe/qe_tdm.c
> > +++ b/drivers/soc/fsl/qe/qe_tdm.c
> > @@ -47,7 +47,7 @@ int ucc_of_parse_tdm(struct device_node *np, struct
> ucc_tdm *utdm,
> > struct resource *res;
> > struct device_node *np2;
> > static int siram_init_flag;
> > - struct platform_device *pdev;
> > + struct platform_device *pdev_si, *pdev_siram;
> >
> > sprop = of_get_property(np, "fsl,rx-sync-clock", NULL);
> > if (sprop) {
> > @@ -129,16 +129,16 @@ int ucc_of_parse_tdm(struct device_node *np,
> struct ucc_tdm *utdm,
> > if (!np2)
> > return -EINVAL;
> >
> > - pdev = of_find_device_by_node(np2);
> > - if (!pdev) {
> > + pdev_si = of_find_device_by_node(np2);
> > + if (!pdev_si) {
> > pr_err("%pOFn: failed to lookup pdev\n", np2);
> > of_node_put(np2);
> > return -EINVAL;
> > }
> >
> > of_node_put(np2);
> > - res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
> > - utdm->si_regs = devm_ioremap_resource(>dev, res);
> > + res = platform_get_resource(pdev_si, IORESOURCE_MEM, 0);
> > + utdm->si_regs = devm_ioremap_resource(_si->dev, res);
> > if (IS_ERR(utdm->si_regs)) {
> > ret = PTR_ERR(utdm->si_regs);
> > goto err_miss_siram_property; @@ -150,8 +150,8 @@
> int
> > ucc_of_parse_tdm(struct device_node *np, struct ucc_tdm *utdm,
> > goto err_miss_siram_property;
> > }
> >
> > - pdev = of_find_device_by_node(np2);
> > - if (!pdev) {
> > + pdev_siram = of_find_device_by_node(np2);
> > + if (!pdev_siram) {
> > ret = -EINVAL;
> > pr_err("%pOFn: failed to lookup pdev\n", np2);
> > of_node_put(np2);
> > @@ -159,8 +159,8 @@ int ucc_of_parse_tdm(struct device_node *np, struct
> ucc_tdm *utdm,
> > }
> >
> > of_node_put(np2);
> > - res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
> > - utdm->siram = devm_ioremap_resource(>dev, res);
> > + res = platform_get_resource(pdev_siram, IORESOURCE_MEM, 0);
> > + utdm->siram = devm_ioremap_resource(_siram->dev, res);
> > if (IS_ERR(utdm->siram)) {
> > ret = PTR_ERR(utdm->siram);
> > goto err_miss_siram_property; @@ -174,7 +174,7 @@
> int
> > ucc_of_parse_tdm(struct device_node *np, struct ucc_tdm *utdm,
> > return ret;
> >
> > err_miss_siram_property:
> > - devm_iounmap(>dev, utdm->si_regs);
> > + devm_iounmap(_si->dev, utdm->si_regs);
> > return ret;
> > }
> > EXPORT_SYMBOL(ucc_of_parse_tdm);
> > --
> > 2.9.5
> >
答复: Re: [PATCH 2/4] soc/fsl/qe: fix potential NULL pointer dereference inucc_of_parse_tdm
Hi Christophe, thank you for your review.
There are two problems in the ucc_of_parse_tdm function.
1, NULL pointer reference
2, pdev gets modified, iomap was done with a different pdev.
We will submit a patch to repair it later.
Thanks.
132 pdev = of_find_device_by_node(np2);
..
141 utdm->si_regs = devm_ioremap_resource(>dev, res); ---> use
pdev to call devm_ioremap
..
153 pdev = of_find_device_by_node(np2); --->This line, pdev gets
modified
154 if (!pdev) {
155 ret = -EINVAL;
156 pr_err("%pOFn: failed to lookup pdev\n", np2);
157 of_node_put(np2);
158 goto err_miss_siram_property;
--> This line, if pdev is NULL, will jump to label err_miss_siram_property
159 }
..
163 utdm->siram = devm_ioremap_resource(>dev, res); --> use
changed pdev to call devm_ioremap
..
175
176 err_miss_siram_property:
177 devm_iounmap(>dev, utdm->si_regs);--> Within the code
block, if pdev is NULL, kernel panic will be triggered; devm_iounmap() will
alse fail even when the new pdev is valid.
178 return ret;
179 }
--原始邮件--
发件人:ChristopheLEROY
收件人:文洋10156314;qiang.z...@nxp.com
抄送人:汪翼10129963;钟卫东10001088;linux-ker...@vger.kernel.org
leoyang...@nxp.com Julia
Lawall linuxppc-dev@lists.ozlabs.org
linux-arm-ker...@lists.infradead.org
日 期 :2018年11月21日 18:46
主 题 :Re: [PATCH 2/4] soc/fsl/qe: fix potential NULL pointer dereference
inucc_of_parse_tdm
Le 21/11/2018 à 08:41, Wen Yang a écrit :
> This patch fixes a possible null pointer dereference in
> ucc_of_parse_tdm, detected by the semantic patch
> deref_null.cocci, with the following warning:
>
> ./drivers/soc/fsl/qe/qe_tdm.c:177:21-24: ERROR: pdev is NULL but dereferenced.
>
> The following code has potential null pointer references:
> pdev = of_find_device_by_node(np2);
> if (!pdev) {
> ret = -EINVAL;
> pr_err("%pOFn: failed to lookup pdev\n", np2);
> of_node_put(np2);
> goto err_miss_siram_property;
> }
> ...
> err_miss_siram_property:
> devm_iounmap(>dev, utdm->si_regs);
>
> Signed-off-by: Wen Yang
> Reviewed-by: Tan Hu
> CC: Julia Lawall
> ---
> drivers/soc/fsl/qe/qe_tdm.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/soc/fsl/qe/qe_tdm.c b/drivers/soc/fsl/qe/qe_tdm.c
> index f78c346..166378b 100644
> --- a/drivers/soc/fsl/qe/qe_tdm.c
> +++ b/drivers/soc/fsl/qe/qe_tdm.c
> @@ -174,7 +174,8 @@ int ucc_of_parse_tdm(struct device_node *np, struct
> ucc_tdm *utdm,
> return ret;
>
> err_miss_siram_property:
> -devm_iounmap(>dev, utdm->si_regs);
> +if (pdev)
> +devm_iounmap(>dev, utdm->si_regs);
You are just hiding the issue, not fixing it.
The problem is that pdev gets modified, so in any case that
devm_iounmap() will fail even when the new pdev is valid, because the
iomap was done with a different pdev.
Christophe
> return ret;
> }
> EXPORT_SYMBOL(ucc_of_parse_tdm);
>
