Re: [PATCH] irqchip: renesas-rza1: fix an use-after-free in rza1_irqc_probe()
On Mon, 08 Jul 2019 07:19:04 +0100,
Wen Yang wrote:
>
> The gic_node is still being used in the rza1_irqc_parse_map() call
> after the of_node_put() call, which may result in use-after-free.
>
> Fixes: a644ccb819bc ("irqchip: Add Renesas RZ/A1 Interrupt Controller driver")
> Signed-off-by: Wen Yang
> Cc: Thomas Gleixner
> Cc: Jason Cooper
> Cc: Marc Zyngier
> Cc: Geert Uytterhoeven
> Cc: Chris Brandt
> Cc: Simon Horman
> Cc: linux-kernel@vger.kernel.org
> ---
> drivers/irqchip/irq-renesas-rza1.c | 15 ---
> 1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/irqchip/irq-renesas-rza1.c
> b/drivers/irqchip/irq-renesas-rza1.c
> index b1f19b21..b0d46ac 100644
> --- a/drivers/irqchip/irq-renesas-rza1.c
> +++ b/drivers/irqchip/irq-renesas-rza1.c
> @@ -208,20 +208,19 @@ static int rza1_irqc_probe(struct platform_device *pdev)
> return PTR_ERR(priv->base);
>
> gic_node = of_irq_find_parent(np);
> - if (gic_node) {
> + if (gic_node)
> parent = irq_find_host(gic_node);
> - of_node_put(gic_node);
> - }
>
> if (!parent) {
> dev_err(dev, "cannot find parent domain\n");
> - return -ENODEV;
> + ret = -ENODEV;
> + goto out_put_node;
> }
>
> ret = rza1_irqc_parse_map(priv, gic_node);
> if (ret) {
> dev_err(dev, "cannot parse %s: %d\n", "interrupt-map", ret);
> - return ret;
> + goto out_put_node;
> }
>
> priv->chip.name = "rza1-irqc",
> @@ -237,10 +236,12 @@ static int rza1_irqc_probe(struct platform_device *pdev)
> priv);
> if (!priv->irq_domain) {
> dev_err(dev, "cannot initialize irq domain\n");
> - return -ENOMEM;
> + ret = -ENOMEM;
> }
>
> - return 0;
> +out_put_node:
> + of_node_put(gic_node);
> + return ret;
> }
>
> static int rza1_irqc_remove(struct platform_device *pdev)
> --
> 2.9.5
>
Applied, thanks.
M.
--
Jazz is not dead, it just smells funny.
Re: [PATCH] irqchip: renesas-rza1: fix an use-after-free in rza1_irqc_probe()
Hi Wen,
On Mon, Jul 8, 2019 at 8:22 AM Wen Yang wrote:
> The gic_node is still being used in the rza1_irqc_parse_map() call
> after the of_node_put() call, which may result in use-after-free.
Thanks! This use was added in v3, but I forgot to move the of_node_put() call.
> Fixes: a644ccb819bc ("irqchip: Add Renesas RZ/A1 Interrupt Controller driver")
Reviewed-by: Geert Uytterhoeven
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- ge...@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
[PATCH] irqchip: renesas-rza1: fix an use-after-free in rza1_irqc_probe()
The gic_node is still being used in the rza1_irqc_parse_map() call
after the of_node_put() call, which may result in use-after-free.
Fixes: a644ccb819bc ("irqchip: Add Renesas RZ/A1 Interrupt Controller driver")
Signed-off-by: Wen Yang
Cc: Thomas Gleixner
Cc: Jason Cooper
Cc: Marc Zyngier
Cc: Geert Uytterhoeven
Cc: Chris Brandt
Cc: Simon Horman
Cc: linux-kernel@vger.kernel.org
---
drivers/irqchip/irq-renesas-rza1.c | 15 ---
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/drivers/irqchip/irq-renesas-rza1.c
b/drivers/irqchip/irq-renesas-rza1.c
index b1f19b21..b0d46ac 100644
--- a/drivers/irqchip/irq-renesas-rza1.c
+++ b/drivers/irqchip/irq-renesas-rza1.c
@@ -208,20 +208,19 @@ static int rza1_irqc_probe(struct platform_device *pdev)
return PTR_ERR(priv->base);
gic_node = of_irq_find_parent(np);
- if (gic_node) {
+ if (gic_node)
parent = irq_find_host(gic_node);
- of_node_put(gic_node);
- }
if (!parent) {
dev_err(dev, "cannot find parent domain\n");
- return -ENODEV;
+ ret = -ENODEV;
+ goto out_put_node;
}
ret = rza1_irqc_parse_map(priv, gic_node);
if (ret) {
dev_err(dev, "cannot parse %s: %d\n", "interrupt-map", ret);
- return ret;
+ goto out_put_node;
}
priv->chip.name = "rza1-irqc",
@@ -237,10 +236,12 @@ static int rza1_irqc_probe(struct platform_device *pdev)
priv);
if (!priv->irq_domain) {
dev_err(dev, "cannot initialize irq domain\n");
- return -ENOMEM;
+ ret = -ENOMEM;
}
- return 0;
+out_put_node:
+ of_node_put(gic_node);
+ return ret;
}
static int rza1_irqc_remove(struct platform_device *pdev)
--
2.9.5
