2019-07-08 08:46:40

by Wen Yang

Subject: [PATCH] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init()

The cpu variable is still being used in the of_get_property() call
after the of_node_put() call, which may result in use-after-free.

Fixes: a9acc26b75f ("cpufreq/pasemi: fix possible object reference leak")
Signed-off-by: Wen Yang <[email protected]>
Cc: "Rafael J. Wysocki" <[email protected]>
Cc: Viresh Kumar <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
---
drivers/cpufreq/pasemi-cpufreq.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
index 6b1e4ab..d2dd47b 100644
--- a/drivers/cpufreq/pasemi-cpufreq.c
+++ b/drivers/cpufreq/pasemi-cpufreq.c
@@ -132,7 +132,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)

cpu = of_get_cpu_node(policy->cpu, NULL);

- of_node_put(cpu);
if (!cpu)
goto out;

@@ -141,15 +140,15 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
dn = of_find_compatible_node(NULL, NULL,
"pasemi,pwrficient-sdc");
if (!dn)
- goto out;
+ goto out_put_cpu_node;
err = of_address_to_resource(dn, 0, &res);
of_node_put(dn);
if (err)
- goto out;
+ goto out_put_cpu_node;
sdcasr_mapbase = ioremap(res.start + SDCASR_OFFSET, 0x2000);
if (!sdcasr_mapbase) {
err = -EINVAL;
- goto out;
+ goto out_put_cpu_node;
}

dn = of_find_compatible_node(NULL, NULL, "1682m-gizmo");
@@ -177,6 +176,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
err = -EINVAL;
goto out_unmap_sdcpwr;
}
+ of_node_put(cpu);

/* we need the freq in kHz */
max_freq = *max_freqp / 1000;
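Review bot: The added `of_node_put(cpu);` sits one statement too early, because `max_freq = *max_freqp / 1000;` a few lines below it still reads through `max_freqp`. Going by the commit message, that pointer comes from the of_get_property() call on `cpu`, so it presumably points into property data owned by the node, and the read then happens after the reference is dropped. Moving the put below the division, i.e. `max_freq = *max_freqp / 1000;` followed by `of_node_put(cpu);`, keeps the node pinned for the last access. The cleanup labels fall through into `out_put_cpu_node`, so any `goto out_unmap_*` taken after this put would drop the reference twice. The rest of the function is outside the hunk, so that is worth checking.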
@@ -203,6 +203,8 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)

out_unmap_sdcasr:
iounmap(sdcasr_mapbase);
+out_put_cpu_node:
+ of_node_put(cpu);
out:
return err;
}
--
2.9.5


2019-07-08 09:10:22

by Wen Yang

Subject: [PATCH] phy: ti: am654-serdes: fix an use-after-free in serdes_am654_clk_register()

The regmap_node variable is still being used in the syscon_node_to_regmap()
call after the of_node_put() call, which may result in use-after-free.

Fixes: 71e2f5c5c224 ("phy: ti: Add a new SERDES driver for TI's AM654x SoC")
Signed-off-by: Wen Yang <[email protected]>
Cc: Kishon Vijay Abraham I <[email protected]>
Cc: Roger Quadros <[email protected]>
Cc: [email protected]
---
drivers/phy/ti/phy-am654-serdes.c | 33 ++++++++++++++++++++++-----------
1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/drivers/phy/ti/phy-am654-serdes.c b/drivers/phy/ti/phy-am654-serdes.c
index f8edd08..f14f1f0 100644
--- a/drivers/phy/ti/phy-am654-serdes.c
+++ b/drivers/phy/ti/phy-am654-serdes.c
@@ -405,6 +405,7 @@ static int serdes_am654_clk_register(struct serdes_am654 *am654_phy,
const __be32 *addr;
unsigned int reg;
struct clk *clk;
+ int ret = 0;

mux = devm_kzalloc(dev, sizeof(*mux), GFP_KERNEL);
if (!mux)
@@ -413,34 +414,40 @@ static int serdes_am654_clk_register(struct serdes_am654 *am654_phy,
init = &mux->clk_data;

regmap_node = of_parse_phandle(node, "ti,serdes-clk", 0);
- of_node_put(regmap_node);
if (!regmap_node) {
dev_err(dev, "Fail to get serdes-clk node\n");
- return -ENODEV;
+ ret = -ENODEV;
+ goto out_put_node;
}

regmap = syscon_node_to_regmap(regmap_node->parent);
if (IS_ERR(regmap)) {
dev_err(dev, "Fail to get Syscon regmap\n");
- return PTR_ERR(regmap);
+ ret = PTR_ERR(regmap);
+ goto out_put_node;
}

num_parents = of_clk_get_parent_count(node);
if (num_parents < 2) {
dev_err(dev, "SERDES clock must have parents\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto out_put_node;
}

parent_names = devm_kzalloc(dev, (sizeof(char *) * num_parents),
GFP_KERNEL);
- if (!parent_names)
- return -ENOMEM;
+ if (!parent_names) {
+ ret = -ENOMEM;
+ goto out_put_node;
+ }

of_clk_parent_fill(node, parent_names, num_parents);

addr = of_get_address(regmap_node, 0, NULL, NULL);
- if (!addr)
- return -EINVAL;
+ if (!addr) {
+ ret = -EINVAL;
+ goto out_put_node;
+ }

reg = be32_to_cpu(*addr);

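Review bot: The `parent_names` allocation kept as context in this hunk still sizes the buffer with an open-coded multiplication, `sizeof(char *) * num_parents`, where `num_parents` comes from of_clk_get_parent_count() and so ultimately from the device tree. `parent_names = devm_kcalloc(dev, num_parents, sizeof(char *), GFP_KERNEL);` performs the same zeroed allocation with an overflow check on the product. Separately, the `!regmap_node` branch now jumps to a label that calls `of_node_put(regmap_node)` with a NULL pointer. of_node_put() accepts NULL, so this is harmless, but a one-line comment at the label saying so would save the next reader the lookup. The function starts and ends outside this hunk.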
@@ -456,12 +463,16 @@ static int serdes_am654_clk_register(struct serdes_am654 *am654_phy,
mux->hw.init = init;

clk = devm_clk_register(dev, &mux->hw);
- if (IS_ERR(clk))
- return PTR_ERR(clk);
+ if (IS_ERR(clk)) {
+ ret = PTR_ERR(clk);
+ goto out_put_node;
+ }

am654_phy->clks[clock_num] = clk;

- return 0;
+out_put_node:
+ of_node_put(regmap_node);
+ return ret;
}

static const struct of_device_id serdes_am654_id_table[] = {
--
2.9.5

2019-08-06 14:09:24

by Roger Quadros

Subject: Re: [PATCH] phy: ti: am654-serdes: fix an use-after-free in serdes_am654_clk_register()



On 08/07/2019 09:19, Wen Yang wrote:
> The regmap_node variable is still being used in the syscon_node_to_regmap()
> call after the of_node_put() call, which may result in use-after-free.
>
> Fixes: 71e2f5c5c224 ("phy: ti: Add a new SERDES driver for TI's AM654x SoC")
> Signed-off-by: Wen Yang <[email protected]>
> Cc: Kishon Vijay Abraham I <[email protected]>
> Cc: Roger Quadros <[email protected]>
> Cc: [email protected]

Reviewed-by: Roger Quadros <[email protected]>

> ---
> drivers/phy/ti/phy-am654-serdes.c | 33 ++++++++++++++++++++++-----------
> 1 file changed, 22 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/phy/ti/phy-am654-serdes.c b/drivers/phy/ti/phy-am654-serdes.c
> index f8edd08..f14f1f0 100644
> --- a/drivers/phy/ti/phy-am654-serdes.c
> +++ b/drivers/phy/ti/phy-am654-serdes.c
> @@ -405,6 +405,7 @@ static int serdes_am654_clk_register(struct serdes_am654 *am654_phy,
> const __be32 *addr;
> unsigned int reg;
> struct clk *clk;
> + int ret = 0;
>
> mux = devm_kzalloc(dev, sizeof(*mux), GFP_KERNEL);
> if (!mux)
> @@ -413,34 +414,40 @@ static int serdes_am654_clk_register(struct serdes_am654 *am654_phy,
> init = &mux->clk_data;
>
> regmap_node = of_parse_phandle(node, "ti,serdes-clk", 0);
> - of_node_put(regmap_node);
> if (!regmap_node) {
> dev_err(dev, "Fail to get serdes-clk node\n");
> - return -ENODEV;
> + ret = -ENODEV;
> + goto out_put_node;
> }
>
> regmap = syscon_node_to_regmap(regmap_node->parent);
> if (IS_ERR(regmap)) {
> dev_err(dev, "Fail to get Syscon regmap\n");
> - return PTR_ERR(regmap);
> + ret = PTR_ERR(regmap);
> + goto out_put_node;
> }
>
> num_parents = of_clk_get_parent_count(node);
> if (num_parents < 2) {
> dev_err(dev, "SERDES clock must have parents\n");
> - return -EINVAL;
> + ret = -EINVAL;
> + goto out_put_node;
> }
>
> parent_names = devm_kzalloc(dev, (sizeof(char *) * num_parents),
> GFP_KERNEL);
> - if (!parent_names)
> - return -ENOMEM;
> + if (!parent_names) {
> + ret = -ENOMEM;
> + goto out_put_node;
> + }
>
> of_clk_parent_fill(node, parent_names, num_parents);
>
> addr = of_get_address(regmap_node, 0, NULL, NULL);
> - if (!addr)
> - return -EINVAL;
> + if (!addr) {
> + ret = -EINVAL;
> + goto out_put_node;
> + }
>
> reg = be32_to_cpu(*addr);
>
> @@ -456,12 +463,16 @@ static int serdes_am654_clk_register(struct serdes_am654 *am654_phy,
> mux->hw.init = init;
>
> clk = devm_clk_register(dev, &mux->hw);
> - if (IS_ERR(clk))
> - return PTR_ERR(clk);
> + if (IS_ERR(clk)) {
> + ret = PTR_ERR(clk);
> + goto out_put_node;
> + }
>
> am654_phy->clks[clock_num] = clk;
>
> - return 0;
> +out_put_node:
> + of_node_put(regmap_node);
> + return ret;
> }
>
> static const struct of_device_id serdes_am654_id_table[] = {
>

--
Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki