2018-08-06 16:49:31

by Anton Vasilyev

[permalink] [raw]
Subject: [PATCH] serial: mxs-auart: Fix potential infinite loop

On the error path of mxs_auart_request_gpio_irq() is performed
backward iterating with index i of enum type. Underline enum type
may be unsigned char. In this case check (--i >= 0) will be always
true and error handling goes into infinite loop.

The patch changes type of index variable to int.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev <[email protected]>
---
drivers/tty/serial/mxs-auart.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
index 76aa289652f7..89b34bb09cde 100644
--- a/drivers/tty/serial/mxs-auart.c
+++ b/drivers/tty/serial/mxs-auart.c
@@ -1617,7 +1617,7 @@ static void mxs_auart_free_gpio_irq(struct mxs_auart_port *s)
static int mxs_auart_request_gpio_irq(struct mxs_auart_port *s)
{
int *irq = s->gpio_irq;
- enum mctrl_gpio_idx i;
+ int i;
int err = 0;

for (i = 0; (i < UART_GPIO_MAX) && !err; i++) {
@@ -1634,8 +1634,9 @@ static int mxs_auart_request_gpio_irq(struct mxs_auart_port *s)

/*
* If something went wrong, rollback.
+ * Be careful: i may be unsigned.
*/
- while (err && (--i >= 0))
+ while (err && (i-- > 0))
if (irq[i] >= 0)
free_irq(irq[i], s);

--
2.18.0



2018-08-07 11:03:08

by Anton Vasilyev

[permalink] [raw]
Subject: [PATCH v2] serial: mxs-auart: Fix potential infinite loop

On the error path of mxs_auart_request_gpio_irq() is performed
backward iterating with index i of enum type. Underline enum type
may be unsigned char. In this case check (--i >= 0) will be always
true and error handling goes into infinite loop.

The patch changes the check so that it is valid for signed and unsigned
types.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev <[email protected]>
---
v2: mistype in patch as result of combination of different fixes.
Change comment and leave enum type.
---
drivers/tty/serial/mxs-auart.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
index 76aa289652f7..27235a526cce 100644
--- a/drivers/tty/serial/mxs-auart.c
+++ b/drivers/tty/serial/mxs-auart.c
@@ -1634,8 +1634,9 @@ static int mxs_auart_request_gpio_irq(struct mxs_auart_port *s)

/*
* If something went wrong, rollback.
+ * Be careful: i may be unsigned.
*/
- while (err && (--i >= 0))
+ while (err && (i-- > 0))
if (irq[i] >= 0)
free_irq(irq[i], s);

--
2.18.0


2018-08-22 06:44:16

by Uwe Kleine-König

[permalink] [raw]
Subject: Re: [PATCH v2] serial: mxs-auart: Fix potential infinite loop

On Tue, Aug 07, 2018 at 01:59:05PM +0300, Anton Vasilyev wrote:
> On the error path of mxs_auart_request_gpio_irq() is performed
> backward iterating with index i of enum type. Underline enum type
> may be unsigned char. In this case check (--i >= 0) will be always
> true and error handling goes into infinite loop.
>
> The patch changes the check so that it is valid for signed and unsigned
> types.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Anton Vasilyev <[email protected]>
> ---
> v2: mistype in patch as result of combination of different fixes.
> Change comment and leave enum type.
> ---
> drivers/tty/serial/mxs-auart.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
> index 76aa289652f7..27235a526cce 100644
> --- a/drivers/tty/serial/mxs-auart.c
> +++ b/drivers/tty/serial/mxs-auart.c
> @@ -1634,8 +1634,9 @@ static int mxs_auart_request_gpio_irq(struct mxs_auart_port *s)
>
> /*
> * If something went wrong, rollback.
> + * Be careful: i may be unsigned.
> */
> - while (err && (--i >= 0))
> + while (err && (i-- > 0))
> if (irq[i] >= 0)
> free_irq(irq[i], s);

I wouldn't have added the comment, but the code change is correct.

Acked-by: Uwe Kleine-K?nig <[email protected]>

Thanks
Uwe

--
Pengutronix e.K. | Uwe Kleine-K?nig |
Industrial Linux Solutions | http://www.pengutronix.de/ |