2021-02-27 09:28:15

by Dan Carpenter

[permalink] [raw]
Subject: drivers/cpufreq/qcom-cpufreq-hw.c:377 qcom_cpufreq_hw_cpu_init() error: we previously assumed 'data' could be null (see line 327)

tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 8b83369ddcb3fb9cab5c1088987ce477565bb630
commit: 67fc209b527d023db4d087c68e44e9790aa089ef cpufreq: qcom-hw: drop devm_xxx() calls from init/exit hooks
config: arm64-randconfig-m031-20210226 (attached as .config)
compiler: aarch64-linux-gcc (GCC) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>
Reported-by: Dan Carpenter <[email protected]>

smatch warnings:
drivers/cpufreq/qcom-cpufreq-hw.c:377 qcom_cpufreq_hw_cpu_init() error: we previously assumed 'data' could be null (see line 327)
drivers/cpufreq/qcom-cpufreq-hw.c:377 qcom_cpufreq_hw_cpu_init() error: dereferencing freed memory 'data'

vim +/data +377 drivers/cpufreq/qcom-cpufreq-hw.c

2849dd8bc72b62 Taniya Das 2018-12-14 277 static int qcom_cpufreq_hw_cpu_init(struct cpufreq_policy *policy)
2849dd8bc72b62 Taniya Das 2018-12-14 278 {
bd74e286b35413 Manivannan Sadhasivam 2020-09-08 279 struct platform_device *pdev = cpufreq_get_driver_data();
bd74e286b35413 Manivannan Sadhasivam 2020-09-08 280 struct device *dev = &pdev->dev;
2849dd8bc72b62 Taniya Das 2018-12-14 281 struct of_phandle_args args;
2849dd8bc72b62 Taniya Das 2018-12-14 282 struct device_node *cpu_np;
55538fbc79e926 Taniya Das 2019-01-31 283 struct device *cpu_dev;
67fc209b527d02 Shawn Guo 2021-01-19 284 struct resource *res;
2849dd8bc72b62 Taniya Das 2018-12-14 285 void __iomem *base;
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15 286 struct qcom_cpufreq_data *data;
2849dd8bc72b62 Taniya Das 2018-12-14 287 int ret, index;
2849dd8bc72b62 Taniya Das 2018-12-14 288
55538fbc79e926 Taniya Das 2019-01-31 289 cpu_dev = get_cpu_device(policy->cpu);
55538fbc79e926 Taniya Das 2019-01-31 290 if (!cpu_dev) {
55538fbc79e926 Taniya Das 2019-01-31 291 pr_err("%s: failed to get cpu%d device\n", __func__,
55538fbc79e926 Taniya Das 2019-01-31 292 policy->cpu);
55538fbc79e926 Taniya Das 2019-01-31 293 return -ENODEV;
55538fbc79e926 Taniya Das 2019-01-31 294 }
55538fbc79e926 Taniya Das 2019-01-31 295
2849dd8bc72b62 Taniya Das 2018-12-14 296 cpu_np = of_cpu_device_node_get(policy->cpu);
2849dd8bc72b62 Taniya Das 2018-12-14 297 if (!cpu_np)
2849dd8bc72b62 Taniya Das 2018-12-14 298 return -EINVAL;
2849dd8bc72b62 Taniya Das 2018-12-14 299
2849dd8bc72b62 Taniya Das 2018-12-14 300 ret = of_parse_phandle_with_args(cpu_np, "qcom,freq-domain",
2849dd8bc72b62 Taniya Das 2018-12-14 301 "#freq-domain-cells", 0, &args);
2849dd8bc72b62 Taniya Das 2018-12-14 302 of_node_put(cpu_np);
2849dd8bc72b62 Taniya Das 2018-12-14 303 if (ret)
2849dd8bc72b62 Taniya Das 2018-12-14 304 return ret;
2849dd8bc72b62 Taniya Das 2018-12-14 305
2849dd8bc72b62 Taniya Das 2018-12-14 306 index = args.args[0];
2849dd8bc72b62 Taniya Das 2018-12-14 307
67fc209b527d02 Shawn Guo 2021-01-19 308 res = platform_get_resource(pdev, IORESOURCE_MEM, index);
67fc209b527d02 Shawn Guo 2021-01-19 309 if (!res) {
67fc209b527d02 Shawn Guo 2021-01-19 310 dev_err(dev, "failed to get mem resource %d\n", index);
67fc209b527d02 Shawn Guo 2021-01-19 311 return -ENODEV;
67fc209b527d02 Shawn Guo 2021-01-19 312 }
67fc209b527d02 Shawn Guo 2021-01-19 313
67fc209b527d02 Shawn Guo 2021-01-19 314 if (!request_mem_region(res->start, resource_size(res), res->name)) {
67fc209b527d02 Shawn Guo 2021-01-19 315 dev_err(dev, "failed to request resource %pR\n", res);
67fc209b527d02 Shawn Guo 2021-01-19 316 return -EBUSY;
67fc209b527d02 Shawn Guo 2021-01-19 317 }
2849dd8bc72b62 Taniya Das 2018-12-14 318
67fc209b527d02 Shawn Guo 2021-01-19 319 base = ioremap(res->start, resource_size(res));
67fc209b527d02 Shawn Guo 2021-01-19 320 if (IS_ERR(base)) {
67fc209b527d02 Shawn Guo 2021-01-19 321 dev_err(dev, "failed to map resource %pR\n", res);
67fc209b527d02 Shawn Guo 2021-01-19 322 ret = PTR_ERR(base);
67fc209b527d02 Shawn Guo 2021-01-19 323 goto release_region;
67fc209b527d02 Shawn Guo 2021-01-19 324 }
67fc209b527d02 Shawn Guo 2021-01-19 325
67fc209b527d02 Shawn Guo 2021-01-19 326 data = kzalloc(sizeof(*data), GFP_KERNEL);
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15 @327 if (!data) {
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15 328 ret = -ENOMEM;
67fc209b527d02 Shawn Guo 2021-01-19 329 goto unmap_base;
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15 330 }
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15 331
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15 332 data->soc_data = of_device_get_match_data(&pdev->dev);
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15 333 data->base = base;
67fc209b527d02 Shawn Guo 2021-01-19 334 data->res = res;
2849dd8bc72b62 Taniya Das 2018-12-14 335
2849dd8bc72b62 Taniya Das 2018-12-14 336 /* HW should be in enabled state to proceed */
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15 337 if (!(readl_relaxed(base + data->soc_data->reg_enable) & 0x1)) {
2849dd8bc72b62 Taniya Das 2018-12-14 338 dev_err(dev, "Domain-%d cpufreq hardware not enabled\n", index);
2849dd8bc72b62 Taniya Das 2018-12-14 339 ret = -ENODEV;
2849dd8bc72b62 Taniya Das 2018-12-14 340 goto error;
2849dd8bc72b62 Taniya Das 2018-12-14 341 }
2849dd8bc72b62 Taniya Das 2018-12-14 342
2849dd8bc72b62 Taniya Das 2018-12-14 343 qcom_get_related_cpus(index, policy->cpus);
2849dd8bc72b62 Taniya Das 2018-12-14 344 if (!cpumask_weight(policy->cpus)) {
2849dd8bc72b62 Taniya Das 2018-12-14 345 dev_err(dev, "Domain-%d failed to get related CPUs\n", index);
2849dd8bc72b62 Taniya Das 2018-12-14 346 ret = -ENOENT;
2849dd8bc72b62 Taniya Das 2018-12-14 347 goto error;
2849dd8bc72b62 Taniya Das 2018-12-14 348 }
2849dd8bc72b62 Taniya Das 2018-12-14 349
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15 350 policy->driver_data = data;
2849dd8bc72b62 Taniya Das 2018-12-14 351
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15 352 ret = qcom_cpufreq_hw_read_lut(cpu_dev, policy);
2849dd8bc72b62 Taniya Das 2018-12-14 353 if (ret) {
2849dd8bc72b62 Taniya Das 2018-12-14 354 dev_err(dev, "Domain-%d failed to read LUT\n", index);
2849dd8bc72b62 Taniya Das 2018-12-14 355 goto error;
2849dd8bc72b62 Taniya Das 2018-12-14 356 }
2849dd8bc72b62 Taniya Das 2018-12-14 357
55538fbc79e926 Taniya Das 2019-01-31 358 ret = dev_pm_opp_get_opp_count(cpu_dev);
55538fbc79e926 Taniya Das 2019-01-31 359 if (ret <= 0) {
55538fbc79e926 Taniya Das 2019-01-31 360 dev_err(cpu_dev, "Failed to add OPPs\n");
55538fbc79e926 Taniya Das 2019-01-31 361 ret = -ENODEV;
55538fbc79e926 Taniya Das 2019-01-31 362 goto error;
55538fbc79e926 Taniya Das 2019-01-31 363 }
55538fbc79e926 Taniya Das 2019-01-31 364
0e0ffa855d1590 Lukasz Luba 2020-05-27 365 dev_pm_opp_of_register_em(cpu_dev, policy->cpus);
dab535052f67db Matthias Kaehlcke 2019-02-05 366
266991721c15f9 Shawn Guo 2021-01-13 367 if (policy_has_boost_freq(policy)) {
266991721c15f9 Shawn Guo 2021-01-13 368 ret = cpufreq_enable_boost_support();
266991721c15f9 Shawn Guo 2021-01-13 369 if (ret)
266991721c15f9 Shawn Guo 2021-01-13 370 dev_warn(cpu_dev, "failed to enable boost: %d\n", ret);
266991721c15f9 Shawn Guo 2021-01-13 371 }
266991721c15f9 Shawn Guo 2021-01-13 372
2849dd8bc72b62 Taniya Das 2018-12-14 373 return 0;
2849dd8bc72b62 Taniya Das 2018-12-14 374 error:
67fc209b527d02 Shawn Guo 2021-01-19 375 kfree(data);
67fc209b527d02 Shawn Guo 2021-01-19 376 unmap_base:
67fc209b527d02 Shawn Guo 2021-01-19 @377 iounmap(data->base);

Use after free. iounmap(base);

67fc209b527d02 Shawn Guo 2021-01-19 378 release_region:
67fc209b527d02 Shawn Guo 2021-01-19 379 release_mem_region(res->start, resource_size(res));
2849dd8bc72b62 Taniya Das 2018-12-14 380 return ret;
2849dd8bc72b62 Taniya Das 2018-12-14 381 }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]

Attachments:
(No filename) (9.02 kB)
 .config.gz (32.43 kB)
 Download all attachments

2021-02-28 01:14:49

by Shawn Guo

[permalink] [raw]
Subject: Re: drivers/cpufreq/qcom-cpufreq-hw.c:377 qcom_cpufreq_hw_cpu_init() error: we previously assumed 'data' could be null (see line 327)

On Sat, Feb 27, 2021 at 12:26:20PM +0300, Dan Carpenter wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> head: 8b83369ddcb3fb9cab5c1088987ce477565bb630
> commit: 67fc209b527d023db4d087c68e44e9790aa089ef cpufreq: qcom-hw: drop devm_xxx() calls from init/exit hooks
> config: arm64-randconfig-m031-20210226 (attached as .config)
> compiler: aarch64-linux-gcc (GCC) 9.3.0
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <[email protected]>
> Reported-by: Dan Carpenter <[email protected]>
>
> smatch warnings:
> drivers/cpufreq/qcom-cpufreq-hw.c:377 qcom_cpufreq_hw_cpu_init() error: we previously assumed 'data' could be null (see line 327)
> drivers/cpufreq/qcom-cpufreq-hw.c:377 qcom_cpufreq_hw_cpu_init() error: dereferencing freed memory 'data'

Thanks for the report! I will send a fix for it right away.

Shawn