2022-01-24 19:37:33

by Zhou Qingyang

Subject: [PATCH] clk: socfpga: Fix a memory leak bug in socfpga_gate_init()

In socfpga_gate_init(), when ops fails, socfpga_clk is not released or
passed out, which could lead to a memory leak.

Fix this bug by adding a kfree of socfpga_clk on the failure path of ops.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: a30a67be7b6e ("clk: socfpga: Don't have get_parent for single parent ops")
Signed-off-by: Zhou Qingyang <[email protected]>
---
The analysis employs differential checking to identify inconsistent
security operations (e.g., checks or kfrees) between two code paths
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

drivers/clk/socfpga/clk-gate.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
index 53d6e3ec4309..0ca5e0000925 100644
--- a/drivers/clk/socfpga/clk-gate.c
+++ b/drivers/clk/socfpga/clk-gate.c
@@ -188,8 +188,10 @@ void __init socfpga_gate_init(struct device_node *node)
return;

ops = kmemdup(&gateclk_ops, sizeof(gateclk_ops), GFP_KERNEL);
- if (WARN_ON(!ops))
+ if (WARN_ON(!ops)) {
+ kfree(socfpga_clk);
return;
+ }

rc = of_property_read_u32_array(node, "clk-gate", clk_gate, 2);
if (rc)
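Review bot: the hunk frees socfpga_clk only on the ops allocation failure and leaves the `if (rc)` path directly below it as it was, so if that path returns early, both ops and socfpga_clk are dropped there; Stephen Boyd's reply in this thread states that ops is never freed on failure anywhere in the function. Rather than adding a kfree to one early return, unwind in reverse allocation order through labels at the end of the function, for example `err_ops: kfree(ops);` followed by `err_clk: kfree(socfpga_clk);`, and have every failure after the kmemdup jump to err_ops and every failure after the kzalloc jump to err_clk. That also covers any later early returns in the function without having to repeat the kfree calls at each one.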
--
2.25.1


2022-01-24 21:34:20

by Stephen Boyd

Subject: Re: [PATCH] clk: socfpga: Fix a memory leak bug in socfpga_gate_init()

Quoting Zhou Qingyang (2022-01-24 08:53:16)
> diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
> index 53d6e3ec4309..0ca5e0000925 100644
> --- a/drivers/clk/socfpga/clk-gate.c
> +++ b/drivers/clk/socfpga/clk-gate.c
> @@ -188,8 +188,10 @@ void __init socfpga_gate_init(struct device_node *node)
> return;
>
> ops = kmemdup(&gateclk_ops, sizeof(gateclk_ops), GFP_KERNEL);
> - if (WARN_ON(!ops))
> + if (WARN_ON(!ops)) {

A WARN_ON() after an allocation failure will lead to double stacktraces.
Can you remove the WARN_ON()?

Furthermore, it looks like 'ops' is never freed on failure in this
function. Did the SA tool figure that out? There are more problems with
this function and error paths. Seems like nobody cares.

> + kfree(socfpga_clk);
> return;
> + }
>
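Review bot: `if (WARN_ON(!ops)) {` keeps the WARN_ON around an allocation failure; the page allocator already prints a warning with a stack trace when an allocation fails (unless __GFP_NOWARN is passed), so the WARN_ON produces a second trace for the same event, which is the double-stacktrace point raised above. A plain `if (!ops)` with the cleanup is enough here, and removing the WARN_ON while touching this line keeps the fix to one small change.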

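The two failure paths discussed in the patch and in the reply above (the ops allocation the patch handles, and the property-read path on which ops is never freed) can be exercised outside the kernel with a fault-injecting allocator. The following is an added example, not the driver's code and not code from any participant in the thread: model_alloc()/model_free(), the model_* structs and gate_init_leaky()/gate_init_fixed() are hypothetical userspace stand-ins for kzalloc/kmemdup/kfree and of_property_read_u32_array(); registration on the success path is modelled as releasing both objects so that only error paths can leave blocks live.

```c
/*
 * Userspace model of the error paths in socfpga_gate_init().
 * Added example, not kernel or driver code: the model_* names are
 * stand-ins for kzalloc/kmemdup/kfree and of_property_read_u32_array().
 */
#include <errno.h>
#include <stdlib.h>

static int alloc_counter; /* allocations attempted in the current run */
static int fail_at;       /* make the N-th allocation fail; 0 = never fail */
static int live_allocs;   /* blocks allocated and not yet freed */

/* kzalloc/kmemdup stand-in with fault injection and a leak counter. */
static void *model_alloc(size_t n)
{
	void *p;

	if (++alloc_counter == fail_at)
		return NULL;
	p = calloc(1, n);
	if (p)
		live_allocs++;
	return p;
}

/* kfree stand-in; NULL is a no-op, as with kfree(). */
static void model_free(void *p)
{
	if (p) {
		live_allocs--;
		free(p);
	}
}

struct model_gate_clk { int id; };
struct model_clk_ops { int id; };

/*
 * Shape of the function before the patch: each early return after the
 * first allocation drops what was already allocated. On success the real
 * function hands both objects to the clk framework; the model releases
 * them so that only error paths can leave live_allocs nonzero.
 */
static int gate_init_leaky(int property_rc)
{
	struct model_gate_clk *clk;
	struct model_clk_ops *ops;

	clk = model_alloc(sizeof(*clk));
	if (!clk)
		return -ENOMEM;
	ops = model_alloc(sizeof(*ops));
	if (!ops)
		return -ENOMEM;		/* leaks clk: the path the patch touches */
	if (property_rc)
		return property_rc;	/* leaks clk and ops: the untouched path */

	model_free(ops);
	model_free(clk);
	return 0;
}

/* Same sequence with one unwind in reverse allocation order. */
static int gate_init_fixed(int property_rc)
{
	struct model_gate_clk *clk;
	struct model_clk_ops *ops;
	int ret;

	clk = model_alloc(sizeof(*clk));
	if (!clk)
		return -ENOMEM;
	ops = model_alloc(sizeof(*ops));
	if (!ops) {
		ret = -ENOMEM;
		goto err_clk;
	}
	if (property_rc) {
		ret = property_rc;
		goto err_ops;
	}

	model_free(ops);
	model_free(clk);
	return 0;

err_ops:
	model_free(ops);
err_clk:
	model_free(clk);
	return ret;
}

/* One run with the given failure point; returns blocks left allocated. */
static int run_once(int (*init)(int), int fail, int rc)
{
	alloc_counter = 0;
	fail_at = fail;
	live_allocs = 0;
	init(rc);
	return live_allocs;
}

/* Allocation 1 fails, allocation 2 fails, then the property read fails. */
static int leaked_blocks(int (*init)(int))
{
	return run_once(init, 1, 0) + run_once(init, 2, 0) +
	       run_once(init, 0, -EINVAL);
}
```

leaked_blocks() drives each variant through three runs: the first allocation fails, the second allocation fails, and both succeed but the property read fails. The leaky shape leaves three blocks behind in total (one on the ops path, two on the property-read path); the unwind-label shape leaves none. Walking every early return this way, not only the one a patch touches, is the check a reviewer wants before accepting a one-line kfree.
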
2022-01-26 08:08:47

by Dinh Nguyen

Subject: Re: [PATCH] clk: socfpga: Fix a memory leak bug in socfpga_gate_init()



On 1/24/22 13:53, Stephen Boyd wrote:
> Quoting Zhou Qingyang (2022-01-24 08:53:16)
>> diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
>> index 53d6e3ec4309..0ca5e0000925 100644
>> --- a/drivers/clk/socfpga/clk-gate.c
>> +++ b/drivers/clk/socfpga/clk-gate.c
>> @@ -188,8 +188,10 @@ void __init socfpga_gate_init(struct device_node *node)
>> return;
>>
>> ops = kmemdup(&gateclk_ops, sizeof(gateclk_ops), GFP_KERNEL);
>> - if (WARN_ON(!ops))
>> + if (WARN_ON(!ops)) {
>
> A WARN_ON() after an allocation failure will lead to double stacktraces.
> Can you remove the WARN_ON()?
>
> Furthermore, it looks like 'ops' is never freed on failure in this
> function. Did the SA tool figure that out? There are more problems with
> this function and error paths. Seems like nobody cares.
>

Thanks for pointing this out. I'll take a look and will send a patch
shortly.

Dinh

2022-01-30 23:41:17

by Greg KH

Subject: Re: [PATCH] clk: socfpga: Fix a memory leak bug in socfpga_gate_init()

On Tue, Jan 25, 2022 at 12:53:16AM +0800, Zhou Qingyang wrote:
> In socfpga_gate_init(), when ops fails, socfpga_clk is not released or
> passed out, which could lead to a memory leak.
>
> Fix this bug by adding a kfree of socfpga_clk on the failure path of ops.
>
> This bug was found by a static analyzer.
>
> Builds with 'make allyesconfig' show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: a30a67be7b6e ("clk: socfpga: Don't have get_parent for single parent ops")
> Signed-off-by: Zhou Qingyang <[email protected]>
> ---
> The analysis employs differential checking to identify inconsistent
> security operations (e.g., checks or kfrees) between two code paths
> and confirms that the inconsistent operations are not recovered in the
> current function or the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> drivers/clk/socfpga/clk-gate.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
> index 53d6e3ec4309..0ca5e0000925 100644
> --- a/drivers/clk/socfpga/clk-gate.c
> +++ b/drivers/clk/socfpga/clk-gate.c
> @@ -188,8 +188,10 @@ void __init socfpga_gate_init(struct device_node *node)
> return;
>
> ops = kmemdup(&gateclk_ops, sizeof(gateclk_ops), GFP_KERNEL);
> - if (WARN_ON(!ops))
> + if (WARN_ON(!ops)) {
> + kfree(socfpga_clk);
> return;
> + }
>
> rc = of_property_read_u32_array(node, "clk-gate", clk_gate, 2);
> if (rc)
> --
> 2.25.1
>

As stated before, umn.edu is still not allowed to contribute to the
Linux kernel. Please work with your administration to resolve this
issue.