The global pointer 'sprd_port' may not zero when sprd_probe returns
failure, that is a risk for sprd_port to be accessed afterward, and
may lead to unexpected errors.
For example:
There are two UART ports, UART1 is used for console and configured in
kernel command line, i.e. "console=";
The UART1 probe failed and the memory allocated to sprd_port[1] was
released, but sprd_port[1] was not set to NULL;
In UART2 probe, the same virtual address was allocated to sprd_port[2],
and UART2 probe process finally will go into sprd_console_setup() to
register UART1 as console since it is configured as preferred console
(filled to console_cmdline[]), but the console parameters (sprd_port[1])
belong to UART2.
So move the sprd_port[] assignment to where the port already initialized
can avoid the above issue.
Fixes: b7396a38fb28 ("tty/serial: Add Spreadtrum sc9836-uart driver support")
Signed-off-by: Chunyan Zhang <[email protected]>
---
V3:
- Call uart_unregister_driver() only when the 'sprd_ports_num' decreases to 0;
- Add calling sprd_rx_free_buf() instread of sprd_remove() under clean_up lable.
V2:
- Leave sprd_remove() to keep the unrelated code logic the same.
---
drivers/tty/serial/sprd_serial.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c
index b58f51296ace..fc1377029021 100644
--- a/drivers/tty/serial/sprd_serial.c
+++ b/drivers/tty/serial/sprd_serial.c
@@ -1106,7 +1106,7 @@ static bool sprd_uart_is_console(struct uart_port *uport)
static int sprd_clk_init(struct uart_port *uport)
{
struct clk *clk_uart, *clk_parent;
- struct sprd_uart_port *u = sprd_port[uport->line];
+ struct sprd_uart_port *u = container_of(uport, struct sprd_uart_port, port);
clk_uart = devm_clk_get(uport->dev, "uart");
if (IS_ERR(clk_uart)) {
@@ -1149,22 +1149,22 @@ static int sprd_probe(struct platform_device *pdev)
{
struct resource *res;
struct uart_port *up;
+ struct sprd_uart_port *sport;
int irq;
int index;
int ret;
index = of_alias_get_id(pdev->dev.of_node, "serial");
- if (index < 0 || index >= ARRAY_SIZE(sprd_port)) {
+ if (index < 0 || index >= UART_NR_MAX) {
dev_err(&pdev->dev, "got a wrong serial alias id %d\n", index);
return -EINVAL;
}
- sprd_port[index] = devm_kzalloc(&pdev->dev, sizeof(*sprd_port[index]),
- GFP_KERNEL);
- if (!sprd_port[index])
+ sport = devm_kzalloc(&pdev->dev, sizeof(*sport), GFP_KERNEL);
+ if (!sport)
return -ENOMEM;
- up = &sprd_port[index]->port;
+ up = &sport->port;
up->dev = &pdev->dev;
up->line = index;
up->type = PORT_SPRD;
@@ -1195,7 +1195,7 @@ static int sprd_probe(struct platform_device *pdev)
* Allocate one dma buffer to prepare for receive transfer, in case
* memory allocation failure at runtime.
*/
- ret = sprd_rx_alloc_buf(sprd_port[index]);
+ ret = sprd_rx_alloc_buf(sport);
if (ret)
return ret;
@@ -1206,14 +1206,23 @@ static int sprd_probe(struct platform_device *pdev)
return ret;
}
}
+
sprd_ports_num++;
+ sprd_port[index] = sport;
ret = uart_add_one_port(&sprd_uart_driver, up);
if (ret)
- sprd_remove(pdev);
+ goto clean_port;
platform_set_drvdata(pdev, up);
+ return 0;
+
+clean_port:
+ sprd_port[index] = NULL;
+ if (--sprd_ports_num == 0)
+ uart_unregister_driver(&sprd_uart_driver);
+ sprd_rx_free_buf(sport);
return ret;
}
--
2.41.0
On 7/25/2023 2:40 PM, Chunyan Zhang wrote:
> The global pointer 'sprd_port' may not zero when sprd_probe returns
> failure, that is a risk for sprd_port to be accessed afterward, and
> may lead to unexpected errors.
>
> For example:
>
> There are two UART ports, UART1 is used for console and configured in
> kernel command line, i.e. "console=";
>
> The UART1 probe failed and the memory allocated to sprd_port[1] was
> released, but sprd_port[1] was not set to NULL;
>
> In UART2 probe, the same virtual address was allocated to sprd_port[2],
> and UART2 probe process finally will go into sprd_console_setup() to
> register UART1 as console since it is configured as preferred console
> (filled to console_cmdline[]), but the console parameters (sprd_port[1])
> belong to UART2.
>
> So move the sprd_port[] assignment to where the port already initialized
> can avoid the above issue.
>
> Fixes: b7396a38fb28 ("tty/serial: Add Spreadtrum sc9836-uart driver support")
> Signed-off-by: Chunyan Zhang <[email protected]>
LGTM.
Reviewed-by: Baolin Wang <[email protected]>
> ---
> V3:
> - Call uart_unregister_driver() only when the 'sprd_ports_num' decreases to 0;
> - Add calling sprd_rx_free_buf() instread of sprd_remove() under clean_up lable.
>
> V2:
> - Leave sprd_remove() to keep the unrelated code logic the same.
> ---
> drivers/tty/serial/sprd_serial.c | 25 +++++++++++++++++--------
> 1 file changed, 17 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c
> index b58f51296ace..fc1377029021 100644
> --- a/drivers/tty/serial/sprd_serial.c
> +++ b/drivers/tty/serial/sprd_serial.c
> @@ -1106,7 +1106,7 @@ static bool sprd_uart_is_console(struct uart_port *uport)
> static int sprd_clk_init(struct uart_port *uport)
> {
> struct clk *clk_uart, *clk_parent;
> - struct sprd_uart_port *u = sprd_port[uport->line];
> + struct sprd_uart_port *u = container_of(uport, struct sprd_uart_port, port);
>
> clk_uart = devm_clk_get(uport->dev, "uart");
> if (IS_ERR(clk_uart)) {
> @@ -1149,22 +1149,22 @@ static int sprd_probe(struct platform_device *pdev)
> {
> struct resource *res;
> struct uart_port *up;
> + struct sprd_uart_port *sport;
> int irq;
> int index;
> int ret;
>
> index = of_alias_get_id(pdev->dev.of_node, "serial");
> - if (index < 0 || index >= ARRAY_SIZE(sprd_port)) {
> + if (index < 0 || index >= UART_NR_MAX) {
> dev_err(&pdev->dev, "got a wrong serial alias id %d\n", index);
> return -EINVAL;
> }
>
> - sprd_port[index] = devm_kzalloc(&pdev->dev, sizeof(*sprd_port[index]),
> - GFP_KERNEL);
> - if (!sprd_port[index])
> + sport = devm_kzalloc(&pdev->dev, sizeof(*sport), GFP_KERNEL);
> + if (!sport)
> return -ENOMEM;
>
> - up = &sprd_port[index]->port;
> + up = &sport->port;
> up->dev = &pdev->dev;
> up->line = index;
> up->type = PORT_SPRD;
> @@ -1195,7 +1195,7 @@ static int sprd_probe(struct platform_device *pdev)
> * Allocate one dma buffer to prepare for receive transfer, in case
> * memory allocation failure at runtime.
> */
> - ret = sprd_rx_alloc_buf(sprd_port[index]);
> + ret = sprd_rx_alloc_buf(sport);
> if (ret)
> return ret;
>
> @@ -1206,14 +1206,23 @@ static int sprd_probe(struct platform_device *pdev)
> return ret;
> }
> }
> +
> sprd_ports_num++;
> + sprd_port[index] = sport;
>
> ret = uart_add_one_port(&sprd_uart_driver, up);
> if (ret)
> - sprd_remove(pdev);
> + goto clean_port;
>
> platform_set_drvdata(pdev, up);
>
> + return 0;
> +
> +clean_port:
> + sprd_port[index] = NULL;
> + if (--sprd_ports_num == 0)
> + uart_unregister_driver(&sprd_uart_driver);
> + sprd_rx_free_buf(sport);
> return ret;
> }
>