mlxreg_hotplug_work_helper() implies that item can be NULL. There is a
sanity check that checks item for NULL and then dereferences it.
Even though, the comment before sanity check says that it can only happen
if some piece of hardware is broken, but in this case it will lead to
NULL-pointer dereference before the function is even called,
so let's check it before dereferencing.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c6acad68eb2d ("platform/mellanox: mlxreg-hotplug: Modify to use a regmap interface")
Signed-off-by: Daniil Dulov <[email protected]>
---
drivers/platform/mellanox/mlxreg-hotplug.c | 16 +---------------
1 file changed, 1 insertion(+), 15 deletions(-)
diff --git a/drivers/platform/mellanox/mlxreg-hotplug.c b/drivers/platform/mellanox/mlxreg-hotplug.c
index 5c022b258f91..524121b9f070 100644
--- a/drivers/platform/mellanox/mlxreg-hotplug.c
+++ b/drivers/platform/mellanox/mlxreg-hotplug.c
@@ -348,20 +348,6 @@ mlxreg_hotplug_work_helper(struct mlxreg_hotplug_priv_data *priv,
u32 regval, bit;
int ret;
- /*
- * Validate if item related to received signal type is valid.
- * It should never happen, excepted the situation when some
- * piece of hardware is broken. In such situation just produce
- * error message and return. Caller must continue to handle the
- * signals from other devices if any.
- */
- if (unlikely(!item)) {
- dev_err(priv->dev, "False signal: at offset:mask 0x%02x:0x%02x.\n",
- item->reg, item->mask);
-
- return;
- }
-
/* Mask event. */
ret = regmap_write(priv->regmap, item->reg + MLXREG_HOTPLUG_MASK_OFF,
0);
@@ -556,7 +542,7 @@ static void mlxreg_hotplug_work_handler(struct work_struct *work)
/* Handle topology and health configuration changes. */
for (i = 0; i < pdata->counter; i++, item++) {
- if (aggr_asserted & item->aggr_mask) {
+ if (item && (aggr_asserted & item->aggr_mask)) {
if (item->health)
mlxreg_hotplug_health_work_helper(priv, item);
else
--
2.25.1
> -----Original Message-----
> From: Daniil Dulov <[email protected]>
> Sent: Monday, 26 February 2024 16:55
> To: Hans de Goede <[email protected]>
> Cc: Daniil Dulov <[email protected]>; Mark Gross
> <[email protected]>; Andy Shevchenko <[email protected]>; Darren
> Hart <[email protected]>; Vadim Pasternak <[email protected]>;
> [email protected]; [email protected]; lvc-
> [email protected]
> Subject: [PATCH] platform/mellanox: mlxreg-hotplug: Check pointer for NULL
> before dereferencing it
>
> mlxreg_hotplug_work_helper() implies that item can be NULL. There is a
> sanity check that checks item for NULL and then dereferences it.
>
> Even though, the comment before sanity check says that it can only happen if
> some piece of hardware is broken, but in this case it will lead to NULL-pointer
> dereference before the function is even called, so let's check it before
> dereferencing.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: c6acad68eb2d ("platform/mellanox: mlxreg-hotplug: Modify to use a
> regmap interface")
> Signed-off-by: Daniil Dulov <[email protected]>
> ---
> drivers/platform/mellanox/mlxreg-hotplug.c | 16 +---------------
> 1 file changed, 1 insertion(+), 15 deletions(-)
>
> diff --git a/drivers/platform/mellanox/mlxreg-hotplug.c
> b/drivers/platform/mellanox/mlxreg-hotplug.c
> index 5c022b258f91..524121b9f070 100644
> --- a/drivers/platform/mellanox/mlxreg-hotplug.c
> +++ b/drivers/platform/mellanox/mlxreg-hotplug.c
> @@ -348,20 +348,6 @@ mlxreg_hotplug_work_helper(struct
> mlxreg_hotplug_priv_data *priv,
> u32 regval, bit;
> int ret;
>
> - /*
> - * Validate if item related to received signal type is valid.
> - * It should never happen, excepted the situation when some
> - * piece of hardware is broken. In such situation just produce
> - * error message and return. Caller must continue to handle the
> - * signals from other devices if any.
> - */
> - if (unlikely(!item)) {
> - dev_err(priv->dev, "False signal: at offset:mask
> 0x%02x:0x%02x.\n",
> - item->reg, item->mask);
> -
> - return;
> - }
It would be enough just to produce dev_err(priv->dev, "False signal\n");
And return.
> -
> /* Mask event. */
> ret = regmap_write(priv->regmap, item->reg +
> MLXREG_HOTPLUG_MASK_OFF,
> 0);
> @@ -556,7 +542,7 @@ static void mlxreg_hotplug_work_handler(struct
> work_struct *work)
>
> /* Handle topology and health configuration changes. */
> for (i = 0; i < pdata->counter; i++, item++) {
> - if (aggr_asserted & item->aggr_mask) {
> + if (item && (aggr_asserted & item->aggr_mask)) {
> if (item->health)
> mlxreg_hotplug_health_work_helper(priv,
> item);
> else
> --
> 2.25.1
Hello!
I suppose there is no sense to produce dev_err() inside
mlxreg_hotplug_work_helper() since item is dereferenced twice
before we call this function. Should we produce dev_err()
inside the loop in mlxreg_hotplug_work_handler() instead?
-----Original Message-----
From: Vadim Pasternak [mailto:[email protected]]
Sent: Monday, February 26, 2024 6:15 PM
To: Daniil Dulov <[email protected]>; Hans de Goede <[email protected]>
Cc: Mark Gross <[email protected]>; Andy Shevchenko <[email protected]>; Darren Hart <[email protected]>; [email protected]; [email protected]; [email protected]
Subject: RE: [PATCH] platform/mellanox: mlxreg-hotplug: Check pointer for NULL before dereferencing it
> -----Original Message-----
> From: Daniil Dulov <[email protected]>
> Sent: Monday, 26 February 2024 16:55
> To: Hans de Goede <[email protected]>
> Cc: Daniil Dulov <[email protected]>; Mark Gross
> <[email protected]>; Andy Shevchenko <[email protected]>; Darren
> Hart <[email protected]>; Vadim Pasternak <[email protected]>;
> [email protected]; [email protected]; lvc-
> [email protected]
> Subject: [PATCH] platform/mellanox: mlxreg-hotplug: Check pointer for NULL
> before dereferencing it
>
> mlxreg_hotplug_work_helper() implies that item can be NULL. There is a
> sanity check that checks item for NULL and then dereferences it.
>
> Even though, the comment before sanity check says that it can only happen if
> some piece of hardware is broken, but in this case it will lead to NULL-pointer
> dereference before the function is even called, so let's check it before
> dereferencing.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: c6acad68eb2d ("platform/mellanox: mlxreg-hotplug: Modify to use a
> regmap interface")
> Signed-off-by: Daniil Dulov <[email protected]>
> ---
> drivers/platform/mellanox/mlxreg-hotplug.c | 16 +---------------
> 1 file changed, 1 insertion(+), 15 deletions(-)
>
> diff --git a/drivers/platform/mellanox/mlxreg-hotplug.c
> b/drivers/platform/mellanox/mlxreg-hotplug.c
> index 5c022b258f91..524121b9f070 100644
> --- a/drivers/platform/mellanox/mlxreg-hotplug.c
> +++ b/drivers/platform/mellanox/mlxreg-hotplug.c
> @@ -348,20 +348,6 @@ mlxreg_hotplug_work_helper(struct
> mlxreg_hotplug_priv_data *priv,
> u32 regval, bit;
> int ret;
>
> - /*
> - * Validate if item related to received signal type is valid.
> - * It should never happen, excepted the situation when some
> - * piece of hardware is broken. In such situation just produce
> - * error message and return. Caller must continue to handle the
> - * signals from other devices if any.
> - */
> - if (unlikely(!item)) {
> - dev_err(priv->dev, "False signal: at offset:mask
> 0x%02x:0x%02x.\n",
> - item->reg, item->mask);
> -
> - return;
> - }
It would be enough just to produce dev_err(priv->dev, "False signal\n");
And return.
> -
> /* Mask event. */
> ret = regmap_write(priv->regmap, item->reg +
> MLXREG_HOTPLUG_MASK_OFF,
> 0);
> @@ -556,7 +542,7 @@ static void mlxreg_hotplug_work_handler(struct
> work_struct *work)
>
> /* Handle topology and health configuration changes. */
> for (i = 0; i < pdata->counter; i++, item++) {
> - if (aggr_asserted & item->aggr_mask) {
> + if (item && (aggr_asserted & item->aggr_mask)) {
> if (item->health)
> mlxreg_hotplug_health_work_helper(priv,
> item);
> else
> --
> 2.25.1
> -----Original Message-----
> From: Daniil Dulov <[email protected]>
> Sent: Monday, 4 March 2024 13:44
> To: Vadim Pasternak <[email protected]>; Hans de Goede
> <[email protected]>
> Cc: Mark Gross <[email protected]>; Andy Shevchenko
> <[email protected]>; Darren Hart <[email protected]>; platform-
> [email protected]; [email protected]; lvc-
> [email protected]
> Subject: RE: [PATCH] platform/mellanox: mlxreg-hotplug: Check pointer for
> NULL before dereferencing it
>
> Hello!
>
> I suppose there is no sense to produce dev_err() inside
> mlxreg_hotplug_work_helper() since item is dereferenced twice before we
> call this function. Should we produce dev_err() inside the loop in
> mlxreg_hotplug_work_handler() instead?
Hi Daniil,
I think would be correct just to remove from mlx reg_hotplug_work_helper()
lines validating 'item' pointer.
This is paranoic test, this pointer should never be NULL.
It is safe to remove this validation.
Thanks,
Vadim.
>
> -----Original Message-----
> From: Vadim Pasternak [mailto:[email protected]]
> Sent: Monday, February 26, 2024 6:15 PM
> To: Daniil Dulov <[email protected]>; Hans de Goede
> <[email protected]>
> Cc: Mark Gross <[email protected]>; Andy Shevchenko
> <[email protected]>; Darren Hart <[email protected]>; platform-
> [email protected]; [email protected]; lvc-
> [email protected]
> Subject: RE: [PATCH] platform/mellanox: mlxreg-hotplug: Check pointer for
> NULL before dereferencing it
>
>
>
> > -----Original Message-----
> > From: Daniil Dulov <[email protected]>
> > Sent: Monday, 26 February 2024 16:55
> > To: Hans de Goede <[email protected]>
> > Cc: Daniil Dulov <[email protected]>; Mark Gross
> > <[email protected]>; Andy Shevchenko <[email protected]>;
> Darren
> > Hart <[email protected]>; Vadim Pasternak <[email protected]>;
> > [email protected]; [email protected]; lvc-
> > [email protected]
> > Subject: [PATCH] platform/mellanox: mlxreg-hotplug: Check pointer for NULL
> > before dereferencing it
> >
> > mlxreg_hotplug_work_helper() implies that item can be NULL. There is a
> > sanity check that checks item for NULL and then dereferences it.
> >
> > Even though, the comment before sanity check says that it can only happen
> if
> > some piece of hardware is broken, but in this case it will lead to NULL-
> pointer
> > dereference before the function is even called, so let's check it before
> > dereferencing.
> >
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> >
> > Fixes: c6acad68eb2d ("platform/mellanox: mlxreg-hotplug: Modify to use a
> > regmap interface")
> > Signed-off-by: Daniil Dulov <[email protected]>
> > ---
> > drivers/platform/mellanox/mlxreg-hotplug.c | 16 +---------------
> > 1 file changed, 1 insertion(+), 15 deletions(-)
> >
> > diff --git a/drivers/platform/mellanox/mlxreg-hotplug.c
> > b/drivers/platform/mellanox/mlxreg-hotplug.c
> > index 5c022b258f91..524121b9f070 100644
> > --- a/drivers/platform/mellanox/mlxreg-hotplug.c
> > +++ b/drivers/platform/mellanox/mlxreg-hotplug.c
> > @@ -348,20 +348,6 @@ mlxreg_hotplug_work_helper(struct
> > mlxreg_hotplug_priv_data *priv,
> > u32 regval, bit;
> > int ret;
> >
> > - /*
> > - * Validate if item related to received signal type is valid.
> > - * It should never happen, excepted the situation when some
> > - * piece of hardware is broken. In such situation just produce
> > - * error message and return. Caller must continue to handle the
> > - * signals from other devices if any.
> > - */
> > - if (unlikely(!item)) {
> > - dev_err(priv->dev, "False signal: at offset:mask
> > 0x%02x:0x%02x.\n",
> > - item->reg, item->mask);
> > -
> > - return;
> > - }
>
> It would be enough just to produce dev_err(priv->dev, "False signal\n");
> And return.
>
> > -
> > /* Mask event. */
> > ret = regmap_write(priv->regmap, item->reg +
> > MLXREG_HOTPLUG_MASK_OFF,
> > 0);
> > @@ -556,7 +542,7 @@ static void mlxreg_hotplug_work_handler(struct
> > work_struct *work)
> >
> > /* Handle topology and health configuration changes. */
> > for (i = 0; i < pdata->counter; i++, item++) {
> > - if (aggr_asserted & item->aggr_mask) {
> > + if (item && (aggr_asserted & item->aggr_mask)) {
> > if (item->health)
> > mlxreg_hotplug_health_work_helper(priv,
> > item);
> > else
> > --
> > 2.25.1
Pointer item is checked fo NULL at mlxreg_hotplug_work_helper() and then
it is dereferenced to produce dev_err().
This pointer is also dereferenced before calling this function and should
never be NULL except some piece of hardware is broken as it is said in
the comment before the check. So, this check can be safely removed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c6acad68eb2d ("platform/mellanox: mlxreg-hotplug: Modify to use a regmap interface")
Signed-off-by: Daniil Dulov <[email protected]>
---
drivers/platform/mellanox/mlxreg-hotplug.c | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/drivers/platform/mellanox/mlxreg-hotplug.c b/drivers/platform/mellanox/mlxreg-hotplug.c
index 5c022b258f91..0ce9fff1f7d4 100644
--- a/drivers/platform/mellanox/mlxreg-hotplug.c
+++ b/drivers/platform/mellanox/mlxreg-hotplug.c
@@ -348,20 +348,6 @@ mlxreg_hotplug_work_helper(struct mlxreg_hotplug_priv_data *priv,
u32 regval, bit;
int ret;
- /*
- * Validate if item related to received signal type is valid.
- * It should never happen, excepted the situation when some
- * piece of hardware is broken. In such situation just produce
- * error message and return. Caller must continue to handle the
- * signals from other devices if any.
- */
- if (unlikely(!item)) {
- dev_err(priv->dev, "False signal: at offset:mask 0x%02x:0x%02x.\n",
- item->reg, item->mask);
-
- return;
- }
-
/* Mask event. */
ret = regmap_write(priv->regmap, item->reg + MLXREG_HOTPLUG_MASK_OFF,
0);
--
2.25.1
> -----Original Message-----
> From: Daniil Dulov <[email protected]>
> Sent: Wednesday, 6 March 2024 17:38
> To: Vadim Pasternak <[email protected]>
> Cc: Daniil Dulov <[email protected]>; Mark Gross
> <[email protected]>; Andy Shevchenko <[email protected]>; Darren
> Hart <[email protected]>; Hans de Goede <[email protected]>;
> [email protected]; [email protected]; lvc-
> [email protected]
> Subject: [PATCH] platform/mellanox: mlxreg-hotplug: Remove redundant
> NULL-check
>
> Pointer item is checked fo NULL at mlxreg_hotplug_work_helper() and then it
> is dereferenced to produce dev_err().
> This pointer is also dereferenced before calling this function and should never
> be NULL except some piece of hardware is broken as it is said in the comment
> before the check. So, this check can be safely removed.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: c6acad68eb2d ("platform/mellanox: mlxreg-hotplug: Modify to use a
> regmap interface")
> Signed-off-by: Daniil Dulov <[email protected]>
Reviewed-by: Vadim Pasternak <[email protected]>
> ---
> drivers/platform/mellanox/mlxreg-hotplug.c | 14 --------------
> 1 file changed, 14 deletions(-)
>
> diff --git a/drivers/platform/mellanox/mlxreg-hotplug.c
> b/drivers/platform/mellanox/mlxreg-hotplug.c
> index 5c022b258f91..0ce9fff1f7d4 100644
> --- a/drivers/platform/mellanox/mlxreg-hotplug.c
> +++ b/drivers/platform/mellanox/mlxreg-hotplug.c
> @@ -348,20 +348,6 @@ mlxreg_hotplug_work_helper(struct
> mlxreg_hotplug_priv_data *priv,
> u32 regval, bit;
> int ret;
>
> - /*
> - * Validate if item related to received signal type is valid.
> - * It should never happen, excepted the situation when some
> - * piece of hardware is broken. In such situation just produce
> - * error message and return. Caller must continue to handle the
> - * signals from other devices if any.
> - */
> - if (unlikely(!item)) {
> - dev_err(priv->dev, "False signal: at offset:mask
> 0x%02x:0x%02x.\n",
> - item->reg, item->mask);
> -
> - return;
> - }
> -
> /* Mask event. */
> ret = regmap_write(priv->regmap, item->reg +
> MLXREG_HOTPLUG_MASK_OFF,
> 0);
> --
> 2.25.1
On Wed, 06 Mar 2024 18:38:04 +0300, Daniil Dulov wrote:
> Pointer item is checked fo NULL at mlxreg_hotplug_work_helper() and then
> it is dereferenced to produce dev_err().
> This pointer is also dereferenced before calling this function and should
> never be NULL except some piece of hardware is broken as it is said in
> the comment before the check. So, this check can be safely removed.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> [...]
Thank you for your contribution, it has been applied to my local
review-ilpo branch. Note it will show up in the public
platform-drivers-x86/review-ilpo branch only once I've pushed my
local branch there, which might take a while.
The list of commits applied:
[1/1] platform/mellanox: mlxreg-hotplug: Remove redundant NULL-check
commit: 576b82c3c9bf021af4984aafc105508c99660667
--
i.