This series includes some fixup patches for 85dfdbfc13ea ("mailbox:
cmdq: add multi-gce clocks support for mt8195").
Changes in v2:
- Add Reviewed-by tag
- Make clock names static
Fei Shao (2):
mailbox: mtk-cmdq: Validate alias_id on probe
mailbox: mtk-cmdq: Fix local clock ID usage
drivers/mailbox/mtk-cmdq-mailbox.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--
2.33.0.882.g93a45727a2-goog
In the probe function, the clock IDs were pointed to local variables
which should only be used in the same code block, and any access to them
after the probing stage becomes an use-after-free case.
Since there are only limited variants of the gce clock names so far, we
can just declare them as static constants to fix the issue.
Fixes: 85dfdbfc13ea ("mailbox: cmdq: add multi-gce clocks support for
mt8195")
Signed-off-by: Fei Shao <[email protected]>
---
Changes in v2:
- Make clock names static
drivers/mailbox/mtk-cmdq-mailbox.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c
index f3e52dddd422..95ce7275641c 100644
--- a/drivers/mailbox/mtk-cmdq-mailbox.c
+++ b/drivers/mailbox/mtk-cmdq-mailbox.c
@@ -532,7 +532,8 @@ static int cmdq_probe(struct platform_device *pdev)
struct device_node *phandle = dev->of_node;
struct device_node *node;
int alias_id = 0;
- char clk_name[4] = "gce";
+ static const char * const clk_name = "gce";
+ static const char * const clk_names[] = { "gce0", "gce1" };
cmdq = devm_kzalloc(dev, sizeof(*cmdq), GFP_KERNEL);
if (!cmdq)
@@ -570,12 +571,9 @@ static int cmdq_probe(struct platform_device *pdev)
if (cmdq->gce_num > 1) {
for_each_child_of_node(phandle->parent, node) {
- char clk_id[8];
-
alias_id = of_alias_get_id(node, clk_name);
if (alias_id >= 0 && alias_id < cmdq->gce_num) {
- snprintf(clk_id, sizeof(clk_id), "%s%d", clk_name, alias_id);
- cmdq->clocks[alias_id].id = clk_id;
+ cmdq->clocks[alias_id].id = clk_names[alias_id];
cmdq->clocks[alias_id].clk = of_clk_get(node, 0);
if (IS_ERR(cmdq->clocks[alias_id].clk)) {
dev_err(dev, "failed to get gce clk: %d\n", alias_id);
--
2.33.0.882.g93a45727a2-goog
of_alias_get_id() may return -ENODEV which leads to illegal access to
the cmdq->clocks array.
Adding a check over alias_id to prevent the unexpected behavior.
Fixes: 85dfdbfc13ea ("mailbox: cmdq: add multi-gce clocks support for
mt8195")
Signed-off-by: Fei Shao <[email protected]>
Reviewed-by: Tzung-Bi Shih <[email protected]>
---
Changes in v2:
- Add Reviewed-by tag
drivers/mailbox/mtk-cmdq-mailbox.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c
index 64175a893312..f3e52dddd422 100644
--- a/drivers/mailbox/mtk-cmdq-mailbox.c
+++ b/drivers/mailbox/mtk-cmdq-mailbox.c
@@ -573,7 +573,7 @@ static int cmdq_probe(struct platform_device *pdev)
char clk_id[8];
alias_id = of_alias_get_id(node, clk_name);
- if (alias_id < cmdq->gce_num) {
+ if (alias_id >= 0 && alias_id < cmdq->gce_num) {
snprintf(clk_id, sizeof(clk_id), "%s%d", clk_name, alias_id);
cmdq->clocks[alias_id].id = clk_id;
cmdq->clocks[alias_id].clk = of_clk_get(node, 0);
--
2.33.0.882.g93a45727a2-goog
On Thu, Oct 14, 2021 at 08:03:52PM +0800, Fei Shao wrote:
> In the probe function, the clock IDs were pointed to local variables
> which should only be used in the same code block, and any access to them
> after the probing stage becomes an use-after-free case.
>
> Since there are only limited variants of the gce clock names so far, we
> can just declare them as static constants to fix the issue.
>
> Fixes: 85dfdbfc13ea ("mailbox: cmdq: add multi-gce clocks support for
> mt8195")
> Signed-off-by: Fei Shao <[email protected]>
Reviewed-by: Tzung-Bi Shih <[email protected]>