Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp37694375rwd; Tue, 11 Jul 2023 18:57:28 -0700 (PDT) X-Google-Smtp-Source: APBJJlFrYG0L1Llqzj0yo5Kkr65FHuMTGBYNaw2R+Cqi+oslczlvUBH1EHzNXboctI15vVgRG3ik X-Received: by 2002:a17:906:7499:b0:992:630f:98b4 with SMTP id e25-20020a170906749900b00992630f98b4mr18004630ejl.7.1689127047792; Tue, 11 Jul 2023 18:57:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689127047; cv=none; d=google.com; s=arc-20160816; b=oBVaAG2YKGNCgkIxZu58z2vYXQbh0eZ8KmIVwQqyVIS15ztD01xf/s+bfS306m1S/3 JGCXgqIFm4nUrHItypt1DaGTdEZG42nUcZU7IVFq7H1p5cMfgOn1XoxBFz/Xe8jwvCNe ZbVvah+6cal+OJoZcxfqO7UW7FILaeJZJwd/IzsY1sSO6/25q4oWULVo5Yy3gyFLyYje vd0ix5CqdYnKgqq8kh/bDcVmSh8oxSlaHw0ovlxFBqDNQpogD+lf3XWShI8livYHj4jc A40IrDtt4pV2dA1Xi9EFUrZMvmsP7KJgmIKBxYOy2PW9bRC4GUW7zOW3xv3V8yRsjviD o0Sw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:subject:user-agent:mime-version:date:message-id; bh=x8veN3uqlkHF1KzFPSpnUTK0uXl55Z8h+vmn42+qaDc=; fh=BHRv3Uiw7NIDh12hPMil5fvRdIQ7yXQdqYMjX8yGcsg=; b=ahgiGcVRp1hFxnSMGLmECmGlQD/w3rLnlqCdPb16w95GlBNrvYTqZXHBn0SlJX9QMJ XdJBt/vY7mSo4viltL8FtuNQda7SsNwFIdv72HtOAY9K9Nxom668gQ9kjZA6g9bDyu5S eEtgZYgOrus6oJ+sG7DC6qKiV5fNwd2fdvy4Jvit9v8FF2z/JC1qWRgXEKjNWlUH73VH fdKYaBTRlvJvlY+FKTMsEBaVHl9qr/C9+NvSUPBhELxrnIcTCV4wb5OAvDmsZ8j6ZTkI B9GZ1BPLrUwnbSvljYsea4MRU/i932HT8iXWtHAkzkdyIrvaS7LEORxgAFY6Xjk+XP8S l4Ug== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n1-20020a170906088100b0098da8d0ce54si3396032eje.834.2023.07.11.18.57.02; Tue, 11 Jul 2023 18:57:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230150AbjGLBjD (ORCPT + 99 others); Tue, 11 Jul 2023 21:39:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55972 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229609AbjGLBjB (ORCPT ); Tue, 11 Jul 2023 21:39:01 -0400 Received: from out30-98.freemail.mail.aliyun.com (out30-98.freemail.mail.aliyun.com [115.124.30.98]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3794C195; Tue, 11 Jul 2023 18:38:56 -0700 (PDT) X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R111e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=ay29a033018046059;MF=baolin.wang@linux.alibaba.com;NM=1;PH=DS;RN=7;SR=0;TI=SMTPD_---0VnAhBvS_1689125932; Received: from 30.97.48.48(mailfrom:baolin.wang@linux.alibaba.com fp:SMTPD_---0VnAhBvS_1689125932) by smtp.aliyun-inc.com; Wed, 12 Jul 2023 09:38:53 +0800 Message-ID: Date: Wed, 12 Jul 2023 09:39:13 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0 Subject: Re: [PATCH 1/2] serial: sprd: Assign sprd_port after initialized to avoid wrong access To: Chunyan Zhang Cc: Chunyan Zhang , Greg Kroah-Hartman , Jiri Slaby , linux-serial@vger.kernel.org, Orson Zhai , LKML References: <20230710080348.4137875-1-chunyan.zhang@unisoc.com> From: Baolin Wang In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-10.0 required=5.0 tests=BAYES_00, ENV_AND_HDR_SPF_MATCH,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE,UNPARSEABLE_RELAY,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 7/11/2023 10:57 AM, Chunyan Zhang wrote: > On Mon, 10 Jul 2023 at 17:57, Baolin Wang wrote: >> >> >> >> On 7/10/2023 4:03 PM, Chunyan Zhang wrote: >>> The global pointer 'sprd_port' maybe not zero when sprd_probe returns >>> fail, that is a risk for sprd_port to be accessed afterward, and will >>> lead unexpected errors. >>> >>> For example: >>> >>> There're two UART ports, UART1 is used for console and configured in kernel >>> command line, i.e. "console="; >>> >>> The UART1 probe fail and the memory allocated to sprd_port[1] was released, >>> but sprd_port[1] was not set to NULL; >> >> IMO, we should just set sprd_port[1] to be NULL, which seems simpler? > > This patch just does like this indeed, in the label of 'clean_port'. > Adding a local variable instead of using global pointer (sprd_port[]) > to store the virtual address allocated for sprd_port can avoid > overmany goto labels. > >> >>> >>> In UART2 probe, the same virtual address was allocated to sprd_port[2], >>> and UART2 probe process finally will go into sprd_console_setup() to >>> register UART1 as console since it is configured as preferred console >>> (filled to console_cmdline[]), but the console parameters (sprd_port[1]) >>> actually belongs to UART2. >> >> I'm confusing why the console parameters belongs to UART2? Since the >> console_cmdline[] will specify the serial index, that belongs to UART1. > > The same virtual address stored in sprd_port[1] was reallocated to > sprd_port[2] after the UART1 probe returned failure. > After more thinking, I understood your case. :) But I see a nit in this patch, you added a 'clean_port' label to clear the resource for the fail-probe-port instead of sprd_remove(), however sprd_remove() will call sprd_rx_free_buf() to free the DMA buffer originally. I know the 2nd patch will add it back, but patch 1 is not git-bisect safe, right? So I think you should also add sprd_rx_free_buf() under the 'clean_port' label in patch 1, then patch 2 moves the sprd_rx_free_buf() to the correct place. >> Please correct me if I miss something. >> >>> So move the sprd_port[] assignment to where the port already initialized >>> can avoid the above issue. >>> >>> Fixes: b7396a38fb28 ("tty/serial: Add Spreadtrum sc9836-uart driver support") >>> Signed-off-by: Chunyan Zhang >>> --- >>> drivers/tty/serial/sprd_serial.c | 24 ++++++++++++++++-------- >>> 1 file changed, 16 insertions(+), 8 deletions(-) >>> >>> diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c >>> index b58f51296ace..942808517393 100644 >>> --- a/drivers/tty/serial/sprd_serial.c >>> +++ b/drivers/tty/serial/sprd_serial.c >>> @@ -1106,7 +1106,7 @@ static bool sprd_uart_is_console(struct uart_port *uport) >>> static int sprd_clk_init(struct uart_port *uport) >>> { >>> struct clk *clk_uart, *clk_parent; >>> - struct sprd_uart_port *u = sprd_port[uport->line]; >>> + struct sprd_uart_port *u = container_of(uport, struct sprd_uart_port, port); >>> >>> clk_uart = devm_clk_get(uport->dev, "uart"); >>> if (IS_ERR(clk_uart)) { >>> @@ -1149,22 +1149,22 @@ static int sprd_probe(struct platform_device *pdev) >>> { >>> struct resource *res; >>> struct uart_port *up; >>> + struct sprd_uart_port *sport; >>> int irq; >>> int index; >>> int ret; >>> >>> index = of_alias_get_id(pdev->dev.of_node, "serial"); >>> - if (index < 0 || index >= ARRAY_SIZE(sprd_port)) { >>> + if (index < 0 || index >= UART_NR_MAX) { >>> dev_err(&pdev->dev, "got a wrong serial alias id %d\n", index); >>> return -EINVAL; >>> } >>> >>> - sprd_port[index] = devm_kzalloc(&pdev->dev, sizeof(*sprd_port[index]), >>> - GFP_KERNEL); >>> - if (!sprd_port[index]) >>> + sport = devm_kzalloc(&pdev->dev, sizeof(*sport), GFP_KERNEL); >>> + if (!sport) >>> return -ENOMEM; >>> >>> - up = &sprd_port[index]->port; >>> + up = &sport->port; >>> up->dev = &pdev->dev; >>> up->line = index; >>> up->type = PORT_SPRD; >>> @@ -1195,7 +1195,7 @@ static int sprd_probe(struct platform_device *pdev) >>> * Allocate one dma buffer to prepare for receive transfer, in case >>> * memory allocation failure at runtime. >>> */ >>> - ret = sprd_rx_alloc_buf(sprd_port[index]); >>> + ret = sprd_rx_alloc_buf(sport); >>> if (ret) >>> return ret; >>> >>> @@ -1208,12 +1208,20 @@ static int sprd_probe(struct platform_device *pdev) >>> } >>> sprd_ports_num++; >>> >>> + sprd_port[index] = sport; >>> + >>> ret = uart_add_one_port(&sprd_uart_driver, up); >>> if (ret) >>> - sprd_remove(pdev); >>> + goto clean_port; >>> >>> platform_set_drvdata(pdev, up); >>> >>> + return 0; >>> + >>> +clean_port: >>> + sprd_port[index] = NULL; >>> + sprd_ports_num--; >>> + uart_unregister_driver(&sprd_uart_driver); >>> return ret; >>> } >>>