Received: by 2002:a05:6358:7058:b0:131:369:b2a3 with SMTP id 24csp9216232rwp;
        Thu, 20 Jul 2023 01:04:29 -0700 (PDT)
X-Google-Smtp-Source: APBJJlGAfy4rAAykm4fMm2VI+yUVQI3EXvqa5Pg2DcgtCFYK2oGtsJh9sTCC5NnohOa9CVpEpKHM
X-Received: by 2002:a17:906:2258:b0:992:9005:8302 with SMTP id 24-20020a170906225800b0099290058302mr3432628ejr.77.1689840269153;
        Thu, 20 Jul 2023 01:04:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1689840269; cv=none;
        d=google.com; s=arc-20160816;
        b=VI9k9wbOAUi2+GU5uqtnC52TCqALwk5PUjhztBB4EirF70dQ9HkubbejMHR1EsZM3p
         8eZFjwehubb+5cIeAIZ1m/T5EfQ6cbmzpJBjOvcaRuQGV8tf72KiTJq6y5byP2Au5tD9
         FjKJ+gKwgtFqlfap6aTr0hhla5wodRHMHqF0Vitnc+OdpO9eqXXDDsyi+4FaVDZIJavv
         pN21YPRxNunSjHLtSV2qHkF1zpYSCpjlk88XL8jb4yNFOE4GeRm1fN0gaSjnaSjljn8D
         LVkWMHCz66yr+qyW7GJOcJ57KOx+NLPzaTiKu89ZjXu/jQYRwy6I46E6k3pob4QZNLfE
         sYqA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:subject:user-agent:mime-version:date:message-id;
        bh=LUETuo5KwEQ5DHAJJRTryTprQs7D2TBF/rZiRM7gsH8=;
        fh=OgZrEhlWvvghRXXO5YWqL4tdeqx/7l39QdC5tdTMdVg=;
        b=GW0kMoXQWBSNMAqjMi6Ua2nfRklUeOa1FmHkOFBDrStYh+ATQ+zBTHYCUjete/P0Nj
         reX8MuqYzh6YUrxDtI38RX+edqvrPrHeWW6YBWi/a8cWAVL/Ry/QgrqnWKeli21JnJQ/
         1CuBUaVFeP+DAvwRGq9Nl0JR7AU4nfuH7wRnGKPenXkz+n09MIFizx+geaCkoySrUYXw
         bYSfCf1Jkm5LzG/cOCcUXpAzBWyGmqKwOuDaXpjzxavlLVHQ457X+SwwgGHU0bF1k0xY
         Z69owZ1RopcC6weXovKxW2qm8vIzu3vewEEmdpZRA013TuDCnqlqL7N6mcWw/NXLJH38
         Kc3Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id f20-20020a1709062c5400b00993211b85acsi345278ejh.216.2023.07.20.01.04.04;
        Thu, 20 Jul 2023 01:04:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231373AbjGTG5Y (ORCPT <rfc822;andreacani85to@gmail.com>
        + 99 others); Thu, 20 Jul 2023 02:57:24 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35774 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229651AbjGTG5W (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 20 Jul 2023 02:57:22 -0400
Received: from out30-101.freemail.mail.aliyun.com (out30-101.freemail.mail.aliyun.com [115.124.30.101])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8FFEACC;
        Wed, 19 Jul 2023 23:57:18 -0700 (PDT)
X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R131e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=ay29a033018045176;MF=baolin.wang@linux.alibaba.com;NM=1;PH=DS;RN=7;SR=0;TI=SMTPD_---0VnovSVt_1689836233;
Received: from 30.97.48.52(mailfrom:baolin.wang@linux.alibaba.com fp:SMTPD_---0VnovSVt_1689836233)
          by smtp.aliyun-inc.com;
          Thu, 20 Jul 2023 14:57:14 +0800
Message-ID: <7c7e062f-40d2-a3d9-6a25-0ef3defe2caf@linux.alibaba.com>
Date:   Thu, 20 Jul 2023 14:57:34 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.13.0
Subject: Re: [PATCH V2 1/2] serial: sprd: Assign sprd_port after initialized
 to avoid wrong access
To:     Chunyan Zhang <chunyan.zhang@unisoc.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jirislaby@kernel.org>
Cc:     linux-serial@vger.kernel.org, Orson Zhai <orsonzhai@gmail.com>,
        Chunyan Zhang <zhang.lyra@gmail.com>,
        LKML <linux-kernel@vger.kernel.org>
References: <20230713031904.12106-1-chunyan.zhang@unisoc.com>
From:   Baolin Wang <baolin.wang@linux.alibaba.com>
In-Reply-To: <20230713031904.12106-1-chunyan.zhang@unisoc.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-10.0 required=5.0 tests=BAYES_00,
        ENV_AND_HDR_SPF_MATCH,NICE_REPLY_A,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,
        SPF_PASS,T_SCC_BODY_TEXT_LINE,UNPARSEABLE_RELAY,USER_IN_DEF_SPF_WL
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 7/13/2023 11:19 AM, Chunyan Zhang wrote:
> The global pointer 'sprd_port' may not zero when sprd_probe returns
> failure, that is a risk for sprd_port to be accessed afterward, and
> may lead to unexpected errors.
> 
> For example:
> 
> There are two UART ports, UART1 is used for console and configured in
> kernel command line, i.e. "console=";
> 
> The UART1 probe failed and the memory allocated to sprd_port[1] was
> released, but sprd_port[1] was not set to NULL;
> 
> In UART2 probe, the same virtual address was allocated to sprd_port[2],
> and UART2 probe process finally will go into sprd_console_setup() to
> register UART1 as console since it is configured as preferred console
> (filled to console_cmdline[]), but the console parameters (sprd_port[1])
> belong to UART2.
> 
> So move the sprd_port[] assignment to where the port already initialized
> can avoid the above issue.
> 
> Fixes: b7396a38fb28 ("tty/serial: Add Spreadtrum sc9836-uart driver support")
> Signed-off-by: Chunyan Zhang <chunyan.zhang@unisoc.com>
> ---
> V2:
> - Leave sprd_remove() to keep the unrelated code logic the same.
> ---
>   drivers/tty/serial/sprd_serial.c | 25 +++++++++++++++++--------
>   1 file changed, 17 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c
> index b58f51296ace..11de338a6122 100644
> --- a/drivers/tty/serial/sprd_serial.c
> +++ b/drivers/tty/serial/sprd_serial.c
> @@ -1106,7 +1106,7 @@ static bool sprd_uart_is_console(struct uart_port *uport)
>   static int sprd_clk_init(struct uart_port *uport)
>   {
>   	struct clk *clk_uart, *clk_parent;
> -	struct sprd_uart_port *u = sprd_port[uport->line];
> +	struct sprd_uart_port *u = container_of(uport, struct sprd_uart_port, port);
>   
>   	clk_uart = devm_clk_get(uport->dev, "uart");
>   	if (IS_ERR(clk_uart)) {
> @@ -1149,22 +1149,22 @@ static int sprd_probe(struct platform_device *pdev)
>   {
>   	struct resource *res;
>   	struct uart_port *up;
> +	struct sprd_uart_port *sport;
>   	int irq;
>   	int index;
>   	int ret;
>   
>   	index = of_alias_get_id(pdev->dev.of_node, "serial");
> -	if (index < 0 || index >= ARRAY_SIZE(sprd_port)) {
> +	if (index < 0 || index >= UART_NR_MAX) {
>   		dev_err(&pdev->dev, "got a wrong serial alias id %d\n", index);
>   		return -EINVAL;
>   	}
>   
> -	sprd_port[index] = devm_kzalloc(&pdev->dev, sizeof(*sprd_port[index]),
> -					GFP_KERNEL);
> -	if (!sprd_port[index])
> +	sport = devm_kzalloc(&pdev->dev, sizeof(*sport), GFP_KERNEL);
> +	if (!sport)
>   		return -ENOMEM;
>   
> -	up = &sprd_port[index]->port;
> +	up = &sport->port;
>   	up->dev = &pdev->dev;
>   	up->line = index;
>   	up->type = PORT_SPRD;
> @@ -1195,7 +1195,7 @@ static int sprd_probe(struct platform_device *pdev)
>   	 * Allocate one dma buffer to prepare for receive transfer, in case
>   	 * memory allocation failure at runtime.
>   	 */
> -	ret = sprd_rx_alloc_buf(sprd_port[index]);
> +	ret = sprd_rx_alloc_buf(sport);
>   	if (ret)
>   		return ret;
>   
> @@ -1208,12 +1208,21 @@ static int sprd_probe(struct platform_device *pdev)
>   	}
>   	sprd_ports_num++;
>   
> +	sprd_port[index] = sport;
> +
>   	ret = uart_add_one_port(&sprd_uart_driver, up);
>   	if (ret)
> -		sprd_remove(pdev);
> +		goto clean_port;
>   
>   	platform_set_drvdata(pdev, up);
>   
> +	return 0;
> +
> +clean_port:
> +	sprd_port[index] = NULL;
> +	sprd_ports_num--;
> +	uart_unregister_driver(&sprd_uart_driver);

I am not sure this is corect, in sprd_remove() it only calls 
uart_unregister_driver() when the 'sprd_ports_num' decreases to 0.

> +	sprd_remove(pdev);

I don't think calling sprd_remove() is helpful here, since we have not 
saved 'up' into the driver data, which means the 'sprd_rx_free_buf(sup)' 
will not be called in sprd_remove().

So, to simplify the code, I think you can just add the 
sprd_rx_free_buf() into the 'clean_port' label:

clean_port:
	sprd_rx_free_buf(sprd_port[index]);
	sprd_port[index] = NULL;
	sprd_ports_num--;
	if (!sprd_ports_num)
		uart_unregister_driver(&sprd_uart_driver);

Then in patch 2, you can move the sprd_rx_free_buf() to the correct 
place to fix another potential leak issue.