Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp2179729rdh; Tue, 26 Sep 2023 15:23:33 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHM6Rx5XHB4va/J+BXKscLSVwxP1HrUJdbqkX3ISkE/E9+u6RgY0eHSQWcQrm+bcq/6OHaF X-Received: by 2002:a05:6871:14e:b0:1dc:d8c6:39d with SMTP id z14-20020a056871014e00b001dcd8c6039dmr438917oab.2.1695767013046; Tue, 26 Sep 2023 15:23:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695767013; cv=none; d=google.com; s=arc-20160816; b=BUzraVDMcGOMJrUjjF1y73cezQR5zXEFin+gAsSVCa5aClaLcX/5c+WMcCYLJ4bYOS NhaZkkfq8RMiCC3LDPiA9URAiMMoDdM88i2mK6vlhOZS66KMQ378EStdU5cV/PdGu9nI JgXp7FXfU0DgcD9lumH7ax+MtBnYjgV/HNFQqDYqC1iqw4Ss/N/3dDyllUUlY8vvI/2n UnO3jldsHDZOpg8iY7yz5WpTK4GJ5XyBKZPF1hIgjOnEeJoZwn0ZHwoEAb1YYoqdtgGi 6Hq+Q+W3Ub/VgIolOw+GUtgSXo3jdAgmHpY4K5kAhqip4BPbf5DxzEXO3ZETgEBik1zT nunA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=9YAyRg25y1ds+4WMOQ2HhwyFuV1Nm/hS+8w3y9qqUyQ=; fh=bJwrAgo9Q8kEk7S96E1HJUX8CzFhxzSPUWFKbo9SYLw=; b=ny+dQ1LkwmD0n7jlUUfzBgOQJDu5U4reLEUAnixy2ta3y7vfs6W9NHj6YHe4xuE+z0 TXkdNjVLiET6u5f6DOYy5pa9VVj9Pt74uCjsgFiag2mtLIDT/vCzMBksQYZWHR3iaoWb Prqi1CL5g6xoMGsMXyGlyqRJBd2g/9+QeswA2EOnC2geKz8zFHZrezrZiqWObpgt4Uwu fkz20I1fTGjWvS/NqQlu7oZTABSIyAmqS1F7CUOwIz1DThzea7dcwIiNF3zONp+s0iIl HpDyRw1C/olTcX4BUnsPRGZkcaLIXoUkQ0yte+XjwsJ3i4SnGigosG1lM4rt2cg4SpaC 1p+A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ZKerJDtj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from groat.vger.email (groat.vger.email. [23.128.96.35]) by mx.google.com with ESMTPS id f10-20020a65550a000000b0057744d09d2fsi13475301pgr.18.2023.09.26.15.23.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 26 Sep 2023 15:23:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ZKerJDtj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id BAFB7832C9F6; Tue, 26 Sep 2023 09:42:39 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235283AbjIZQmP (ORCPT + 99 others); Tue, 26 Sep 2023 12:42:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48804 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235370AbjIZQmE (ORCPT ); Tue, 26 Sep 2023 12:42:04 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 91DEF19A for ; Tue, 26 Sep 2023 09:41:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1695746465; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=9YAyRg25y1ds+4WMOQ2HhwyFuV1Nm/hS+8w3y9qqUyQ=; b=ZKerJDtjqwgwk7OOFSz2q/lUaiN7G5diUcDWRF6AO8uOFmLyjwkcnx/7lZIv0EBGcnYsoL 39TFpfJpUZ/d9+KegKhycJqOgeQyCA2f78khQ9aYijgvm+jYFRwksHTub/KsMnHF4r/GVN SVF/mzLuQd69yH+M5cuvWDhz5xGcqUM= Received: from mail-ej1-f69.google.com (mail-ej1-f69.google.com [209.85.218.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-358--e5a4y6SPwu5nm-8diJOAg-1; Tue, 26 Sep 2023 12:41:04 -0400 X-MC-Unique: -e5a4y6SPwu5nm-8diJOAg-1 Received: by mail-ej1-f69.google.com with SMTP id a640c23a62f3a-94a355cf318so793625466b.2 for ; Tue, 26 Sep 2023 09:41:03 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695746463; x=1696351263; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9YAyRg25y1ds+4WMOQ2HhwyFuV1Nm/hS+8w3y9qqUyQ=; b=w7c0k9tVj2IrZXaVzNsatgoGsd9f/DIBDwqI8bpbAW9KFEiqOQdqjSusH01x9z5mS2 rzQklGJ/VifYu9nA8KnWrwv8cpngipsQU7l4usauWCVpv5MGnens8oEYPq1jYiprC3Cv vzdoQa8Mf1N7X4ZWIhl533KAe/2eQv5PMP6KiFNDf6neEtuYg4jljM1BuH5tjlcn4dn8 pubjRFRmqy8U7n5X5aQRuYd6hnBQuQox/gntQfyEFfXiLixOplItccc2F6p6/nNc/8Pj +a4zXcMdtPljZLPGey9XClkSuH2GYdxfFWVOG9sVhthweHu4Yx89wmDkV3Ns2rUuxiIj GWUw== X-Gm-Message-State: AOJu0Yz/GUmCp8EukOK6KTEA7KXoZ5IcvjNHoi36wOv9nZ9RhMpRdcv/ 8A0nWCd3s2OemsWaWvW61j2VTe/+A+S4tMOAWMjJc7P0LMS1mbsx6BLNczFwP1Tkgs/zic3DAAn Gvxjt9zSlQAxVnHj/V057z/hUGdR8PmYY7izMFY0c X-Received: by 2002:a17:906:218a:b0:9ad:7d5c:3d4b with SMTP id 10-20020a170906218a00b009ad7d5c3d4bmr9170357eju.35.1695746462966; Tue, 26 Sep 2023 09:41:02 -0700 (PDT) X-Received: by 2002:a17:906:218a:b0:9ad:7d5c:3d4b with SMTP id 10-20020a170906218a00b009ad7d5c3d4bmr9170343eju.35.1695746462665; Tue, 26 Sep 2023 09:41:02 -0700 (PDT) MIME-Version: 1.0 References: <20230926032244.11560-1-dinghao.liu@zju.edu.cn> <20230926100202.011ab841@xps-13> In-Reply-To: From: Alexander Aring Date: Tue, 26 Sep 2023 12:40:51 -0400 Message-ID: Subject: Re: [PATCH] [v2] ieee802154: ca8210: Fix a potential UAF in ca8210_probe To: Stefan Schmidt Cc: Miquel Raynal , Dinghao Liu , Alexander Aring , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Marcel Holtmann , Harry Morris , linux-wpan@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Tue, 26 Sep 2023 09:42:39 -0700 (PDT) Hi, On Tue, Sep 26, 2023 at 4:29=E2=80=AFAM Stefan Schmidt wrote: > > Hello. > > On 26.09.23 10:02, Miquel Raynal wrote: > > Hi Dinghao, > > > > dinghao.liu@zju.edu.cn wrote on Tue, 26 Sep 2023 11:22:44 +0800: > > > >> If of_clk_add_provider() fails in ca8210_register_ext_clock(), > >> it calls clk_unregister() to release priv->clk and returns an > >> error. However, the caller ca8210_probe() then calls ca8210_remove(), > >> where priv->clk is freed again in ca8210_unregister_ext_clock(). In > >> this case, a use-after-free may happen in the second time we call > >> clk_unregister(). > >> > >> Fix this by removing the first clk_unregister(). Also, priv->clk could > >> be an error code on failure of clk_register_fixed_rate(). Use > >> IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock(). > >> > >> Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driv= er") > > > > Missing Cc stable, this needs to be backported. > > > >> Signed-off-by: Dinghao Liu > >> --- > >> > >> Changelog: > >> > >> v2: -Remove the first clk_unregister() instead of nulling priv->clk. > >> --- > >> drivers/net/ieee802154/ca8210.c | 3 +-- > >> 1 file changed, 1 insertion(+), 2 deletions(-) > >> > >> diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/= ca8210.c > >> index aebb19f1b3a4..b35c6f59bd1a 100644 > >> --- a/drivers/net/ieee802154/ca8210.c > >> +++ b/drivers/net/ieee802154/ca8210.c > >> @@ -2759,7 +2759,6 @@ static int ca8210_register_ext_clock(struct spi_= device *spi) > >> } > >> ret =3D of_clk_add_provider(np, of_clk_src_simple_get, priv->clk)= ; > >> if (ret) { > >> - clk_unregister(priv->clk); > >> dev_crit( > >> &spi->dev, > >> "Failed to register external clock as clock provi= der\n" > > > > I was hoping you would simplify this function a bit more. > > > >> @@ -2780,7 +2779,7 @@ static void ca8210_unregister_ext_clock(struct s= pi_device *spi) > >> { > >> struct ca8210_priv *priv =3D spi_get_drvdata(spi); > >> > >> - if (!priv->clk) > >> + if (IS_ERR_OR_NULL(priv->clk)) > >> return > >> > >> of_clk_del_provider(spi->dev.of_node); > > > > Alex, Stefan, who handles wpan and wpan/next this release? > > IIRC it would be me for wpan and Alex for wpan-next. That's okay for me. - Alex