Received: by 2002:ab2:b82:0:b0:1f3:401:3cfb with SMTP id 2csp636605lqh;
        Thu, 28 Mar 2024 11:32:35 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCVLNOlTc/6zm9FMdKpNJyu09XskeqJ6xrhYeoTmhbkjYlYmHEfgPkDATirQPTk+yZUmX1iNJf3Y3J5fE5c2tyk5XWFDjd2DWIWgwFWCRg==
X-Google-Smtp-Source: AGHT+IE5JkxKStbDRpALTg1CK3FxdPQdMKpCWhO7oSCLtuj16kY9U4Eoqjp8+UHKvLH0EujLW0JN
X-Received: by 2002:a9d:6246:0:b0:6e6:9faa:e283 with SMTP id i6-20020a9d6246000000b006e69faae283mr69685otk.14.1711650755225;
        Thu, 28 Mar 2024 11:32:35 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1711650755; cv=pass;
        d=google.com; s=arc-20160816;
        b=sgRpLLpuQtjgNRfjiPGHecS3n8FV53to88iO0LR8qPD2qW35oAMPjN++6oxNk1kn/g
         5it/IqDSZenx8Vh1/sBpJ1A1+vusEnZkNtFh+NvYfOB9WUEOqz7BpyTFXlkhFMHzMSMK
         MfoXjxjbvgMvcEm3dODoXF188FT3IcdJhGuVCRzWtdnQOmdNBL4hVFqo1BoIlmpBLYIb
         ovPHdi2+RrBxbN8x2dKANftWAF4glanzI48he31oJ9e9toUHTB4d4GTAyIcmMZnkbQxT
         RN9IEDi/KR/hVxh7S/pgofS+o33Ze36eY9dCb0W8HofAHiPKvgQrhMGz2fG7OLhSFiRk
         HvqQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:message-id:subject:cc:to:from
         :date:dkim-signature;
        bh=QgNWQEpyMHqaXDcGqHBS3tmSpSxkWgbW1cAuy0f8A+0=;
        fh=cHkD3vFtxAVeSUjpf0qarM/OJq+iRoH3iD2hmIbyeO0=;
        b=Dbqe53T7vn5hhRp0SSjM4bhbt/la/qy0DMUv032L1j+LBmtYw6pRKPGctC48XCUwY4
         MsWhdS33toSMZVZZEhuWsbvCEXLX4qQP8r1LNmA6E379FT09c/tuk5jkQdyCW1Hjdera
         fw0l39+BCI3cWBhedOPQu5YiecfVn4B8izUfk8LRtzSXQoMQyzXirkGPy06CUhiWjKq3
         2wBD9MP+YB7t8fYjoeZCh8Uc2yf2Cy6OUi9+aPtbzOB/yy6P92O1i7bFnamZFm33wlGs
         RlNOneH7ozRhveMbajUvRKlSfcVDkA9qAzywB7zRBQaO+HbMC4+6nsrAyFCaL99KhqSo
         35RA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="g7wY2/Sl";
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-kernel+bounces-123417-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-123417-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel+bounces-123417-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id x6-20020a05620a098600b007886482b07csi1885750qkx.488.2024.03.28.11.32.35
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 28 Mar 2024 11:32:35 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-123417-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="g7wY2/Sl";
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-kernel+bounces-123417-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-123417-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id E9C501C25551
	for <linux.lists.archive@gmail.com>; Thu, 28 Mar 2024 18:32:34 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 363A2136E29;
	Thu, 28 Mar 2024 18:32:26 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="g7wY2/Sl"
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5FB42131753;
	Thu, 28 Mar 2024 18:32:25 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1711650745; cv=none; b=EBmGxceWwtdDtqX/Dbsa1virHZI5GEOWkUjMVi0gYwHooLQew6xlA0BqIFA5MRmmveya2ikWnjMoJUN/T9Z85RIaJ8w0YQdEhdCw+hNd9knKtSRFNRE/V7LTPZVIrwv16weIcFncLBdKQiWQs+8PHpJS7UMCEdnX4OAgNZ0/a5g=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1711650745; c=relaxed/simple;
	bh=hg6PwlbaPT4C5AHUB1lGhPAl6f+A+kPebtQkzZI08ys=;
	h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type:
	 Content-Disposition:In-Reply-To; b=qD91vw4jcKjAUH5/7rEDlhkvXxd4TJ+1C0ZKIste5LLh9T7qMGdMVFnUDBSxhfd0FklE3vdqVgqRE8cTdjv2P3O8rj+Amq6zgQu8SPJqE6x/NZExy7FC9wcAYp2I7rmbpMSsNbvZ5tU8M3X3GNCUVd5QLsyqZvsSPERHLoefGyo=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=g7wY2/Sl; arc=none smtp.client-ip=10.30.226.201
Received: by smtp.kernel.org (Postfix) with ESMTPSA id B2AA2C433C7;
	Thu, 28 Mar 2024 18:32:24 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1711650744;
	bh=hg6PwlbaPT4C5AHUB1lGhPAl6f+A+kPebtQkzZI08ys=;
	h=Date:From:To:Cc:Subject:In-Reply-To:From;
	b=g7wY2/Slf5uIyl47Rc/xg17pM4iEw1CCbZWM3zZmUqEretMUP40JBjp3VGuaEE+80
	 eJb2SpPGJsjFFD8ilbj2EDoNn2wD6O1znQyUZwM1onts0sUfLT2OD2NoN3ImC9H4Vy
	 2wG6WO05IA/s4PU89r2q2VPlbLq3OEd/4AWs8w/npIvzVpyLKSgVpzNHZS6aRowJoE
	 13ELyfO83HegHr8AJ/jQfIkdFqKAJB7XFZgiQhODc0HBTr5wSL2f3XG2MrdF4aOOeO
	 J+BcI5S3Iinl0jWiCvygkcEpEglKw6en4fcnfR5ypO4+ZQC2alOEZCj3lMuMNWaK6h
	 alSETf9sipEWA==
Date: Thu, 28 Mar 2024 13:32:23 -0500
From: Bjorn Helgaas <helgaas@kernel.org>
To: Aleksandr Mishin <amishin@t-argos.ru>
Cc: Jonathan Chocron <jonnyc@amazon.com>,
	Lorenzo Pieralisi <lpieralisi@kernel.org>,
	Krzysztof =?utf-8?Q?Wilczy=C5=84ski?= <kw@linux.com>,
	Rob Herring <robh@kernel.org>, Bjorn Helgaas <bhelgaas@google.com>,
	linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org,
	lvc-project@linuxtesting.org
Subject: Re: [PATCH] PCI: dwc: Fix potential NULL dereference
Message-ID: <20240328183223.GA1575271@bhelgaas>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20240328180126.23574-1-amishin@t-argos.ru>

The subject line should be:

  PCI: al: ...

since this fix is specific to the "al" driver, not generic to "dwc".

On Thu, Mar 28, 2024 at 09:01:26PM +0300, Aleksandr Mishin wrote:
> In al_pcie_config_prepare() resource_list_first_type() may return
> NULL which is later dereferenced. Fix this bug by adding NULL check.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 0f71c60ffd26 ("PCI: dwc: Remove storing of PCI resources")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> ---
>  drivers/pci/controller/dwc/pcie-al.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/pci/controller/dwc/pcie-al.c b/drivers/pci/controller/dwc/pcie-al.c
> index 6dfdda59f328..29bc99d48295 100644
> --- a/drivers/pci/controller/dwc/pcie-al.c
> +++ b/drivers/pci/controller/dwc/pcie-al.c
> @@ -252,7 +252,12 @@ static void al_pcie_config_prepare(struct al_pcie *pcie)
>  	u8 secondary_bus;
>  	u32 cfg_control;
>  	u32 reg;
> -	struct resource *bus = resource_list_first_type(&pp->bridge->windows, IORESOURCE_BUS)->res;
> +
> +	struct resource_entry *ft = resource_list_first_type(&pp->bridge->windows, IORESOURCE_BUS); 
> +	if (!ft)
> +		return;

I don't think this is right.  If we don't have an IORESOURCE_BUS
resource and we just silently return here, we will not write the
CFG_CONTROL register.  It looks essential that CFG_CONTROL be set, so
if we can't do that, the .probe() should fail.

But I think we are actually guaranteed that there is an IORESOURCE_BUS
resource because this path fabricates one if the "bus-range" DT
property doesn't exist:

 al_pcie_probe
    dw_pcie_host_init
      devm_pci_alloc_host_bridge
        devm_of_pci_bridge_init
          pci_parse_request_of_pci_ranges
            devm_of_pci_get_host_bridge_resources
              err = of_pci_parse_bus_range
                if (err)
                  bus_range->flags = IORESOURCE_BUS  # <--

I wouldn't necessarily object to doing something like other drivers
do:

  gen_pci_init
    bus = resource_list_first_type(&bridge->windows, IORESOURCE_BUS);
    if (!bus)
      return ERR_PTR(-ENODEV);

  xilinx_cpm_pcie_probe
    bus = resource_list_first_type(&bridge->windows, IORESOURCE_BUS);
    if (!bus)
      return -ENODEV;

But it would have to lead to .probe() failing, not just a silent
skipping of CFG_CONTROL setup.

> +	struct resource *bus = ft->res;
>  
>  	target_bus_cfg = &pcie->target_bus_cfg;
>  
> -- 
> 2.30.2
>