lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 27 Feb 2021 12:26:20 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     kbuild@...ts.01.org, Shawn Guo <shawn.guo@...aro.org>
Cc:     lkp@...el.com, kbuild-all@...ts.01.org,
        linux-kernel@...r.kernel.org,
        Viresh Kumar <viresh.kumar@...aro.org>
Subject: drivers/cpufreq/qcom-cpufreq-hw.c:377 qcom_cpufreq_hw_cpu_init()
 error: we previously assumed 'data' could be null (see line 327)

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   8b83369ddcb3fb9cab5c1088987ce477565bb630
commit: 67fc209b527d023db4d087c68e44e9790aa089ef cpufreq: qcom-hw: drop devm_xxx() calls from init/exit hooks
config: arm64-randconfig-m031-20210226 (attached as .config)
compiler: aarch64-linux-gcc (GCC) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>

smatch warnings:
drivers/cpufreq/qcom-cpufreq-hw.c:377 qcom_cpufreq_hw_cpu_init() error: we previously assumed 'data' could be null (see line 327)
drivers/cpufreq/qcom-cpufreq-hw.c:377 qcom_cpufreq_hw_cpu_init() error: dereferencing freed memory 'data'

vim +/data +377 drivers/cpufreq/qcom-cpufreq-hw.c

2849dd8bc72b62 Taniya Das            2018-12-14  277  static int qcom_cpufreq_hw_cpu_init(struct cpufreq_policy *policy)
2849dd8bc72b62 Taniya Das            2018-12-14  278  {
bd74e286b35413 Manivannan Sadhasivam 2020-09-08  279  	struct platform_device *pdev = cpufreq_get_driver_data();
bd74e286b35413 Manivannan Sadhasivam 2020-09-08  280  	struct device *dev = &pdev->dev;
2849dd8bc72b62 Taniya Das            2018-12-14  281  	struct of_phandle_args args;
2849dd8bc72b62 Taniya Das            2018-12-14  282  	struct device_node *cpu_np;
55538fbc79e926 Taniya Das            2019-01-31  283  	struct device *cpu_dev;
67fc209b527d02 Shawn Guo             2021-01-19  284  	struct resource *res;
2849dd8bc72b62 Taniya Das            2018-12-14  285  	void __iomem *base;
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15  286  	struct qcom_cpufreq_data *data;
2849dd8bc72b62 Taniya Das            2018-12-14  287  	int ret, index;
2849dd8bc72b62 Taniya Das            2018-12-14  288  
55538fbc79e926 Taniya Das            2019-01-31  289  	cpu_dev = get_cpu_device(policy->cpu);
55538fbc79e926 Taniya Das            2019-01-31  290  	if (!cpu_dev) {
55538fbc79e926 Taniya Das            2019-01-31  291  		pr_err("%s: failed to get cpu%d device\n", __func__,
55538fbc79e926 Taniya Das            2019-01-31  292  		       policy->cpu);
55538fbc79e926 Taniya Das            2019-01-31  293  		return -ENODEV;
55538fbc79e926 Taniya Das            2019-01-31  294  	}
55538fbc79e926 Taniya Das            2019-01-31  295  
2849dd8bc72b62 Taniya Das            2018-12-14  296  	cpu_np = of_cpu_device_node_get(policy->cpu);
2849dd8bc72b62 Taniya Das            2018-12-14  297  	if (!cpu_np)
2849dd8bc72b62 Taniya Das            2018-12-14  298  		return -EINVAL;
2849dd8bc72b62 Taniya Das            2018-12-14  299  
2849dd8bc72b62 Taniya Das            2018-12-14  300  	ret = of_parse_phandle_with_args(cpu_np, "qcom,freq-domain",
2849dd8bc72b62 Taniya Das            2018-12-14  301  					 "#freq-domain-cells", 0, &args);
2849dd8bc72b62 Taniya Das            2018-12-14  302  	of_node_put(cpu_np);
2849dd8bc72b62 Taniya Das            2018-12-14  303  	if (ret)
2849dd8bc72b62 Taniya Das            2018-12-14  304  		return ret;
2849dd8bc72b62 Taniya Das            2018-12-14  305  
2849dd8bc72b62 Taniya Das            2018-12-14  306  	index = args.args[0];
2849dd8bc72b62 Taniya Das            2018-12-14  307  
67fc209b527d02 Shawn Guo             2021-01-19  308  	res = platform_get_resource(pdev, IORESOURCE_MEM, index);
67fc209b527d02 Shawn Guo             2021-01-19  309  	if (!res) {
67fc209b527d02 Shawn Guo             2021-01-19  310  		dev_err(dev, "failed to get mem resource %d\n", index);
67fc209b527d02 Shawn Guo             2021-01-19  311  		return -ENODEV;
67fc209b527d02 Shawn Guo             2021-01-19  312  	}
67fc209b527d02 Shawn Guo             2021-01-19  313  
67fc209b527d02 Shawn Guo             2021-01-19  314  	if (!request_mem_region(res->start, resource_size(res), res->name)) {
67fc209b527d02 Shawn Guo             2021-01-19  315  		dev_err(dev, "failed to request resource %pR\n", res);
67fc209b527d02 Shawn Guo             2021-01-19  316  		return -EBUSY;
67fc209b527d02 Shawn Guo             2021-01-19  317  	}
2849dd8bc72b62 Taniya Das            2018-12-14  318  
67fc209b527d02 Shawn Guo             2021-01-19  319  	base = ioremap(res->start, resource_size(res));
67fc209b527d02 Shawn Guo             2021-01-19  320  	if (IS_ERR(base)) {
67fc209b527d02 Shawn Guo             2021-01-19  321  		dev_err(dev, "failed to map resource %pR\n", res);
67fc209b527d02 Shawn Guo             2021-01-19  322  		ret = PTR_ERR(base);
67fc209b527d02 Shawn Guo             2021-01-19  323  		goto release_region;
67fc209b527d02 Shawn Guo             2021-01-19  324  	}
67fc209b527d02 Shawn Guo             2021-01-19  325  
67fc209b527d02 Shawn Guo             2021-01-19  326  	data = kzalloc(sizeof(*data), GFP_KERNEL);
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15 @327  	if (!data) {
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15  328  		ret = -ENOMEM;
67fc209b527d02 Shawn Guo             2021-01-19  329  		goto unmap_base;
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15  330  	}
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15  331  
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15  332  	data->soc_data = of_device_get_match_data(&pdev->dev);
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15  333  	data->base = base;
67fc209b527d02 Shawn Guo             2021-01-19  334  	data->res = res;
2849dd8bc72b62 Taniya Das            2018-12-14  335  
2849dd8bc72b62 Taniya Das            2018-12-14  336  	/* HW should be in enabled state to proceed */
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15  337  	if (!(readl_relaxed(base + data->soc_data->reg_enable) & 0x1)) {
2849dd8bc72b62 Taniya Das            2018-12-14  338  		dev_err(dev, "Domain-%d cpufreq hardware not enabled\n", index);
2849dd8bc72b62 Taniya Das            2018-12-14  339  		ret = -ENODEV;
2849dd8bc72b62 Taniya Das            2018-12-14  340  		goto error;
2849dd8bc72b62 Taniya Das            2018-12-14  341  	}
2849dd8bc72b62 Taniya Das            2018-12-14  342  
2849dd8bc72b62 Taniya Das            2018-12-14  343  	qcom_get_related_cpus(index, policy->cpus);
2849dd8bc72b62 Taniya Das            2018-12-14  344  	if (!cpumask_weight(policy->cpus)) {
2849dd8bc72b62 Taniya Das            2018-12-14  345  		dev_err(dev, "Domain-%d failed to get related CPUs\n", index);
2849dd8bc72b62 Taniya Das            2018-12-14  346  		ret = -ENOENT;
2849dd8bc72b62 Taniya Das            2018-12-14  347  		goto error;
2849dd8bc72b62 Taniya Das            2018-12-14  348  	}
2849dd8bc72b62 Taniya Das            2018-12-14  349  
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15  350  	policy->driver_data = data;
2849dd8bc72b62 Taniya Das            2018-12-14  351  
dcd1fd724c19fe Manivannan Sadhasivam 2020-09-15  352  	ret = qcom_cpufreq_hw_read_lut(cpu_dev, policy);
2849dd8bc72b62 Taniya Das            2018-12-14  353  	if (ret) {
2849dd8bc72b62 Taniya Das            2018-12-14  354  		dev_err(dev, "Domain-%d failed to read LUT\n", index);
2849dd8bc72b62 Taniya Das            2018-12-14  355  		goto error;
2849dd8bc72b62 Taniya Das            2018-12-14  356  	}
2849dd8bc72b62 Taniya Das            2018-12-14  357  
55538fbc79e926 Taniya Das            2019-01-31  358  	ret = dev_pm_opp_get_opp_count(cpu_dev);
55538fbc79e926 Taniya Das            2019-01-31  359  	if (ret <= 0) {
55538fbc79e926 Taniya Das            2019-01-31  360  		dev_err(cpu_dev, "Failed to add OPPs\n");
55538fbc79e926 Taniya Das            2019-01-31  361  		ret = -ENODEV;
55538fbc79e926 Taniya Das            2019-01-31  362  		goto error;
55538fbc79e926 Taniya Das            2019-01-31  363  	}
55538fbc79e926 Taniya Das            2019-01-31  364  
0e0ffa855d1590 Lukasz Luba           2020-05-27  365  	dev_pm_opp_of_register_em(cpu_dev, policy->cpus);
dab535052f67db Matthias Kaehlcke     2019-02-05  366  
266991721c15f9 Shawn Guo             2021-01-13  367  	if (policy_has_boost_freq(policy)) {
266991721c15f9 Shawn Guo             2021-01-13  368  		ret = cpufreq_enable_boost_support();
266991721c15f9 Shawn Guo             2021-01-13  369  		if (ret)
266991721c15f9 Shawn Guo             2021-01-13  370  			dev_warn(cpu_dev, "failed to enable boost: %d\n", ret);
266991721c15f9 Shawn Guo             2021-01-13  371  	}
266991721c15f9 Shawn Guo             2021-01-13  372  
2849dd8bc72b62 Taniya Das            2018-12-14  373  	return 0;
2849dd8bc72b62 Taniya Das            2018-12-14  374  error:
67fc209b527d02 Shawn Guo             2021-01-19  375  	kfree(data);
67fc209b527d02 Shawn Guo             2021-01-19  376  unmap_base:
67fc209b527d02 Shawn Guo             2021-01-19 @377  	iounmap(data->base);

Use after free.  iounmap(base);

67fc209b527d02 Shawn Guo             2021-01-19  378  release_region:
67fc209b527d02 Shawn Guo             2021-01-19  379  	release_mem_region(res->start, resource_size(res));
2849dd8bc72b62 Taniya Das            2018-12-14  380  	return ret;
2849dd8bc72b62 Taniya Das            2018-12-14  381  }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Download attachment ".config.gz" of type "application/gzip" (33206 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ