Message-ID: <20210826125020.GA7722@kadam>
Date: Thu, 26 Aug 2021 15:50:21 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: kbuild@...ts.01.org, Dan Williams <dan.j.williams@...el.com>
Cc: lkp@...el.com, kbuild-all@...ts.01.org,
Alison Schofield <alison.schofield@...el.com>,
Vishal Verma <vishal.l.verma@...el.com>,
Ira Weiny <ira.weiny@...el.com>,
Ben Widawsky <ben.widawsky@...el.com>,
linux-kernel@...r.kernel.org
Subject: Re: [cxl-cxl:pending 39/40] drivers/cxl/core/bus.c:501
devm_cxl_add_decoder() warn: variable dereferenced before check 'cxld' (see
line 497)

On Wed, Aug 25, 2021 at 10:12:32AM +0300, Dan Carpenter wrote:
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 494 int devm_cxl_add_decoder(struct device *host, struct cxl_decoder *cxld,
> 574d46ed53b527 drivers/cxl/core/bus.c Dan Williams 2021-08-24 495 int *target_map)
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 496 {
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 @497 struct cxl_port *port = to_cxl_port(cxld->dev.parent);
> ^^^^^^^^^^^^^^^^
> Dereference
>
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 498 struct device *dev;
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 499 int rc = 0, i;
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 500
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 @501 if (!cxld)
> ^^^^^
> Checked too late.
>
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 502 return -EINVAL;
> 574d46ed53b527 drivers/cxl/core/bus.c Dan Williams 2021-08-24 503
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 504 if (IS_ERR(cxld))
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 505 return PTR_ERR(cxld);
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 506
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 507 if (cxld->interleave_ways < 1) {
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 508 rc = -EINVAL;
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 509 goto err;
>
> "dev" not initialized at this point.
>
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 510 }
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 511
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 512 device_lock(&port->dev);
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 513 if (list_empty(&port->dports))
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 514 rc = -EINVAL;
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 515
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 516 for (i = 0; rc == 0 && target_map && i < cxld->nr_targets; i++) {
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 517 struct cxl_dport *dport = find_dport(port, target_map[i]);
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 518
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 519 if (!dport) {
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 520 rc = -ENXIO;
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 521 break;
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 522 }
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 523 dev_dbg(host, "%s: target: %d\n", dev_name(dport->dport), i);
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 524 cxld->target[i] = dport;
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 525 }
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 526 device_unlock(&port->dev);
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 527 if (rc)
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 528 goto err;
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 529
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 530 dev = &cxld->dev;
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 531 rc = dev_set_name(dev, "decoder%d.%d", port->id, cxld->id);
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 532 if (rc)
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 533 goto err;
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 534
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 535 rc = device_add(dev);
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 536 if (rc)
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 537 goto err;
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 538
> b7ca54b6255144 drivers/cxl/core/bus.c Dan Williams 2021-08-24 539 return devm_add_action_or_reset(host, unregister_cxl_dev, dev);
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 540 err:
> 40ba17afdfabb0 drivers/cxl/core.c Dan Williams 2021-06-09 @541 put_device(dev);
>
> Should be:
>
> put_device(&cxld->dev);
>
> But it feels like a layering violation to drop a reference that was
> acquired by the caller.

This code hit linux-next yesterday so I reviewed it in context.  The
put_device() should just be removed.  It leads to a use after free.

regards,
dan carpenter
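
The reference-ownership problem discussed in this message, as an added example that is not part of the original post or the kernel source. It is a userspace model: `struct obj`, `obj_put()`, `add_buggy()`, `add_fixed()` and the caller are constructed names, and it assumes the caller drops its own reference when registration fails.

```c
#include <stddef.h>
#include <errno.h>

/* Constructed userspace model; not the kernel's struct device or cxl code. */
struct obj {
	int refs;	/* reference count */
	int ways;	/* stands in for cxld->interleave_ways */
};

static void obj_put(struct obj *o)
{
	o->refs--;	/* at zero, real code would free the object */
}

/* Pattern from the report: the error path drops a reference the caller owns. */
static int add_buggy(struct obj *o)
{
	if (!o)
		return -EINVAL;
	if (o->ways < 1) {
		obj_put(o);	/* callee releases the caller's reference */
		return -EINVAL;
	}
	return 0;
}

/* Ownership stays with the caller: check before any use, no put on error. */
static int add_fixed(struct obj *o)
{
	if (!o || o->ways < 1)
		return -EINVAL;
	return 0;
}

/* Assumed caller: holds one reference and releases it if add() fails.
 * Returns the final count: 0 is balanced, negative means one put too many. */
static int caller_refs_after_failure(int (*add)(struct obj *))
{
	struct obj o = { .refs = 1, .ways = 0 };	/* invalid on purpose */

	if (add(&o) < 0)
		obj_put(&o);
	return o.refs;
}

int main(void)
{
	/* buggy path ends at -1, fixed path ends at 0 */
	return !(caller_refs_after_failure(add_buggy) == -1 &&
		 caller_refs_after_failure(add_fixed) == 0);
}
```

In the model the object lives on the stack, so the extra put only shows up as a negative count; with a heap object freed at zero, the caller's put would touch freed memory.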