lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <afe15264-c05c-417c-9492-29b271e05747@kili.mountain>
Date:   Wed, 17 May 2023 09:43:53 +0300
From:   Dan Carpenter <dan.carpenter@...aro.org>
To:     Nishanth Menon <nm@...com>
Cc:     Markus Elfring <Markus.Elfring@....de>,
        kernel-janitors@...r.kernel.org,
        linux-arm-kernel@...ts.infradead.org,
        Santosh Shilimkar <ssantosh@...nel.org>,
        Tero Kristo <kristo@...nel.org>, cocci@...ia.fr,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [cocci] [PATCH] firmware: ti_sci: Fix exception handling in
 ti_sci_probe()

On Tue, May 16, 2023 at 10:20:43AM -0500, Nishanth Menon wrote:
> On 22:10-20230405, Markus Elfring wrote:
> > Date: Wed, 5 Apr 2023 22:00:18 +0200
> 
> B4 does'nt pick this patch up cleanly. And for some reason, I get
> mangled patch from public-inbox as well :( a clean git-send-email might
> help.
> 

It's an awkward thing.  B4 doesn't work because Markus was banned from
LKML because he doesn't listen to feedback.

> > 
> > The label “out” was used to jump to another pointer check despite of
> 
> Please use " for quotes.
> 
> > the detail in the implementation of the function “ti_sci_probe”
> > that it was determined already that the corresponding variable
> > contained an error pointer because of a failed call of
> > the function “mbox_request_channel_byname”.
> 
> > 
> > * Thus use more appropriate labels instead.
> > 
> > * Delete two redundant checks.
> > 
> 
> How about this:
> 
> Optimize out the redundant pointer check in exit path of "out" using
> appropriate labels to jump in the error path
> > 
> Drop the extra EoL
> 
> > This issue was detected by using the Coccinelle software.
> 
> Curious: what rule of coccicheck caught this?
> 
> > 
> > Fixes: aa276781a64a5f15ecc21e920960c5b1f84e5fee ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol")
> 
> 12 char sha please. Please read Documentation/process/submitting-patches.rst
> 

For example, Markus has been told to use 12 char shas several times
before.

> > Signed-off-by: Markus Elfring <elfring@...rs.sourceforge.net>
> > ---
> >  drivers/firmware/ti_sci.c | 19 ++++++++++---------
> >  1 file changed, 10 insertions(+), 9 deletions(-)
> > 
> > diff --git a/drivers/firmware/ti_sci.c b/drivers/firmware/ti_sci.c
> > index 039d92a595ec..77012d2f4160 100644
> > --- a/drivers/firmware/ti_sci.c
> turns out as =2D-- instead of -- (might check the git format-patch
> output closer).
> 
> > +++ b/drivers/firmware/ti_sci.c
> > @@ -3433,18 +3433,18 @@ static int ti_sci_probe(struct platform_device *pdev)
> >  	info->chan_rx = mbox_request_channel_byname(cl, "rx");
> >  	if (IS_ERR(info->chan_rx)) {
> >  		ret = PTR_ERR(info->chan_rx);
> > -		goto out;
> > +		goto remove_debugfs;
> >  	}
> > 
> >  	info->chan_tx = mbox_request_channel_byname(cl, "tx");
> >  	if (IS_ERR(info->chan_tx)) {
> >  		ret = PTR_ERR(info->chan_tx);
> > -		goto out;
> > +		goto free_mbox_channel_rx;
> >  	}
> >  	ret = ti_sci_cmd_get_revision(info);
> >  	if (ret) {
> >  		dev_err(dev, "Unable to communicate with TISCI(%d)\n", ret);
> > -		goto out;
> > +		goto free_mbox_channel_tx;
> >  	}
> > 
> >  	ti_sci_setup_ops(info);
> > @@ -3456,7 +3456,7 @@ static int ti_sci_probe(struct platform_device *pdev)
> >  		ret = register_restart_handler(&info->nb);
> >  		if (ret) {
> >  			dev_err(dev, "reboot registration fail(%d)\n", ret);
> > -			goto out;
> > +			goto free_mbox_channel_tx;
> >  		}
> >  	}
> > 
> > @@ -3470,11 +3470,12 @@ static int ti_sci_probe(struct platform_device *pdev)
> >  	mutex_unlock(&ti_sci_list_mutex);
> > 
> >  	return of_platform_populate(dev->of_node, NULL, NULL, dev);

There is a bug here because the resources are not freed if
of_platform_populate() fails.  The "info" struct is devm_ allocated but
it's still on the &ti_sci_list list, so that will lead to a use after
free.

regards,
dan carpenter

> > -out:
> > -	if (!IS_ERR(info->chan_tx))
> > -		mbox_free_channel(info->chan_tx);
> > -	if (!IS_ERR(info->chan_rx))
> > -		mbox_free_channel(info->chan_rx);
> > +
> > +free_mbox_channel_tx:
> > +	mbox_free_channel(info->chan_tx);
> > +free_mbox_channel_rx:
> > +	mbox_free_channel(info->chan_rx);
> > +remove_debugfs:
> >  	debugfs_remove(info->d);
> >  	return ret;
> >  }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ