[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <42b77efb.28ab5.18acb86f1c3.Coremail.dinghao.liu@zju.edu.cn>
Date: Mon, 25 Sep 2023 16:48:53 +0800 (GMT+08:00)
From: dinghao.liu@....edu.cn
To: "Miquel Raynal" <miquel.raynal@...tlin.com>
Cc: "Alexander Aring" <alex.aring@...il.com>,
"Stefan Schmidt" <stefan@...enfreihafen.org>,
"David S. Miller" <davem@...emloft.net>,
"Eric Dumazet" <edumazet@...gle.com>,
"Jakub Kicinski" <kuba@...nel.org>,
"Paolo Abeni" <pabeni@...hat.com>,
"Marcel Holtmann" <marcel@...tmann.org>,
"Harry Morris" <harrymorris12@...il.com>, linux-wpan@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ieee802154: ca8210: Fix a potential UAF in ca8210_probe
Hi Miquèl,
> > index aebb19f1b3a4..1d545879c000 100644
> > --- a/drivers/net/ieee802154/ca8210.c
> > +++ b/drivers/net/ieee802154/ca8210.c
> > @@ -2760,6 +2760,7 @@ static int ca8210_register_ext_clock(struct spi_device *spi)
> > ret = of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);
> > if (ret) {
> > clk_unregister(priv->clk);
> > + priv->clk = NULL;
>
> This function is a bit convoluted. You could just return the result of
> of_clk_add_provider() (keep the printk's if you want, they don't seem
> very useful) and let ca8210_unregister_ext_clock() do the cleanup.
Thanks for your advice! I will resend a new patch as suggested.
>
> > dev_crit(
> > &spi->dev,
> > "Failed to register external clock as clock provider\n"
> > @@ -2780,7 +2781,7 @@ static void ca8210_unregister_ext_clock(struct spi_device *spi)
> > {
> > struct ca8210_priv *priv = spi_get_drvdata(spi);
> >
> > - if (!priv->clk)
> > + if (IS_ERR_OR_NULL(priv->clk))
>
> Does not look useful as you are enforcing priv->clock to be valid or
> NULL, it cannot be an error code.
I find that ca8210_register_ext_clock() uses IS_ERR to check priv->clk
after calling clk_register_fixed_rate(). So I think priv->clk could be
a non-null pointer even on failure. And a null pointer check may miss
this case in ca8210_unregister_ext_clock().
Regards,
Dinghao
Powered by blists - more mailing lists