| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 18 Nov 2023 12:05:07 +0200
From: Roger Quadros <rogerq@...nel.org>
To: Uwe Kleine-König <u.kleine-koenig@...gutronix.de>
Cc: Siddharth Vadapalli <s-vadapalli@...com>,
Ravi Gunasekaran <r-gunasekaran@...com>, Simon Horman <horms@...nel.org>,
Yunsheng Lin <linyunsheng@...wei.com>, Stanislav Fomichev <sdf@...gle.com>,
Marek Majtyka <alardam@...il.com>, Rob Herring <robh@...nel.org>,
Mugunthan V N <mugunthanvnm@...com>, linux-omap@...r.kernel.org,
netdev@...r.kernel.org, kernel@...gutronix.de
Subject: Re: [PATCH 2/7] net: ethernet: ti: cpsw: Don't error out in .remove()
On 18/11/2023 12:00, Roger Quadros wrote:
>
>
> On 17/11/2023 11:16, Uwe Kleine-König wrote:
>> Returning early from .remove() with an error code still results in the
>> driver unbinding the device. So the driver core ignores the returned error
>> code and the resources that were not freed are never catched up. In
>> combination with devm this also often results in use-after-free bugs.
>>
>> If runtime resume fails, it's still important to free all resources, so
>> don't return with an error code, but emit an error message and continue
>> freeing acquired stuff.
>>
>> This prepares changing cpsw_remove() to return void.
>>
>> Fixes: 8a0b6dc958fd ("drivers: net: cpsw: fix wrong regs access in cpsw_remove")
>> Signed-off-by: Uwe Kleine-König <u.kleine-koenig@...gutronix.de>
>> ---
>> drivers/net/ethernet/ti/cpsw.c | 16 ++++++++++++----
>> 1 file changed, 12 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
>> index ca4d4548f85e..db5a2ba8a6d4 100644
>> --- a/drivers/net/ethernet/ti/cpsw.c
>> +++ b/drivers/net/ethernet/ti/cpsw.c
>> @@ -1727,16 +1727,24 @@ static int cpsw_remove(struct platform_device *pdev)
>> struct cpsw_common *cpsw = platform_get_drvdata(pdev);
>> int i, ret;
>>
>> - ret = pm_runtime_resume_and_get(&pdev->dev);
>> + ret = pm_runtime_get_sync(&pdev->dev);
>> if (ret < 0)
>> - return ret;
>> + /* There is no need to do something about that. The important
>> + * thing is to not exit early, but do all cleanup that doesn't
>> + * require register access.
>> + */
>> + dev_err(&pdev->dev, "runtime resume failed (%pe)\n",
>> + ERR_PTR(ret));
>>
>> for (i = 0; i < cpsw->data.slaves; i++)
>> if (cpsw->slaves[i].ndev)
>> unregister_netdev(cpsw->slaves[i].ndev);
>>
>> - cpts_release(cpsw->cpts);
>> - cpdma_ctlr_destroy(cpsw->dma);
>> + if (ret >= 0) {
>> + cpts_release(cpsw->cpts);
>
> cpts_release() only does clk_unprepare().
> Why not do that in the error path as well?
>
>> + cpdma_ctlr_destroy(cpsw->dma);
>
> cpdma_ctrl_destroy() not only stops the DMA controller
> but also frees up the channel and calls dma_free_coherent?
>
> We still want to free up the channel and dma_free_coherent in the
> error path?
cpdma_chan_destroy() does a cpdma_chan_stop() which does register
accesses so I suppose it cannot be called in the error path.
which leaves only the cpdma_desc_pool_destroy() call.
>
>> + }
>> +
>> cpsw_remove_dt(pdev);
>> pm_runtime_put_sync(&pdev->dev);
>> pm_runtime_disable(&pdev->dev);
>
--
cheers,
-roger
Powered by blists - more mailing lists