| Message ID | 20220712135357.918997-2-yangyingliang@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [-next,1/2] spi: microchip-core: fix UAF in mchp_corespi_remove() | expand |
On 12/07/2022 14:53, Yang Yingliang wrote: > [Some people who received this message don't often get email from yangyingliang@huawei.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] > > EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe > > Switch to use devm_spi_alloc_master() to simpify error path. Hey Yang, Thanks for trying to fix my mistakes! Forgive my innocence here, but why is it okay to remove the spi_master_put() in remove() but not the one in the error path of the probe function? If the devm_add_action_or_reset() in devm_spi_register_controller() fails won't the same thing apply to the probe error path? IOW, I think this patch needs a fixes tag too b/c it also fixes a refcount underflow. Please correct me if I am misunderstanding. One other comment below. > > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > --- > drivers/spi/spi-microchip-core.c | 20 +++++++------------- > 1 file changed, 7 insertions(+), 13 deletions(-) > > diff --git a/drivers/spi/spi-microchip-core.c b/drivers/spi/spi-microchip-core.c > index c26767343176..1a24e47f8305 100644 > --- a/drivers/spi/spi-microchip-core.c > +++ b/drivers/spi/spi-microchip-core.c > @@ -513,7 +513,7 @@ static int mchp_corespi_probe(struct platform_device *pdev) > u32 num_cs; > int ret = 0; > > - master = spi_alloc_master(&pdev->dev, sizeof(*spi)); > + master = devm_spi_alloc_master(&pdev->dev, sizeof(*spi)); > if (!master) > return dev_err_probe(&pdev->dev, -ENOMEM, > "unable to allocate master for SPI controller\n"); > @@ -535,36 +535,32 @@ static int mchp_corespi_probe(struct platform_device *pdev) > spi = spi_master_get_devdata(master); > > spi->regs = devm_platform_get_and_ioremap_resource(pdev, 0, &res); > - if (IS_ERR(spi->regs)) { > - ret = PTR_ERR(spi->regs); > - goto error_release_master; > - } > + if (IS_ERR(spi->regs)) > + return PTR_ERR(spi->regs); > > spi->irq = platform_get_irq(pdev, 0); > if (spi->irq <= 0) { > dev_err(&pdev->dev, "invalid IRQ %d for SPI controller\n", spi->irq); > - ret = -ENXIO; > - goto error_release_master; > + return -ENXIO; Also these can now become dev_err_probe for further simplification? Thanks, Conor. > } > > ret = devm_request_irq(&pdev->dev, spi->irq, mchp_corespi_interrupt, > IRQF_SHARED, dev_name(&pdev->dev), master); > if (ret) { > dev_err(&pdev->dev, "could not request irq: %d\n", ret); > - goto error_release_master; > + return ret; > } > > spi->clk = devm_clk_get(&pdev->dev, NULL); > if (IS_ERR(spi->clk)) { > - ret = PTR_ERR(spi->clk); > dev_err(&pdev->dev, "could not get clk: %d\n", ret); > - goto error_release_master; > + return PTR_ERR(spi->clk); > } > > ret = clk_prepare_enable(spi->clk); > if (ret) { > dev_err(&pdev->dev, "failed to enable clock\n"); > - goto error_release_master; > + return ret; > } > > mchp_corespi_init(master, spi); > @@ -583,8 +579,6 @@ static int mchp_corespi_probe(struct platform_device *pdev) > error_release_hardware: > mchp_corespi_disable(spi); > clk_disable_unprepare(spi->clk); > -error_release_master: > - spi_master_put(master); > > return ret; > } > -- > 2.25.1 >
On 12/07/2022 15:03, Conor.Dooley@microchip.com wrote: > On 12/07/2022 14:53, Yang Yingliang wrote: >> [Some people who received this message don't often get email from yangyingliang@huawei.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] >> >> EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe >> >> Switch to use devm_spi_alloc_master() to simpify error path. > > Hey Yang, > Thanks for trying to fix my mistakes! > > Forgive my innocence here, but why is it okay to remove the > spi_master_put() in remove() but not the one in the error path of > the probe function? > > If the devm_add_action_or_reset() in devm_spi_register_controller() > fails won't the same thing apply to the probe error path? > > IOW, I think this patch needs a fixes tag too b/c it also fixes a > refcount underflow. Please correct me if I am misunderstanding. Ahh, I just saw your revert of 59ebbe40fb51 ("spi: simplify devm_spi register_controller"). With that, this makes a lot more sense. > > One other comment below. This comment still applies for this patch. dev_err_probe would be nice. Thanks, Conor. > >> >> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> >> --- >> drivers/spi/spi-microchip-core.c | 20 +++++++------------- >> 1 file changed, 7 insertions(+), 13 deletions(-) >> >> diff --git a/drivers/spi/spi-microchip-core.c b/drivers/spi/spi-microchip-core.c >> index c26767343176..1a24e47f8305 100644 >> --- a/drivers/spi/spi-microchip-core.c >> +++ b/drivers/spi/spi-microchip-core.c >> @@ -513,7 +513,7 @@ static int mchp_corespi_probe(struct platform_device *pdev) >> u32 num_cs; >> int ret = 0; >> >> - master = spi_alloc_master(&pdev->dev, sizeof(*spi)); >> + master = devm_spi_alloc_master(&pdev->dev, sizeof(*spi)); >> if (!master) >> return dev_err_probe(&pdev->dev, -ENOMEM, >> "unable to allocate master for SPI controller\n"); >> @@ -535,36 +535,32 @@ static int mchp_corespi_probe(struct platform_device *pdev) >> spi = spi_master_get_devdata(master); >> >> spi->regs = devm_platform_get_and_ioremap_resource(pdev, 0, &res); >> - if (IS_ERR(spi->regs)) { >> - ret = PTR_ERR(spi->regs); >> - goto error_release_master; >> - } >> + if (IS_ERR(spi->regs)) >> + return PTR_ERR(spi->regs); >> >> spi->irq = platform_get_irq(pdev, 0); >> if (spi->irq <= 0) { >> dev_err(&pdev->dev, "invalid IRQ %d for SPI controller\n", spi->irq); >> - ret = -ENXIO; >> - goto error_release_master; >> + return -ENXIO; > > Also these can now become dev_err_probe for further simplification? > Thanks, > Conor. > >> } >> >> ret = devm_request_irq(&pdev->dev, spi->irq, mchp_corespi_interrupt, >> IRQF_SHARED, dev_name(&pdev->dev), master); >> if (ret) { >> dev_err(&pdev->dev, "could not request irq: %d\n", ret); >> - goto error_release_master; >> + return ret; >> } >> >> spi->clk = devm_clk_get(&pdev->dev, NULL); >> if (IS_ERR(spi->clk)) { >> - ret = PTR_ERR(spi->clk); >> dev_err(&pdev->dev, "could not get clk: %d\n", ret); >> - goto error_release_master; >> + return PTR_ERR(spi->clk); >> } >> >> ret = clk_prepare_enable(spi->clk); >> if (ret) { >> dev_err(&pdev->dev, "failed to enable clock\n"); >> - goto error_release_master; >> + return ret; >> } >> >> mchp_corespi_init(master, spi); >> @@ -583,8 +579,6 @@ static int mchp_corespi_probe(struct platform_device *pdev) >> error_release_hardware: >> mchp_corespi_disable(spi); >> clk_disable_unprepare(spi->clk); >> -error_release_master: >> - spi_master_put(master); >> >> return ret; >> } >> -- >> 2.25.1 >> > > _______________________________________________ > linux-riscv mailing list > linux-riscv@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-riscv
On 2022/7/13 4:50, Conor.Dooley@microchip.com wrote: > On 12/07/2022 15:03, Conor.Dooley@microchip.com wrote: >> On 12/07/2022 14:53, Yang Yingliang wrote: >>> [Some people who received this message don't often get email from yangyingliang@huawei.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] >>> >>> EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe >>> >>> Switch to use devm_spi_alloc_master() to simpify error path. >> Hey Yang, >> Thanks for trying to fix my mistakes! >> >> Forgive my innocence here, but why is it okay to remove the >> spi_master_put() in remove() but not the one in the error path of >> the probe function? >> >> If the devm_add_action_or_reset() in devm_spi_register_controller() >> fails won't the same thing apply to the probe error path? >> >> IOW, I think this patch needs a fixes tag too b/c it also fixes a >> refcount underflow. Please correct me if I am misunderstanding. > Ahh, I just saw your revert of 59ebbe40fb51 ("spi: simplify > devm_spi register_controller"). With that, this makes a lot more > sense. > >> One other comment below. > This comment still applies for this patch. dev_err_probe would be > nice. OK. Thanks, Yang > > Thanks, > Conor.
diff --git a/drivers/spi/spi-microchip-core.c b/drivers/spi/spi-microchip-core.c index c26767343176..1a24e47f8305 100644 --- a/drivers/spi/spi-microchip-core.c +++ b/drivers/spi/spi-microchip-core.c @@ -513,7 +513,7 @@ static int mchp_corespi_probe(struct platform_device *pdev) u32 num_cs; int ret = 0; - master = spi_alloc_master(&pdev->dev, sizeof(*spi)); + master = devm_spi_alloc_master(&pdev->dev, sizeof(*spi)); if (!master) return dev_err_probe(&pdev->dev, -ENOMEM, "unable to allocate master for SPI controller\n"); @@ -535,36 +535,32 @@ static int mchp_corespi_probe(struct platform_device *pdev) spi = spi_master_get_devdata(master); spi->regs = devm_platform_get_and_ioremap_resource(pdev, 0, &res); - if (IS_ERR(spi->regs)) { - ret = PTR_ERR(spi->regs); - goto error_release_master; - } + if (IS_ERR(spi->regs)) + return PTR_ERR(spi->regs); spi->irq = platform_get_irq(pdev, 0); if (spi->irq <= 0) { dev_err(&pdev->dev, "invalid IRQ %d for SPI controller\n", spi->irq); - ret = -ENXIO; - goto error_release_master; + return -ENXIO; } ret = devm_request_irq(&pdev->dev, spi->irq, mchp_corespi_interrupt, IRQF_SHARED, dev_name(&pdev->dev), master); if (ret) { dev_err(&pdev->dev, "could not request irq: %d\n", ret); - goto error_release_master; + return ret; } spi->clk = devm_clk_get(&pdev->dev, NULL); if (IS_ERR(spi->clk)) { - ret = PTR_ERR(spi->clk); dev_err(&pdev->dev, "could not get clk: %d\n", ret); - goto error_release_master; + return PTR_ERR(spi->clk); } ret = clk_prepare_enable(spi->clk); if (ret) { dev_err(&pdev->dev, "failed to enable clock\n"); - goto error_release_master; + return ret; } mchp_corespi_init(master, spi); @@ -583,8 +579,6 @@ static int mchp_corespi_probe(struct platform_device *pdev) error_release_hardware: mchp_corespi_disable(spi); clk_disable_unprepare(spi->clk); -error_release_master: - spi_master_put(master); return ret; }
Switch to use devm_spi_alloc_master() to simpify error path. Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- drivers/spi/spi-microchip-core.c | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-)