diff mbox series

remoteproc: imx_rproc: Adjust phandle parsing issue while remapping optional addresses in imx_rproc_addr_init()

Message ID 20240606075204.12354-1-amishin@t-argos.ru (mailing list archive)
State New
Headers show
Series remoteproc: imx_rproc: Adjust phandle parsing issue while remapping optional addresses in imx_rproc_addr_init() | expand

Commit Message

Aleksandr Mishin June 6, 2024, 7:52 a.m. UTC
In imx_rproc_addr_init() "nph = of_count_phandle_with_args()" just counts
number of phandles. But phandles may be empty. So of_parse_phandle() in
the parsing loop (0 < a < nph) may return NULL which is later dereferenced.
Adjust this issue by adding NULL-return check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: a0ff4aa6f010 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc driver")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
---
 drivers/remoteproc/imx_rproc.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Peng Fan June 6, 2024, 8:42 a.m. UTC | #1
Hi Aleksandr,

> Subject: [PATCH] remoteproc: imx_rproc: Adjust phandle parsing issue while
> remapping optional addresses in imx_rproc_addr_init()
> 
> In imx_rproc_addr_init() "nph = of_count_phandle_with_args()" just counts
> number of phandles. But phandles may be empty. So of_parse_phandle() in
> the parsing loop (0 < a < nph) may return NULL which is later dereferenced.
> Adjust this issue by adding NULL-return check.

It is good to add a check here. But I am not sure whether this will really
happen.

> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: a0ff4aa6f010 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc
> driver")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>

Anyway LGTM:
Reviewed-by: Peng Fan <peng.fan@nxp.com>

Thanks,
Peng.
Mathieu Poirier June 10, 2024, 4:47 p.m. UTC | #2
On Thu, Jun 06, 2024 at 10:52:04AM +0300, Aleksandr Mishin wrote:
> In imx_rproc_addr_init() "nph = of_count_phandle_with_args()" just counts
> number of phandles. But phandles may be empty. So of_parse_phandle() in
> the parsing loop (0 < a < nph) may return NULL which is later dereferenced.
> Adjust this issue by adding NULL-return check.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: a0ff4aa6f010 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc driver")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> ---
>  drivers/remoteproc/imx_rproc.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
> index 5a3fb902acc9..39eacd90af14 100644
> --- a/drivers/remoteproc/imx_rproc.c
> +++ b/drivers/remoteproc/imx_rproc.c
> @@ -726,6 +726,8 @@ static int imx_rproc_addr_init(struct imx_rproc *priv,
>  		struct resource res;
>  
>  		node = of_parse_phandle(np, "memory-region", a);
> +		if (!node)

You're missing an "of_node_put()" before continuing.

> +			continue;
>  		/* Not map vdevbuffer, vdevring region */
>  		if (!strncmp(node->name, "vdev", strlen("vdev"))) {
>  			of_node_put(node);
> -- 
> 2.30.2
> 
>
Fedor Pchelkin June 10, 2024, 5:36 p.m. UTC | #3
On Mon, 10. Jun 10:47, Mathieu Poirier wrote:
> On Thu, Jun 06, 2024 at 10:52:04AM +0300, Aleksandr Mishin wrote:
> > In imx_rproc_addr_init() "nph = of_count_phandle_with_args()" just counts
> > number of phandles. But phandles may be empty. So of_parse_phandle() in
> > the parsing loop (0 < a < nph) may return NULL which is later dereferenced.
> > Adjust this issue by adding NULL-return check.
> > 
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > 
> > Fixes: a0ff4aa6f010 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc driver")
> > Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> > ---
> >  drivers/remoteproc/imx_rproc.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
> > index 5a3fb902acc9..39eacd90af14 100644
> > --- a/drivers/remoteproc/imx_rproc.c
> > +++ b/drivers/remoteproc/imx_rproc.c
> > @@ -726,6 +726,8 @@ static int imx_rproc_addr_init(struct imx_rproc *priv,
> >  		struct resource res;
> >  
> >  		node = of_parse_phandle(np, "memory-region", a);
> > +		if (!node)
> 
> You're missing an "of_node_put()" before continuing.
> 

The node is NULL in this case so of_node_put() is not needed..?

Btw, there is a "rsc-table" node->name check in the the end of the loop
body. It was added recently with commit 5e4c1243071d ("remoteproc:
imx_rproc: support remote cores booted before Linux Kernel"). Seems to me
it forgot that of_node_put() is called way before that.

Also commit 61afafe8b938 ("remoteproc: imx_rproc: Fix refcount leak in
imx_rproc_addr_init") was dealing with the last of_node_put() call here
but it's still not in the right place I'd say.

> > +			continue;
> >  		/* Not map vdevbuffer, vdevring region */
> >  		if (!strncmp(node->name, "vdev", strlen("vdev"))) {
> >  			of_node_put(node);
> > -- 
> > 2.30.2
> > 
> >
Mathieu Poirier June 11, 2024, 4:45 p.m. UTC | #4
On Mon, Jun 10, 2024 at 08:36:19PM +0300, Fedor Pchelkin wrote:
> On Mon, 10. Jun 10:47, Mathieu Poirier wrote:
> > On Thu, Jun 06, 2024 at 10:52:04AM +0300, Aleksandr Mishin wrote:
> > > In imx_rproc_addr_init() "nph = of_count_phandle_with_args()" just counts
> > > number of phandles. But phandles may be empty. So of_parse_phandle() in
> > > the parsing loop (0 < a < nph) may return NULL which is later dereferenced.
> > > Adjust this issue by adding NULL-return check.
> > > 
> > > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > > 
> > > Fixes: a0ff4aa6f010 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc driver")
> > > Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> > > ---
> > >  drivers/remoteproc/imx_rproc.c | 2 ++
> > >  1 file changed, 2 insertions(+)
> > > 
> > > diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
> > > index 5a3fb902acc9..39eacd90af14 100644
> > > --- a/drivers/remoteproc/imx_rproc.c
> > > +++ b/drivers/remoteproc/imx_rproc.c
> > > @@ -726,6 +726,8 @@ static int imx_rproc_addr_init(struct imx_rproc *priv,
> > >  		struct resource res;
> > >  
> > >  		node = of_parse_phandle(np, "memory-region", a);
> > > +		if (!node)
> > 
> > You're missing an "of_node_put()" before continuing.
> > 
> 
> The node is NULL in this case so of_node_put() is not needed..?

Oh yeah, doing a of_node_put() with a NULL value is are really good idea...

I will pickup this patch.

> 
> Btw, there is a "rsc-table" node->name check in the the end of the loop
> body. It was added recently with commit 5e4c1243071d ("remoteproc:
> imx_rproc: support remote cores booted before Linux Kernel"). Seems to me
> it forgot that of_node_put() is called way before that.
> 

I agree.

> Also commit 61afafe8b938 ("remoteproc: imx_rproc: Fix refcount leak in
> imx_rproc_addr_init") was dealing with the last of_node_put() call here
> but it's still not in the right place I'd say.
>

You mean becaue of node->name being used after the last of_node_put() or is
there something else?

Aleksandr - Can you send another patch for the above?

Thanks,
Mathieu

> > > +			continue;
> > >  		/* Not map vdevbuffer, vdevring region */
> > >  		if (!strncmp(node->name, "vdev", strlen("vdev"))) {
> > >  			of_node_put(node);
> > > -- 
> > > 2.30.2
> > > 
> > >
Fedor Pchelkin June 12, 2024, 8:32 a.m. UTC | #5
On Tue, 11. Jun 10:45, Mathieu Poirier wrote:
> On Mon, Jun 10, 2024 at 08:36:19PM +0300, Fedor Pchelkin wrote:
> > Btw, there is a "rsc-table" node->name check in the the end of the loop
> > body. It was added recently with commit 5e4c1243071d ("remoteproc:
> > imx_rproc: support remote cores booted before Linux Kernel"). Seems to me
> > it forgot that of_node_put() is called way before that.
> > 
> 
> I agree.
> 
> > Also commit 61afafe8b938 ("remoteproc: imx_rproc: Fix refcount leak in
> > imx_rproc_addr_init") was dealing with the last of_node_put() call here
> > but it's still not in the right place I'd say.
> >
> 
> You mean becaue of node->name being used after the last of_node_put() or is

Yes, this one. Only that node->name is used after the last of_node_put().

> there something else?
Aleksandr Mishin June 12, 2024, 1:20 p.m. UTC | #6
On 11.06.2024 19:45, Mathieu Poirier wrote:
> On Mon, Jun 10, 2024 at 08:36:19PM +0300, Fedor Pchelkin wrote:
>> On Mon, 10. Jun 10:47, Mathieu Poirier wrote:
>>> On Thu, Jun 06, 2024 at 10:52:04AM +0300, Aleksandr Mishin wrote:
>>>> In imx_rproc_addr_init() "nph = of_count_phandle_with_args()" just counts
>>>> number of phandles. But phandles may be empty. So of_parse_phandle() in
>>>> the parsing loop (0 < a < nph) may return NULL which is later dereferenced.
>>>> Adjust this issue by adding NULL-return check.
>>>>
>>>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>>>
>>>> Fixes: a0ff4aa6f010 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc driver")
>>>> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
>>>> ---
>>>>   drivers/remoteproc/imx_rproc.c | 2 ++
>>>>   1 file changed, 2 insertions(+)
>>>>
>>>> diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
>>>> index 5a3fb902acc9..39eacd90af14 100644
>>>> --- a/drivers/remoteproc/imx_rproc.c
>>>> +++ b/drivers/remoteproc/imx_rproc.c
>>>> @@ -726,6 +726,8 @@ static int imx_rproc_addr_init(struct imx_rproc *priv,
>>>>   		struct resource res;
>>>>   
>>>>   		node = of_parse_phandle(np, "memory-region", a);
>>>> +		if (!node)
>>>
>>> You're missing an "of_node_put()" before continuing.
>>>
>>
>> The node is NULL in this case so of_node_put() is not needed..?
> 
> Oh yeah, doing a of_node_put() with a NULL value is are really good idea...
> 
> I will pickup this patch.
> 
>>
>> Btw, there is a "rsc-table" node->name check in the the end of the loop
>> body. It was added recently with commit 5e4c1243071d ("remoteproc:
>> imx_rproc: support remote cores booted before Linux Kernel"). Seems to me
>> it forgot that of_node_put() is called way before that.
>>
> 
> I agree.
> 
>> Also commit 61afafe8b938 ("remoteproc: imx_rproc: Fix refcount leak in
>> imx_rproc_addr_init") was dealing with the last of_node_put() call here
>> but it's still not in the right place I'd say.
>>
> 
> You mean becaue of node->name being used after the last of_node_put() or is
> there something else?
> 
> Aleksandr - Can you send another patch for the above?

Patch is sent.
https://lore.kernel.org/all/20240612131714.12907-1-amishin@t-argos.ru/

> 
> Thanks,
> Mathieu
> 
>>>> +			continue;
>>>>   		/* Not map vdevbuffer, vdevring region */
>>>>   		if (!strncmp(node->name, "vdev", strlen("vdev"))) {
>>>>   			of_node_put(node);
>>>> -- 
>>>> 2.30.2
>>>>
>>>>
diff mbox series

Patch

diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
index 5a3fb902acc9..39eacd90af14 100644
--- a/drivers/remoteproc/imx_rproc.c
+++ b/drivers/remoteproc/imx_rproc.c
@@ -726,6 +726,8 @@  static int imx_rproc_addr_init(struct imx_rproc *priv,
 		struct resource res;
 
 		node = of_parse_phandle(np, "memory-region", a);
+		if (!node)
+			continue;
 		/* Not map vdevbuffer, vdevring region */
 		if (!strncmp(node->name, "vdev", strlen("vdev"))) {
 			of_node_put(node);