From patchwork Wed Oct 11 21:59:22 2017
X-Patchwork-Submitter: Florian Fainelli
X-Patchwork-Id: 10000703
From: Florian Fainelli
To: linux-kernel@vger.kernel.org
Cc: kdasu.kdev@gmail.com, bcm-kernel-feedback-list@broadcom.com, Florian Fainelli, Mark Brown, linux-spi@vger.kernel.org (open list:SPI SUBSYSTEM)
Subject: [PATCH] spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path
Date: Wed, 11 Oct 2017 14:59:22 -0700
Message-Id: <20171011215922.20536-1-f.fainelli@gmail.com>

There was an inversion in how the error path in bcm_qspi_probe() is done which would make us trip over a KASAN use-after-free report. Turns out that qspi->dev_ids does not get allocated until later in the probe process. Fix this by introducing a new label: qspi_resource_err which takes care of cleaning up the SPI master instance.

Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver")
Signed-off-by: Florian Fainelli

--- drivers/spi/spi-bcm-qspi.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c index 6ef6c44f39f5..a172ab299e80 100644 --- a/drivers/spi/spi-bcm-qspi.c +++ b/drivers/spi/spi-bcm-qspi.c @@ -1250,7 +1250,7 @@ int bcm_qspi_probe(struct platform_device *pdev, goto qspi_probe_err; } } else { - goto qspi_probe_err; + goto qspi_resource_err; } res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "bspi"); @@ -1272,7 +1272,7 @@ int bcm_qspi_probe(struct platform_device *pdev, qspi->base[CHIP_SELECT] = devm_ioremap_resource(dev, res); if (IS_ERR(qspi->base[CHIP_SELECT])) { ret = PTR_ERR(qspi->base[CHIP_SELECT]); - goto qspi_probe_err; + goto qspi_resource_err; } } @@ -1280,7 +1280,7 @@ int bcm_qspi_probe(struct platform_device *pdev, GFP_KERNEL); if (!qspi->dev_ids) { ret = -ENOMEM; - goto qspi_probe_err; + goto qspi_resource_err; } for (val = 0; val < num_irqs; val++) { 
@@ -1369,8 +1369,9 @@ int bcm_qspi_probe(struct platform_device *pdev, bcm_qspi_hw_uninit(qspi); clk_disable_unprepare(qspi->clk); qspi_probe_err: - spi_master_put(master); kfree(qspi->dev_ids); +qspi_resource_err: + spi_master_put(master); return ret; } /* probe function to be called by SoC specific platform driver probe */
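Review bot: In the first hunk (@@ -1250), the else branch reaches `goto qspi_resource_err;` without assigning ret in the lines shown, so the value returned when the resource is missing is whatever ret held earlier. Set an explicit error code there, as the dev_ids check does with `ret = -ENOMEM;`. The context `goto qspi_probe_err;` two lines above is left on the old label although, per the commit message, qspi->dev_ids is not allocated until later; pointing it at qspi_resource_err as well would keep the early exits consistent.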
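Review bot: In the last hunk (@@ -1369), the fix depends on `kfree(qspi->dev_ids);` running before `spi_master_put(master);`, but nothing at the labels records that ordering. The commit message ties the KASAN use-after-free to the inverted order, so a short comment above qspi_resource_err saying the put must come last would keep a later cleanup from swapping them back. The name qspi_probe_err now covers only the dev_ids free, so a more specific label name would match its reduced scope.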