From patchwork Fri Apr 21 10:44:54 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 13219865 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id ED411C77B75 for ; Fri, 21 Apr 2023 11:43:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-ID:Subject:Cc:To: From:Date:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=d2lZ9HuoEjYjCaEc2yK+qtGzLTjF5dHbhbpWl+N7XSc=; b=MObkK3zehBsr6Y +gQWLqepN9UGNnw9a9jimc4Q0kNmD0UFJeylbZ6IX4gn2IsTfna9NW2cn9Cx/UvpVWyiwxFasRbcY NE4Np5Y6kG7QGK5rbqNzGl5P3R3796hWun4Dh0MuB929E4CxhnZYZMX6P3jXJjrcD5C7bsMfk0/4I e0w45/o/RoMN+gAn3Jfckx9m/QnkKljRSsp+VUw0hXYSqBabi8DHM5J/+HwY45s7A5mlGVkk+kUqQ OccUzq3lssKUSYTyKHSmqVDiqK0yo+TfgKdA4y81GQHZ6nosbcOs0g4qwVio/pFcUTmJzlT6UxSiC K4sI7r/ROptDHHXb6GNQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1pppA3-00Akvc-18; Fri, 21 Apr 2023 11:42:43 +0000 Received: from desiato.infradead.org ([2001:8b0:10b:1:d65d:64ff:fe57:4e05]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1pppA1-00Akuv-0q for linux-arm-kernel@bombadil.infradead.org; Fri, 21 Apr 2023 11:42:41 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=Content-Type:MIME-Version:Message-ID: Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:In-Reply-To:References; bh=BmqSgoVn+4GYHbRCGkxih6mgI9KXrJS4qZaVx99YBF0=; b=B+I4x9z/SyW2zJARMSDo0TqPJy 49PdBjTHAv94uTbX9yTtFrzGG16/paUIfDRQGoKvJQgG3YQoriOPBqmlRjp/MD+MWMiRY2KQJ2vV7 /MY66LkDTK2aJzcNV6svJXH41XfOylTvYEN6tw62J93NKiPzXorB1s85Ilckoj9X0kgKor9YdyQeh yDwaBxTyV0HeRao49YcHwJdlBm13Ggkom428Nkp9Vl576PTMZyHU8TgNGamm+iys49SKCuswY0mUW Hga3tvT9+NXteQ826AJI7zU6SvjU7E6VMll463T9kXtsgebaaCmsUG4sYox1IeTSD/Sq3+5c1nILh bJ11gpXg==; Received: from mail-wm1-x32c.google.com ([2a00:1450:4864:20::32c]) by desiato.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1ppoGA-005GJS-0H for linux-arm-kernel@lists.infradead.org; Fri, 21 Apr 2023 10:45:00 +0000 Received: by mail-wm1-x32c.google.com with SMTP id 5b1f17b1804b1-3f1957e80a2so5393395e9.1 for ; Fri, 21 Apr 2023 03:44:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1682073897; x=1684665897; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=BmqSgoVn+4GYHbRCGkxih6mgI9KXrJS4qZaVx99YBF0=; b=FTOGGLy/4aVVYGpSAWcxoSFoKy7NS1c2I4lPWKmOr+cOGefYqCAripq+GvJz0clFvc gdD/ZSwGjGsoiQa4M4qnk4eQ6o+oJj+yYItNqCY3FXuDVQcVzGHOUAXMXKkth89GctPQ DNmYACDMfspf2v+ljSPoWQG+S4BUzXpw/z9RMmNBYw9+D8EQe60F+m2RdU48JhipyJNu KjiD9hDj7MJAGsfXrIzxlFM2N0D1u4HnNshGC49W64Bm8/R98GFr/4fg1D9TDZF4IDgx 1WgS3afclE8xJWSc+iqu9sJq29VdfKLAvTVcvAgnriEM/lX+qshDkUWZuf5f1rfzKAKC FyYA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682073897; x=1684665897; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=BmqSgoVn+4GYHbRCGkxih6mgI9KXrJS4qZaVx99YBF0=; b=P+EFJ1OMCeFcOk7gI6AqsfVF4nBLLEnvN1e+I7LZzL8w2zgBmfQvX5bStqqFeHwvZ6 mMrzwIDpIbQixvb5bvslazXYEgkYxeFthYvt6U8qQXkurkBYKuAHt8m0jq6VaivVBzfP 3ExMF6uksLzBI72AIS0ACjpQKV0jEzY/IHeZHHn5RqLN7i1/fuqCVsYEswpuGTeu/oGA BbJYbGcogNxnGb/Z3qNQnw7bBJiZTd+Dj6/G93e7R7WfACBfYPQrrcpfrnoe4jSj9CnL j1uphp+APSnikZJzpEtLzNpXoG+NAYKSpvMH3F+/wkyIzP+6ifBSnYnVUjl03DSqRH6S nTag== X-Gm-Message-State: AAQBX9cGxGtnCxZVz8eNSuCJrQOcLwC+yHIb4QPFeWatN+5+SEhue+/Q 1WYKvgd0o/MKoElQCrtqhE7CUA== X-Google-Smtp-Source: AKy350ZaT1G0S2zY1VUe0Yq2m3hK6Ma2A+K1oVpKfU0a6Bwjve9Lz1EVu8IMAzOCGQdABY03xmatBQ== X-Received: by 2002:a5d:6a11:0:b0:2f6:661:c03c with SMTP id m17-20020a5d6a11000000b002f60661c03cmr4068864wru.28.1682073896851; Fri, 21 Apr 2023 03:44:56 -0700 (PDT) Received: from localhost ([102.36.222.112]) by smtp.gmail.com with ESMTPSA id p17-20020a056000019100b002fda1b12a0bsm4192642wrx.2.2023.04.21.03.44.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 21 Apr 2023 03:44:56 -0700 (PDT) Date: Fri, 21 Apr 2023 13:44:54 +0300 From: Dan Carpenter To: Abhyuday Godhasara Cc: Michal Simek , Rajan Vaja , Greg Kroah-Hartman , Tejas Patel , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH] driver: soc: xilinx: use _safe loop iterator to avoid a use after free Message-ID: <761e0e4a-4caf-4a71-8f47-1c6ad908a848@kili.mountain> MIME-Version: 1.0 Content-Disposition: inline X-Mailer: git-send-email haha only kidding X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230421_114458_464748_0FC73C86 X-CRM114-Status: GOOD ( 13.68 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org The hash_for_each_possible() loop dereferences "eve_data" to get the next item on the list. However the loop frees eve_data so it leads to a use after free. Use hash_for_each_possible_safe() instead. Fixes: c7fdb2404f66 ("drivers: soc: xilinx: add xilinx event management driver") Signed-off-by: Dan Carpenter --- Found by static analysis and not tested. drivers/soc/xilinx/xlnx_event_manager.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/soc/xilinx/xlnx_event_manager.c b/drivers/soc/xilinx/xlnx_event_manager.c index c76381899ef4..f9d9b82b562d 100644 --- a/drivers/soc/xilinx/xlnx_event_manager.c +++ b/drivers/soc/xilinx/xlnx_event_manager.c @@ -192,11 +192,12 @@ static int xlnx_remove_cb_for_suspend(event_cb_func_t cb_fun) struct registered_event_data *eve_data; struct agent_cb *cb_pos; struct agent_cb *cb_next; + struct hlist_node *tmp; is_need_to_unregister = false; /* Check for existing entry in hash table for given cb_type */ - hash_for_each_possible(reg_driver_map, eve_data, hentry, PM_INIT_SUSPEND_CB) { + hash_for_each_possible_safe(reg_driver_map, eve_data, tmp, hentry, PM_INIT_SUSPEND_CB) { if (eve_data->cb_type == PM_INIT_SUSPEND_CB) { /* Delete the list of callback */ list_for_each_entry_safe(cb_pos, cb_next, &eve_data->cb_list_head, list) { @@ -228,11 +229,12 @@ static int xlnx_remove_cb_for_notify_event(const u32 node_id, const u32 event, u64 key = ((u64)node_id << 32U) | (u64)event; struct agent_cb *cb_pos; struct agent_cb *cb_next; + struct hlist_node *tmp; is_need_to_unregister = false; /* Check for existing entry in hash table for given key id */ - hash_for_each_possible(reg_driver_map, eve_data, hentry, key) { + hash_for_each_possible_safe(reg_driver_map, eve_data, tmp, hentry, key) { if (eve_data->key == key) { /* Delete the list of callback */ list_for_each_entry_safe(cb_pos, cb_next, &eve_data->cb_list_head, list) {