Re: [PATCH] phy: ti: am654-serdes: fix an use-after-free in serdes_am654_clk_register()

From: Roger Quadros
Date: Tue Aug 06 2019 - 10:07:46 EST




On 08/07/2019 09:19, Wen Yang wrote:
> The regmap_node variable is still being used in the syscon_node_to_regmap()
> call after the of_node_put() call, which may result in use-after-free.
>
> Fixes: 71e2f5c5c224 ("phy: ti: Add a new SERDES driver for TI's AM654x SoC")
> Signed-off-by: Wen Yang <wen.yang99@xxxxxxxxxx>
> Cc: Kishon Vijay Abraham I <kishon@xxxxxx>
> Cc: Roger Quadros <rogerq@xxxxxx>
> Cc: linux-kernel@xxxxxxxxxxxxxxx

Reviewed-by: Roger Quadros <rogerq@xxxxxx>

> ---
> drivers/phy/ti/phy-am654-serdes.c | 33 ++++++++++++++++++++++-----------
> 1 file changed, 22 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/phy/ti/phy-am654-serdes.c b/drivers/phy/ti/phy-am654-serdes.c
> index f8edd08..f14f1f0 100644
> --- a/drivers/phy/ti/phy-am654-serdes.c
> +++ b/drivers/phy/ti/phy-am654-serdes.c
> @@ -405,6 +405,7 @@ static int serdes_am654_clk_register(struct serdes_am654 *am654_phy,
> const __be32 *addr;
> unsigned int reg;
> struct clk *clk;
> + int ret = 0;
>
> mux = devm_kzalloc(dev, sizeof(*mux), GFP_KERNEL);
> if (!mux)
> @@ -413,34 +414,40 @@ static int serdes_am654_clk_register(struct serdes_am654 *am654_phy,
> init = &mux->clk_data;
>
> regmap_node = of_parse_phandle(node, "ti,serdes-clk", 0);
> - of_node_put(regmap_node);
> if (!regmap_node) {
> dev_err(dev, "Fail to get serdes-clk node\n");
> - return -ENODEV;
> + ret = -ENODEV;
> + goto out_put_node;
> }
>
> regmap = syscon_node_to_regmap(regmap_node->parent);
> if (IS_ERR(regmap)) {
> dev_err(dev, "Fail to get Syscon regmap\n");
> - return PTR_ERR(regmap);
> + ret = PTR_ERR(regmap);
> + goto out_put_node;
> }
>
> num_parents = of_clk_get_parent_count(node);
> if (num_parents < 2) {
> dev_err(dev, "SERDES clock must have parents\n");
> - return -EINVAL;
> + ret = -EINVAL;
> + goto out_put_node;
> }
>
> parent_names = devm_kzalloc(dev, (sizeof(char *) * num_parents),
> GFP_KERNEL);
> - if (!parent_names)
> - return -ENOMEM;
> + if (!parent_names) {
> + ret = -ENOMEM;
> + goto out_put_node;
> + }
>
> of_clk_parent_fill(node, parent_names, num_parents);
>
> addr = of_get_address(regmap_node, 0, NULL, NULL);
> - if (!addr)
> - return -EINVAL;
> + if (!addr) {
> + ret = -EINVAL;
> + goto out_put_node;
> + }
>
> reg = be32_to_cpu(*addr);
>
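Review bot: The `parent_names` allocation kept as context in this hunk still sizes the buffer with an open-coded multiplication, `sizeof(char *) * num_parents`, where `num_parents` comes from `of_clk_get_parent_count(node)` and so from the device tree. An overflow is unlikely with realistic parent counts, but the overflow-checked helper is the usual kernel form: `parent_names = devm_kcalloc(dev, num_parents, sizeof(*parent_names), GFP_KERNEL);`. The commit already rewrites the error branch directly below this call, so the allocation could be switched in the same change. The body of serdes_am654_clk_register() starts before and continues after this hunk.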
> @@ -456,12 +463,16 @@ static int serdes_am654_clk_register(struct serdes_am654 *am654_phy,
> mux->hw.init = init;
>
> clk = devm_clk_register(dev, &mux->hw);
> - if (IS_ERR(clk))
> - return PTR_ERR(clk);
> + if (IS_ERR(clk)) {
> + ret = PTR_ERR(clk);
> + goto out_put_node;
> + }
>
> am654_phy->clks[clock_num] = clk;
>
> - return 0;
> +out_put_node:
> + of_node_put(regmap_node);
> + return ret;
> }
>
> static const struct of_device_id serdes_am654_id_table[] = {
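Review bot: The `out_put_node` label is reached by fall-through on the success path, and with a NULL `regmap_node` from the `!regmap_node` branch in the previous hunk, but nothing at the label says so. A one-line comment above it would stop a later editor from adding a failure-only statement there or from dereferencing `regmap_node` in the exit path, for example `/* Common exit, success included: ret stays 0 unless an error path set it; of_node_put() accepts NULL. */`. Dropping the reference here looks correct from the visible lines, since `reg` is copied out of `*addr` before the label and `regmap_node` is not used after it. The function starts outside this hunk.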
>

--
Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki