Re: [cocci] [PATCH] firmware: ti_sci: Fix exception handling in ti_sci_probe()
From: Dan Carpenter
Date: Wed May 17 2023 - 02:44:04 EST
On Tue, May 16, 2023 at 10:20:43AM -0500, Nishanth Menon wrote:
> On 22:10-20230405, Markus Elfring wrote:
> > Date: Wed, 5 Apr 2023 22:00:18 +0200
>
> B4 does'nt pick this patch up cleanly. And for some reason, I get
> mangled patch from public-inbox as well :( a clean git-send-email might
> help.
>
It's an awkward thing. B4 doesn't work because Markus was banned from
LKML because he doesn't listen to feedback.
> >
> > The label “out” was used to jump to another pointer check despite of
>
> Please use " for quotes.
>
> > the detail in the implementation of the function “ti_sci_probe”
> > that it was determined already that the corresponding variable
> > contained an error pointer because of a failed call of
> > the function “mbox_request_channel_byname”.
>
> >
> > * Thus use more appropriate labels instead.
> >
> > * Delete two redundant checks.
> >
>
> How about this:
>
> Optimize out the redundant pointer check in exit path of "out" using
> appropriate labels to jump in the error path
> >
> Drop the extra EoL
>
> > This issue was detected by using the Coccinelle software.
>
> Curious: what rule of coccicheck caught this?
>
> >
> > Fixes: aa276781a64a5f15ecc21e920960c5b1f84e5fee ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol")
>
> 12 char sha please. Please read Documentation/process/submitting-patches.rst
>
For example, Markus has been told to use 12 char shas several times
before.
> > Signed-off-by: Markus Elfring <elfring@xxxxxxxxxxxxxxxxxxxxx>
> > ---
> > drivers/firmware/ti_sci.c | 19 ++++++++++---------
> > 1 file changed, 10 insertions(+), 9 deletions(-)
> >
> > diff --git a/drivers/firmware/ti_sci.c b/drivers/firmware/ti_sci.c
> > index 039d92a595ec..77012d2f4160 100644
> > --- a/drivers/firmware/ti_sci.c
> turns out as =2D-- instead of -- (might check the git format-patch
> output closer).
>
> > +++ b/drivers/firmware/ti_sci.c
> > @@ -3433,18 +3433,18 @@ static int ti_sci_probe(struct platform_device *pdev)
> > info->chan_rx = mbox_request_channel_byname(cl, "rx");
> > if (IS_ERR(info->chan_rx)) {
> > ret = PTR_ERR(info->chan_rx);
> > - goto out;
> > + goto remove_debugfs;
> > }
> >
> > info->chan_tx = mbox_request_channel_byname(cl, "tx");
> > if (IS_ERR(info->chan_tx)) {
> > ret = PTR_ERR(info->chan_tx);
> > - goto out;
> > + goto free_mbox_channel_rx;
> > }
> > ret = ti_sci_cmd_get_revision(info);
> > if (ret) {
> > dev_err(dev, "Unable to communicate with TISCI(%d)\n", ret);
> > - goto out;
> > + goto free_mbox_channel_tx;
> > }
> >
> > ti_sci_setup_ops(info);
> > @@ -3456,7 +3456,7 @@ static int ti_sci_probe(struct platform_device *pdev)
> > ret = register_restart_handler(&info->nb);
> > if (ret) {
> > dev_err(dev, "reboot registration fail(%d)\n", ret);
> > - goto out;
> > + goto free_mbox_channel_tx;
> > }
> > }
> >
> > @@ -3470,11 +3470,12 @@ static int ti_sci_probe(struct platform_device *pdev)
> > mutex_unlock(&ti_sci_list_mutex);
> >
> > return of_platform_populate(dev->of_node, NULL, NULL, dev);
There is a bug here because the resources are not freed if
of_platform_populate() fails. The "info" struct is devm_ allocated but
it's still on the &ti_sci_list list, so that will lead to a use after
free.
regards,
dan carpenter
> > -out:
> > - if (!IS_ERR(info->chan_tx))
> > - mbox_free_channel(info->chan_tx);
> > - if (!IS_ERR(info->chan_rx))
> > - mbox_free_channel(info->chan_rx);
> > +
> > +free_mbox_channel_tx:
> > + mbox_free_channel(info->chan_tx);
> > +free_mbox_channel_rx:
> > + mbox_free_channel(info->chan_rx);
> > +remove_debugfs:
> > debugfs_remove(info->d);
> > return ret;
> > }