* [PATCH 1/2] mfd: tps65910: Fix possible invalid pointer dereference on regmap_add_irq_chip fail
@ 2014-03-12 15:50 Krzysztof Kozlowski
2014-03-12 15:50 ` [PATCH 2/2] mfd: tps65910: Fix regmap_irq_chip_data leak on mfd_add_devices fail Krzysztof Kozlowski
2014-03-19 9:07 ` [PATCH 1/2] mfd: tps65910: Fix possible invalid pointer dereference on regmap_add_irq_chip fail Lee Jones
0 siblings, 2 replies; 4+ messages in thread
From: Krzysztof Kozlowski @ 2014-03-12 15:50 UTC (permalink / raw)
To: Samuel Ortiz, Lee Jones, linux-kernel; +Cc: Krzysztof Kozlowski, stable
tps65910_irq_init() sets the 'tps65910->chip_irq' before calling
regmap_add_irq_chip(). If this regmap_add_irq_chip() call fails in
memory allocation of regmap_irq_chip_data members then:
1. The 'tps65910->chip_irq' will still hold some value;
2. 'tps65910->irq_data' will be pointing to already freed memory
(because regmap_add_irq_chip() will free it on error);
This results in invalid memory access during driver remove because the
tps65910_irq_exit() tests whether 'tps65910->chip_irq' is not null.
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Cc: <stable@vger.kernel.org>
Fixes: 4aab3fadad32 ("mfd: tps65910: Move interrupt implementation code to mfd file")
---
drivers/mfd/tps65910.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/mfd/tps65910.c b/drivers/mfd/tps65910.c
index 1f142d76cbbc..d6573318977f 100644
--- a/drivers/mfd/tps65910.c
+++ b/drivers/mfd/tps65910.c
@@ -251,16 +251,18 @@ static int tps65910_irq_init(struct tps65910 *tps65910, int irq,
break;
}
tps65910->chip_irq = irq;
ret = regmap_add_irq_chip(tps65910->regmap, tps65910->chip_irq,
IRQF_ONESHOT, pdata->irq_base,
tps6591x_irqs_chip, &tps65910->irq_data);
- if (ret < 0)
+ if (ret < 0) {
dev_warn(tps65910->dev, "Failed to add irq_chip %d\n", ret);
+ tps65910->chip_irq = 0;
+ }
return ret;
}
static int tps65910_irq_exit(struct tps65910 *tps65910)
{
if (tps65910->chip_irq > 0)
regmap_del_irq_chip(tps65910->chip_irq, tps65910->irq_data);
--
1.7.9.5
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH 2/2] mfd: tps65910: Fix regmap_irq_chip_data leak on mfd_add_devices fail
2014-03-12 15:50 [PATCH 1/2] mfd: tps65910: Fix possible invalid pointer dereference on regmap_add_irq_chip fail Krzysztof Kozlowski
@ 2014-03-12 15:50 ` Krzysztof Kozlowski
2014-03-19 9:07 ` Lee Jones
2014-03-19 9:07 ` [PATCH 1/2] mfd: tps65910: Fix possible invalid pointer dereference on regmap_add_irq_chip fail Lee Jones
1 sibling, 1 reply; 4+ messages in thread
From: Krzysztof Kozlowski @ 2014-03-12 15:50 UTC (permalink / raw)
To: Samuel Ortiz, Lee Jones, linux-kernel; +Cc: Krzysztof Kozlowski
The tps65910_i2c_probe() allocates regmap_irq_chip in
tps65910_irq_init() but it does not clean this up in case of
mfd_add_devices() failure.
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
---
drivers/mfd/tps65910.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/mfd/tps65910.c b/drivers/mfd/tps65910.c
index d6573318977f..460a014ca629 100644
--- a/drivers/mfd/tps65910.c
+++ b/drivers/mfd/tps65910.c
@@ -507,14 +507,15 @@ static int tps65910_i2c_probe(struct i2c_client *i2c,
ret = mfd_add_devices(tps65910->dev, -1,
tps65910s, ARRAY_SIZE(tps65910s),
NULL, 0,
regmap_irq_get_domain(tps65910->irq_data));
if (ret < 0) {
dev_err(&i2c->dev, "mfd_add_devices failed: %d\n", ret);
+ tps65910_irq_exit(tps65910);
return ret;
}
return ret;
}
static int tps65910_i2c_remove(struct i2c_client *i2c)
--
1.7.9.5
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH 1/2] mfd: tps65910: Fix possible invalid pointer dereference on regmap_add_irq_chip fail
2014-03-12 15:50 [PATCH 1/2] mfd: tps65910: Fix possible invalid pointer dereference on regmap_add_irq_chip fail Krzysztof Kozlowski
2014-03-12 15:50 ` [PATCH 2/2] mfd: tps65910: Fix regmap_irq_chip_data leak on mfd_add_devices fail Krzysztof Kozlowski
@ 2014-03-19 9:07 ` Lee Jones
1 sibling, 0 replies; 4+ messages in thread
From: Lee Jones @ 2014-03-19 9:07 UTC (permalink / raw)
To: Krzysztof Kozlowski; +Cc: Samuel Ortiz, linux-kernel, stable
> tps65910_irq_init() sets the 'tps65910->chip_irq' before calling
> regmap_add_irq_chip(). If this regmap_add_irq_chip() call fails in
> memory allocation of regmap_irq_chip_data members then:
> 1. The 'tps65910->chip_irq' will still hold some value;
> 2. 'tps65910->irq_data' will be pointing to already freed memory
> (because regmap_add_irq_chip() will free it on error);
>
> This results in invalid memory access during driver remove because the
> tps65910_irq_exit() tests whether 'tps65910->chip_irq' is not null.
>
> Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
> Cc: <stable@vger.kernel.org>
> Fixes: 4aab3fadad32 ("mfd: tps65910: Move interrupt implementation code to mfd file")
> ---
> drivers/mfd/tps65910.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
Applied after cleaning up the commit message a little.
--
Lee Jones
Linaro STMicroelectronics Landing Team Lead
Linaro.org │ Open source software for ARM SoCs
Follow Linaro: Facebook | Twitter | Blog
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-03-19 9:07 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-03-12 15:50 [PATCH 1/2] mfd: tps65910: Fix possible invalid pointer dereference on regmap_add_irq_chip fail Krzysztof Kozlowski
2014-03-12 15:50 ` [PATCH 2/2] mfd: tps65910: Fix regmap_irq_chip_data leak on mfd_add_devices fail Krzysztof Kozlowski
2014-03-19 9:07 ` Lee Jones
2014-03-19 9:07 ` [PATCH 1/2] mfd: tps65910: Fix possible invalid pointer dereference on regmap_add_irq_chip fail Lee Jones
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.