From: sashiko-bot@kernel.org
To: "Caleb James DeLisle" <cjd@cjdns.fr>
Cc: devicetree@vger.kernel.org, conor+dt@kernel.org, robh@kernel.org,
	krzk+dt@kernel.org
Subject: Re: [PATCH v2 4/5] clocksource/timer-econet-en751221: Unmap io mem on probe error
Date: Thu, 14 May 2026 12:56:41 +0000
Message-ID: <20260514125641.C94F2C2BCB3@smtp.kernel.org>
In-Reply-To: <20260514000601.3430262-5-cjd@cjdns.fr>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Unmapping IO memory after a successful `clocksource_mmio_init()` registration introduces a fatal use-after-unmap vulnerability.
--

commit dd9c92736c75fb466e09313766fb39cf62c86394
Author: Caleb James DeLisle <cjd@cjdns.fr>
clocksource/timer-econet-en751221: Unmap io mem on probe error

This commit updates the econet timer initialization to unmap the IO
memory blocks if an error occurs during probe.

> --- a/drivers/clocksource/timer-econet-en751221.c
> +++ b/drivers/clocksource/timer-econet-en751221.c
[ ... ]
> @@ -198,12 +199,12 @@ static int __init timer_init(struct device_node *np)
>  				    clocksource_mmio_readl_up);
>  	if (ret) {
>  		pr_err("%pOFn: clocksource_mmio_init failed: %d", np, ret);
> -		return ret;
> +		goto err_unmap;
>  	}
>  
>  	ret = cevt_init(np);
>  	if (ret < 0)
> -		return ret;
> +		goto err_unmap;
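
Review bot: the second `goto err_unmap`, on the cevt_init() failure path, is reached only after clocksource_mmio_init() has returned success, so the unwind would unmap a region that the just-registered clocksource still reads through. Keep `return ret` on that path, or have the unwind skip the block that was handed to clocksource_mmio_init(); the first `goto err_unmap`, taken when clocksource_mmio_init() itself reports an error, is not affected in the same way. Separately, the pr_err() format string in the context lines has no trailing "\n".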

If clocksource_mmio_init() succeeds, it registers the clocksource and saves
the mapped IO pointer. If the subsequent cevt_init() fails, the code now
jumps to err_unmap and unmaps the memory via iounmap().

Since clocksource_mmio_init() does not provide a way to unregister the
clocksource, the registered clocksource will remain active. When the kernel
reads from this clocksource later, will it dereference the unmapped IO memory
and cause a use-after-unmap regression?

Looking at clocksource_mmio_init() in drivers/clocksource/mmio.c:

clocksource_mmio_init() {
        ...
        cs->reg = base;
        cs->clksrc.read = read;
        ...
        return clocksource_register_hz(&cs->clksrc, hz);
}

Before this patch, if cevt_init() failed, the driver returned an error
without unmapping the memory, which allowed the already-registered
clocksource to safely continue functioning.

[ ... ]
> +err_unmap:
> +	for (int i = 0; i < ARRAY_SIZE(econet_timer.membase); i++) {
> +		if (econet_timer.membase[i])
> +			iounmap(econet_timer.membase[i]);
> +	}
> +
> +	return ret;
>  }
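
Review bot: in the err_unmap loop, iounmap() is called but econet_timer.membase[i] keeps its old address, so the non-NULL test guarding the loop would still pass for a pointer that is no longer mapped. Set `econet_timer.membase[i] = NULL;` right after the iounmap() so no later user of econet_timer can pick up the stale value. The index is also a signed `int` compared against ARRAY_SIZE(), which is unsigned; `unsigned int i` avoids the mixed comparison.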

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260514000601.3430262-1-cjd@cjdns.fr?part=4
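
The ordering problem raised in this review, as an added user-space model in C (not code from the patch, the driver or the kernel): it compares an unwind that unmaps every block with one that skips the block a registered clocksource still points at. The `model_` names are hypothetical, -22 stands in for an errno from cevt_init(), and which block backs the clocksource (index 0 here) is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model: a "mapping" is a flag plus one register. */
struct mapping { bool mapped; unsigned int reg; };

static struct mapping blocks[2];      /* stands in for econet_timer.membase[] */
static struct mapping *registered_cs; /* pointer the registered clocksource keeps */

static struct mapping *model_iomap(int i)
{
	blocks[i] = (struct mapping){ .mapped = true, .reg = 42 + i };
	return &blocks[i];
}

/* A later clocksource read; -1 models the fault on an unmapped address. */
static long model_clocksource_read(void)
{
	return registered_cs->mapped ? (long)registered_cs->reg : -1;
}

/* unmap_published=true unwinds like the patch; false skips the published block. */
static int model_timer_init(bool cevt_fails, bool unmap_published)
{
	struct mapping *membase[2];
	int ret;
	for (int i = 0; i < 2; i++)
		membase[i] = model_iomap(i);
	registered_cs = membase[0];   /* assumption: block 0 backs the clocksource */
	ret = cevt_fails ? -22 : 0;   /* stands in for cevt_init() failing */
	if (ret < 0)
		goto err_unmap;
	return 0;

err_unmap:
	for (int i = 0; i < 2; i++)
		if (unmap_published || membase[i] != registered_cs)
			membase[i]->mapped = false;   /* models iounmap() */
	return ret;
}

int main(void)
{
	int ret = model_timer_init(true, true);
	printf("patch unwind: ret=%d read=%ld\n", ret, model_clocksource_read());
	ret = model_timer_init(true, false);
	printf("skip published: ret=%d read=%ld\n", ret, model_clocksource_read());
	return 0;
}
```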
