[tip:irq/urgent] irqchip/renesas-rza1: Prevent use-after-free in rza1_irqc_probe()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: tip-bot for Wen Yang <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: hpa@zytor.com, linux-kernel@vger.kernel.org,
	wen.yang99@zte.com.cn, mingo@kernel.org, geert+renesas@glider.be,
	tglx@linutronix.de
Subject: [tip:irq/urgent] irqchip/renesas-rza1: Prevent use-after-free in rza1_irqc_probe()
Date: Tue, 9 Jul 2019 05:58:09 -0700	[thread overview]
Message-ID: <tip-7c8e90ddf02f139a90bc29c04302e9914818f0c8@git.kernel.org> (raw)
In-Reply-To: <1562566745-7447-3-git-send-email-wen.yang99@zte.com.cn>

Commit-ID:  7c8e90ddf02f139a90bc29c04302e9914818f0c8
Gitweb:     https://git.kernel.org/tip/7c8e90ddf02f139a90bc29c04302e9914818f0c8
Author:     Wen Yang <wen.yang99@zte.com.cn>
AuthorDate: Mon, 8 Jul 2019 14:19:04 +0800
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Tue, 9 Jul 2019 14:53:50 +0200

irqchip/renesas-rza1: Prevent use-after-free in rza1_irqc_probe()

The gic_node is still being used in the rza1_irqc_parse_map() call
after the of_node_put() call, which may result in use-after-free.

Fixes: a644ccb819bc ("irqchip: Add Renesas RZ/A1 Interrupt Controller driver")
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lkml.kernel.org/r/1562566745-7447-3-git-send-email-wen.yang99@zte.com.cn
---
 drivers/irqchip/irq-renesas-rza1.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/drivers/irqchip/irq-renesas-rza1.c b/drivers/irqchip/irq-renesas-rza1.c
index b1f19b210190..b0d46ac42b89 100644
--- a/drivers/irqchip/irq-renesas-rza1.c
+++ b/drivers/irqchip/irq-renesas-rza1.c
@@ -208,20 +208,19 @@ static int rza1_irqc_probe(struct platform_device *pdev)
 		return PTR_ERR(priv->base);
 
 	gic_node = of_irq_find_parent(np);
-	if (gic_node) {
+	if (gic_node)
 		parent = irq_find_host(gic_node);
-		of_node_put(gic_node);
-	}
 
 	if (!parent) {
 		dev_err(dev, "cannot find parent domain\n");
-		return -ENODEV;
+		ret = -ENODEV;
+		goto out_put_node;
 	}
 
 	ret = rza1_irqc_parse_map(priv, gic_node);
 	if (ret) {
 		dev_err(dev, "cannot parse %s: %d\n", "interrupt-map", ret);
-		return ret;
+		goto out_put_node;
 	}
 
 	priv->chip.name = "rza1-irqc",
@@ -237,10 +236,12 @@ static int rza1_irqc_probe(struct platform_device *pdev)
 						    priv);
 	if (!priv->irq_domain) {
 		dev_err(dev, "cannot initialize irq domain\n");
-		return -ENOMEM;
+		ret = -ENOMEM;
 	}
 
-	return 0;
+out_put_node:
+	of_node_put(gic_node);
+	return ret;
 }
 
 static int rza1_irqc_remove(struct platform_device *pdev)

next prev parent reply	other threads:[~2019-07-09 12:58 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-08  6:19 [PATCH] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init() Wen Yang
2019-07-08  6:19 ` Wen Yang
2019-07-08  6:19 ` [PATCH] crypto: crypto4xx: fix a potential double free in ppc4xx_trng_probe Wen Yang
2019-07-08  6:27   ` Julia Lawall
2019-07-09 12:14   ` [Cocci] Coccinelle: Checking the deletion of duplicate of_node_put() calls with SmPL Markus Elfring
2019-07-09 12:14     ` Markus Elfring
2019-07-10  5:55     ` [Cocci] " Markus Elfring
2019-07-10  5:55       ` Markus Elfring
2019-07-12 10:17   ` [PATCH] crypto: crypto4xx: fix a potential double free in ppc4xx_trng_probe Herbert Xu
2019-07-08  6:19 ` [PATCH] irqchip: renesas-rza1: fix an use-after-free in rza1_irqc_probe() Wen Yang
2019-07-08  7:36   ` Geert Uytterhoeven
2019-07-09 12:58   ` tip-bot for Wen Yang [this message]
2019-07-26 13:41   ` Marc Zyngier
2019-07-08  6:19 ` [PATCH] phy: ti: am654-serdes: fix an use-after-free in serdes_am654_clk_register() Wen Yang
2019-08-06 14:07   ` Roger Quadros
2019-07-08  6:27 ` [PATCH] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init() Viresh Kumar
2019-07-08  6:27   ` Viresh Kumar
2019-07-08  7:03   ` [PATCH] cpufreq/pasemi: fix an use-after-free inpas_cpufreq_cpu_init() wen.yang99

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:b1f19b21019 dfblob:b0d46ac42b8 )
 OR (
bs:"[tip:irq/urgent] irqchip/renesas-rza1: Prevent use-after-free in rza1_irqc_probe()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=tip-7c8e90ddf02f139a90bc29c04302e9914818f0c8@git.kernel.org \
    --to=tipbot@zytor.com \
    --cc=geert+renesas@glider.be \
    --cc=hpa@zytor.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-tip-commits@vger.kernel.org \
    --cc=mingo@kernel.org \
    --cc=tglx@linutronix.de \
    --cc=wen.yang99@zte.com.cn \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.