* [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference
@ 2024-04-29 1:31 Li Zhijian
2024-04-29 1:31 ` [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) Li Zhijian
` (3 more replies)
0 siblings, 4 replies; 20+ messages in thread
From: Li Zhijian @ 2024-04-29 1:31 UTC (permalink / raw)
To: dave, jonathan.cameron, dave.jiang, alison.schofield,
vishal.l.verma, ira.weiny, dan.j.williams, linux-cxl
Cc: linux-kernel, Li Zhijian
construct_region() could return a PTR_ERR() which cannot be derefernced.
Moving the dereference behind the error checking to make sure the
pointer is valid.
Fixes: a32320b71f08 ("cxl/region: Add region autodiscovery")
Signed-off-by: Li Zhijian <lizhijian@fujitsu.com>
---
drivers/cxl/core/region.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
index 8535718a20f0..3c80aa263a65 100644
--- a/drivers/cxl/core/region.c
+++ b/drivers/cxl/core/region.c
@@ -3086,10 +3086,9 @@ int cxl_add_to_region(struct cxl_port *root, struct cxl_endpoint_decoder *cxled)
mutex_lock(&cxlrd->range_lock);
region_dev = device_find_child(&cxlrd->cxlsd.cxld.dev, hpa,
match_region_by_range);
- if (!region_dev) {
+ if (!region_dev)
cxlr = construct_region(cxlrd, cxled);
- region_dev = &cxlr->dev;
- } else
+ else
cxlr = to_cxl_region(region_dev);
mutex_unlock(&cxlrd->range_lock);
@@ -3097,6 +3096,9 @@ int cxl_add_to_region(struct cxl_port *root, struct cxl_endpoint_decoder *cxled)
if (rc)
goto out;
+ if (!region_dev)
+ region_dev = &cxlr->dev;
+
attach_target(cxlr, cxled, -1, TASK_UNINTERRUPTIBLE);
down_read(&cxl_region_rwsem);
--
2.29.2
^ permalink raw reply related [flat|nested] 20+ messages in thread* [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) 2024-04-29 1:31 [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference Li Zhijian @ 2024-04-29 1:31 ` Li Zhijian 2024-04-29 1:51 ` Zhijian Li (Fujitsu) ` (4 more replies) 2024-04-29 7:50 ` [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference Markus Elfring ` (2 subsequent siblings) 3 siblings, 5 replies; 20+ messages in thread From: Li Zhijian @ 2024-04-29 1:31 UTC (permalink / raw) To: dave, jonathan.cameron, dave.jiang, alison.schofield, vishal.l.verma, ira.weiny, dan.j.williams, linux-cxl Cc: linux-kernel, Li Zhijian > mutex_lock(&cxlrd->range_lock); > region_dev = device_find_child(&cxlrd->cxlsd.cxld.dev, hpa, > match_region_by_range); > if (!region_dev) > cxlr = construct_region(cxlrd, cxled); > else > cxlr = to_cxl_region(region_dev); > mutex_unlock(&cxlrd->range_lock); > > rc = PTR_ERR_OR_ZERO(cxlr); > if (rc) > goto out; > > if (!region_dev) > region_dev = &cxlr->dev; When to_cxl_region(region_dev) fails, put_device(region_dev) should be called to decrease the reference count added by device_find_child(). Simply put_device(region_dev) if region_dev is valid in the error path. Fixes: a32320b71f08 ("cxl/region: Add region autodiscovery") Signed-off-by: Li Zhijian <lizhijian@fujitsu.com> --- drivers/cxl/core/region.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c index 3c80aa263a65..75390865382f 100644 --- a/drivers/cxl/core/region.c +++ b/drivers/cxl/core/region.c @@ -3117,8 +3117,9 @@ int cxl_add_to_region(struct cxl_port *root, struct cxl_endpoint_decoder *cxled) p->res); } - put_device(region_dev); out: + if (region_dev) + put_device(region_dev); put_device(cxlrd_dev); return rc; } -- 2.29.2 ^ permalink raw reply related [flat|nested] 20+ messages in thread
* Re: [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) 2024-04-29 1:31 ` [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) Li Zhijian @ 2024-04-29 1:51 ` Zhijian Li (Fujitsu) 2024-04-29 8:00 ` Markus Elfring ` (3 subsequent siblings) 4 siblings, 0 replies; 20+ messages in thread From: Zhijian Li (Fujitsu) @ 2024-04-29 1:51 UTC (permalink / raw) To: dave@stgolabs.net, jonathan.cameron@huawei.com, dave.jiang@intel.com, alison.schofield@intel.com, vishal.l.verma@intel.com, ira.weiny@intel.com, dan.j.williams@intel.com, linux-cxl@vger.kernel.org Cc: linux-kernel@vger.kernel.org On 29/04/2024 09:31, Li Zhijian wrote: >> mutex_lock(&cxlrd->range_lock); >> region_dev = device_find_child(&cxlrd->cxlsd.cxld.dev, hpa, >> match_region_by_range); >> if (!region_dev) >> cxlr = construct_region(cxlrd, cxled); >> else >> cxlr = to_cxl_region(region_dev); >> mutex_unlock(&cxlrd->range_lock); >> >> rc = PTR_ERR_OR_ZERO(cxlr); Think again, PTR_ERR_OR_ZERO() here should be IS_ERR_OR_NULL()? PTR_ERR_OR_ZERO() returns 0 if cxlr is NULL, but the cxlr will be dereferenced later. >> if (rc) >> goto out; >> >> if (!region_dev) >> region_dev = &cxlr->dev; > > When to_cxl_region(region_dev) fails, put_device(region_dev) should be > called to decrease the reference count added by device_find_child(). > > Simply put_device(region_dev) if region_dev is valid in the error path. > > Fixes: a32320b71f08 ("cxl/region: Add region autodiscovery") > Signed-off-by: Li Zhijian <lizhijian@fujitsu.com> > --- > drivers/cxl/core/region.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c > index 3c80aa263a65..75390865382f 100644 > --- a/drivers/cxl/core/region.c > +++ b/drivers/cxl/core/region.c > @@ -3117,8 +3117,9 @@ int cxl_add_to_region(struct cxl_port *root, struct cxl_endpoint_decoder *cxled) > p->res); > } > > - put_device(region_dev); > out: > + if (region_dev) > + put_device(region_dev); > put_device(cxlrd_dev); > return rc; > } ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) 2024-04-29 1:31 ` [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) Li Zhijian 2024-04-29 1:51 ` Zhijian Li (Fujitsu) @ 2024-04-29 8:00 ` Markus Elfring 2024-04-29 8:26 ` Zhijian Li (Fujitsu) 2024-04-29 8:35 ` Zhijian Li (Fujitsu) ` (2 subsequent siblings) 4 siblings, 1 reply; 20+ messages in thread From: Markus Elfring @ 2024-04-29 8:00 UTC (permalink / raw) To: Li Zhijian, linux-cxl, kernel-janitors, Alison Schofield, Dan Williams, Dave Jiang, Davidlohr Bueso, Ira Weiny, Jonathan Cameron, Vishal Verma Cc: LKML … > Simply put_device(region_dev) if region_dev is valid in the error path. Please improve the change description with a corresponding imperative wording. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.9-rc5#n94 Regards, Markus ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) 2024-04-29 8:00 ` Markus Elfring @ 2024-04-29 8:26 ` Zhijian Li (Fujitsu) 2024-04-29 10:00 ` Dan Carpenter 0 siblings, 1 reply; 20+ messages in thread From: Zhijian Li (Fujitsu) @ 2024-04-29 8:26 UTC (permalink / raw) To: Markus Elfring, linux-cxl@vger.kernel.org, kernel-janitors@vger.kernel.org, Alison Schofield, Dan Williams, Dave Jiang, Davidlohr Bueso, Ira Weiny, Jonathan Cameron, Vishal Verma Cc: LKML On 29/04/2024 16:00, Markus Elfring wrote: > … >> Simply put_device(region_dev) if region_dev is valid in the error path. > > Please improve the change description with a corresponding imperative wording. Yeah, I always overlook this point. thank you. Thanks Zhijian > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.9-rc5#n94 > > Regards, > Markus ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) 2024-04-29 8:26 ` Zhijian Li (Fujitsu) @ 2024-04-29 10:00 ` Dan Carpenter 2024-04-29 10:11 ` Zhijian Li (Fujitsu) 0 siblings, 1 reply; 20+ messages in thread From: Dan Carpenter @ 2024-04-29 10:00 UTC (permalink / raw) To: Zhijian Li (Fujitsu) Cc: Markus Elfring, linux-cxl@vger.kernel.org, kernel-janitors@vger.kernel.org, Alison Schofield, Dan Williams, Dave Jiang, Davidlohr Bueso, Ira Weiny, Jonathan Cameron, Vishal Verma, LKML On Mon, Apr 29, 2024 at 08:26:19AM +0000, Zhijian Li (Fujitsu) wrote: > > > On 29/04/2024 16:00, Markus Elfring wrote: > > … > >> Simply put_device(region_dev) if region_dev is valid in the error path. > > > > Please improve the change description with a corresponding imperative wording. > > Yeah, I always overlook this point. thank you. > Greg has a bot that responds to Markus's reviews for USB. https://lore.kernel.org/all/2024042547-shimmy-guileless-c7f2@gregkh/ regards, dan carpenter ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) 2024-04-29 10:00 ` Dan Carpenter @ 2024-04-29 10:11 ` Zhijian Li (Fujitsu) 0 siblings, 0 replies; 20+ messages in thread From: Zhijian Li (Fujitsu) @ 2024-04-29 10:11 UTC (permalink / raw) To: Dan Carpenter Cc: Markus Elfring, linux-cxl@vger.kernel.org, kernel-janitors@vger.kernel.org, Alison Schofield, Dan Williams, Dave Jiang, Davidlohr Bueso, Ira Weiny, Jonathan Cameron, Vishal Verma, LKML On 29/04/2024 18:00, Dan Carpenter wrote: > On Mon, Apr 29, 2024 at 08:26:19AM +0000, Zhijian Li (Fujitsu) wrote: >> >> >> On 29/04/2024 16:00, Markus Elfring wrote: >>> … >>>> Simply put_device(region_dev) if region_dev is valid in the error path. >>> >>> Please improve the change description with a corresponding imperative wording. >> >> Yeah, I always overlook this point. thank you. >> > > Greg has a bot that responds to Markus's reviews for USB.> > https://lore.kernel.org/all/2024042547-shimmy-guileless-c7f2@gregkh/ Wow!! Thanks for your reminder. > > regards, > dan carpenter > ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) 2024-04-29 1:31 ` [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) Li Zhijian 2024-04-29 1:51 ` Zhijian Li (Fujitsu) 2024-04-29 8:00 ` Markus Elfring @ 2024-04-29 8:35 ` Zhijian Li (Fujitsu) 2024-04-29 10:17 ` Dan Carpenter 2024-04-29 16:14 ` Ira Weiny 4 siblings, 0 replies; 20+ messages in thread From: Zhijian Li (Fujitsu) @ 2024-04-29 8:35 UTC (permalink / raw) To: dave@stgolabs.net, jonathan.cameron@huawei.com, dave.jiang@intel.com, alison.schofield@intel.com, vishal.l.verma@intel.com, ira.weiny@intel.com, dan.j.williams@intel.com, linux-cxl@vger.kernel.org Cc: linux-kernel@vger.kernel.org TBH, even though this patch seems correct, there are still a few to_cxl_region() callers where they dereference the return value directly without checking if it's NULL. So I'm fine to drop this one because to_cxl_region() will trigger a WARN before returning NULL. static struct cxl_region *to_cxl_region(struct device *dev) { if (dev_WARN_ONCE(dev, dev->type != &cxl_region_type, "not a cxl_region device\n")) return NULL; return container_of(dev, struct cxl_region, dev); } Let me know your thoughts. Thanks Zhijian On 29/04/2024 09:31, Li Zhijian wrote: >> mutex_lock(&cxlrd->range_lock); >> region_dev = device_find_child(&cxlrd->cxlsd.cxld.dev, hpa, >> match_region_by_range); >> if (!region_dev) >> cxlr = construct_region(cxlrd, cxled); >> else >> cxlr = to_cxl_region(region_dev); >> mutex_unlock(&cxlrd->range_lock); >> >> rc = PTR_ERR_OR_ZERO(cxlr); >> if (rc) >> goto out; >> >> if (!region_dev) >> region_dev = &cxlr->dev; > > When to_cxl_region(region_dev) fails, put_device(region_dev) should be > called to decrease the reference count added by device_find_child(). > > Simply put_device(region_dev) if region_dev is valid in the error path. > > Fixes: a32320b71f08 ("cxl/region: Add region autodiscovery") > Signed-off-by: Li Zhijian <lizhijian@fujitsu.com> > --- > drivers/cxl/core/region.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c > index 3c80aa263a65..75390865382f 100644 > --- a/drivers/cxl/core/region.c > +++ b/drivers/cxl/core/region.c > @@ -3117,8 +3117,9 @@ int cxl_add_to_region(struct cxl_port *root, struct cxl_endpoint_decoder *cxled) > p->res); > } > > - put_device(region_dev); > out: > + if (region_dev) > + put_device(region_dev); > put_device(cxlrd_dev); > return rc; > } ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) 2024-04-29 1:31 ` [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) Li Zhijian ` (2 preceding siblings ...) 2024-04-29 8:35 ` Zhijian Li (Fujitsu) @ 2024-04-29 10:17 ` Dan Carpenter 2024-04-29 10:26 ` Zhijian Li (Fujitsu) 2024-04-29 16:14 ` Ira Weiny 4 siblings, 1 reply; 20+ messages in thread From: Dan Carpenter @ 2024-04-29 10:17 UTC (permalink / raw) To: Li Zhijian Cc: dave, jonathan.cameron, dave.jiang, alison.schofield, vishal.l.verma, ira.weiny, dan.j.williams, linux-cxl, linux-kernel On Mon, Apr 29, 2024 at 09:31:54AM +0800, Li Zhijian wrote: > > mutex_lock(&cxlrd->range_lock); > > region_dev = device_find_child(&cxlrd->cxlsd.cxld.dev, hpa, > > match_region_by_range); > > if (!region_dev) > > cxlr = construct_region(cxlrd, cxled); > > else > > cxlr = to_cxl_region(region_dev); > > mutex_unlock(&cxlrd->range_lock); > > > > rc = PTR_ERR_OR_ZERO(cxlr); > > if (rc) > > goto out; > > > > if (!region_dev) > > region_dev = &cxlr->dev; > > When to_cxl_region(region_dev) fails, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ to_cxl_region() will return NULL if "region_dev" is not a region device. 2215 static struct cxl_region *to_cxl_region(struct device *dev) 2216 { 2217 if (dev_WARN_ONCE(dev, dev->type != &cxl_region_type, 2218 "not a cxl_region device\n")) 2219 return NULL; 2220 2221 return container_of(dev, struct cxl_region, dev); 2222 } It won't fail. If it does fail, we're already in bad shape and it's not worth worrying about resource leaks at that point. regards, dan carpenter ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) 2024-04-29 10:17 ` Dan Carpenter @ 2024-04-29 10:26 ` Zhijian Li (Fujitsu) 2024-04-29 10:32 ` Dan Carpenter 0 siblings, 1 reply; 20+ messages in thread From: Zhijian Li (Fujitsu) @ 2024-04-29 10:26 UTC (permalink / raw) To: Dan Carpenter Cc: dave@stgolabs.net, jonathan.cameron@huawei.com, dave.jiang@intel.com, alison.schofield@intel.com, vishal.l.verma@intel.com, ira.weiny@intel.com, dan.j.williams@intel.com, linux-cxl@vger.kernel.org, linux-kernel@vger.kernel.org On 29/04/2024 18:17, Dan Carpenter wrote: > On Mon, Apr 29, 2024 at 09:31:54AM +0800, Li Zhijian wrote: >>> mutex_lock(&cxlrd->range_lock); >>> region_dev = device_find_child(&cxlrd->cxlsd.cxld.dev, hpa, >>> match_region_by_range); >>> if (!region_dev) >>> cxlr = construct_region(cxlrd, cxled); >>> else >>> cxlr = to_cxl_region(region_dev); >>> mutex_unlock(&cxlrd->range_lock); >>> >>> rc = PTR_ERR_OR_ZERO(cxlr); >>> if (rc) >>> goto out; >>> >>> if (!region_dev) >>> region_dev = &cxlr->dev; >> >> When to_cxl_region(region_dev) fails, > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > to_cxl_region() will return NULL if "region_dev" is not a region device. > > 2215 static struct cxl_region *to_cxl_region(struct device *dev) > 2216 { > 2217 if (dev_WARN_ONCE(dev, dev->type != &cxl_region_type, > 2218 "not a cxl_region device\n")) > 2219 return NULL; > 2220 > 2221 return container_of(dev, struct cxl_region, dev); > 2222 } > > It won't fail. > > If it does fail, we're already in bad shape and it's not worth worrying > about resource leaks at that point. > Sounds good to me, Thanks Zhijian > regards, > dan carpenter > > ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) 2024-04-29 10:26 ` Zhijian Li (Fujitsu) @ 2024-04-29 10:32 ` Dan Carpenter 0 siblings, 0 replies; 20+ messages in thread From: Dan Carpenter @ 2024-04-29 10:32 UTC (permalink / raw) To: Zhijian Li (Fujitsu) Cc: dave@stgolabs.net, jonathan.cameron@huawei.com, dave.jiang@intel.com, alison.schofield@intel.com, vishal.l.verma@intel.com, ira.weiny@intel.com, dan.j.williams@intel.com, linux-cxl@vger.kernel.org, linux-kernel@vger.kernel.org Btw, I assume you're doing some kind of static analysis? Looking for missing NULL checks is very tricky and I haven't found a way to do it well except for looking at failed allocations. Allocations have to be checked. There are so many other functions where we leave off the NULL check because the caller knows it can't fail. regards, dan carpenter ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) 2024-04-29 1:31 ` [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) Li Zhijian ` (3 preceding siblings ...) 2024-04-29 10:17 ` Dan Carpenter @ 2024-04-29 16:14 ` Ira Weiny 4 siblings, 0 replies; 20+ messages in thread From: Ira Weiny @ 2024-04-29 16:14 UTC (permalink / raw) To: Li Zhijian, dave, jonathan.cameron, dave.jiang, alison.schofield, vishal.l.verma, ira.weiny, dan.j.williams, linux-cxl Cc: linux-kernel, Li Zhijian Li Zhijian wrote: > > mutex_lock(&cxlrd->range_lock); > > region_dev = device_find_child(&cxlrd->cxlsd.cxld.dev, hpa, > > match_region_by_range); > > if (!region_dev) > > cxlr = construct_region(cxlrd, cxled); > > else > > cxlr = to_cxl_region(region_dev); > > mutex_unlock(&cxlrd->range_lock); > > > > rc = PTR_ERR_OR_ZERO(cxlr); > > if (rc) > > goto out; > > > > if (!region_dev) > > region_dev = &cxlr->dev; This diff hunk in the commit message is very odd. I would drop it. We know this builds on patch 1 where you made the above change. > > When to_cxl_region(region_dev) fails, put_device(region_dev) should be > called to decrease the reference count added by device_find_child(). I __think__ this is what Dan was pointing out but I'm not sure. I wanted to point out that to_cxl_region() can't fail because the device_find_child() is checking that the device is a region device. Dan, is that what you were saying when you mentioned there were more serious issues if to_cxl_region() were to fail? Ira > > Simply put_device(region_dev) if region_dev is valid in the error path. > > Fixes: a32320b71f08 ("cxl/region: Add region autodiscovery") > Signed-off-by: Li Zhijian <lizhijian@fujitsu.com> > --- > drivers/cxl/core/region.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c > index 3c80aa263a65..75390865382f 100644 > --- a/drivers/cxl/core/region.c > +++ b/drivers/cxl/core/region.c > @@ -3117,8 +3117,9 @@ int cxl_add_to_region(struct cxl_port *root, struct cxl_endpoint_decoder *cxled) > p->res); > } > > - put_device(region_dev); > out: > + if (region_dev) > + put_device(region_dev); > put_device(cxlrd_dev); > return rc; > } > -- > 2.29.2 > ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference 2024-04-29 1:31 [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference Li Zhijian 2024-04-29 1:31 ` [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) Li Zhijian @ 2024-04-29 7:50 ` Markus Elfring 2024-04-29 8:43 ` Zhijian Li (Fujitsu) 2024-04-29 10:10 ` [PATCH 1/2] " Dan Carpenter 2024-04-29 16:05 ` Ira Weiny 3 siblings, 1 reply; 20+ messages in thread From: Markus Elfring @ 2024-04-29 7:50 UTC (permalink / raw) To: Li Zhijian, linux-cxl, kernel-janitors, Alison Schofield, Dan Williams, Dave Jiang, Davidlohr Bueso, Ira Weiny, Jonathan Cameron, Vishal Verma Cc: LKML I would usually expect a corresponding cover letter for patch series. > construct_region() could return a PTR_ERR() which cannot be derefernced. I hope that a typo will be avoided in the last word of this sentence. > Moving the dereference behind the error checking to make sure the > pointer is valid. Please choose an imperative wording for an improved change description. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.9-rc5#n94 … > +++ b/drivers/cxl/core/region.c > @@ -3086,10 +3086,9 @@ int cxl_add_to_region(struct cxl_port *root, struct cxl_endpoint_decoder *cxled) > mutex_lock(&cxlrd->range_lock); > region_dev = device_find_child(&cxlrd->cxlsd.cxld.dev, hpa, > match_region_by_range); > - if (!region_dev) { > + if (!region_dev) > cxlr = construct_region(cxlrd, cxled); > - region_dev = &cxlr->dev; > - } else > + else > cxlr = to_cxl_region(region_dev); > mutex_unlock(&cxlrd->range_lock); I suggest to simplify such source code by using a conditional operator expression. Regards, Markus ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference 2024-04-29 7:50 ` [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference Markus Elfring @ 2024-04-29 8:43 ` Zhijian Li (Fujitsu) 2024-04-29 8:55 ` [1/2] " Markus Elfring 0 siblings, 1 reply; 20+ messages in thread From: Zhijian Li (Fujitsu) @ 2024-04-29 8:43 UTC (permalink / raw) To: Markus Elfring, linux-cxl@vger.kernel.org, kernel-janitors@vger.kernel.org, Alison Schofield, Dan Williams, Dave Jiang, Davidlohr Bueso, Ira Weiny, Jonathan Cameron, Vishal Verma Cc: LKML On 29/04/2024 15:50, Markus Elfring wrote: > I would usually expect a corresponding cover letter for patch series. > > >> construct_region() could return a PTR_ERR() which cannot be derefernced. > > I hope that a typo will be avoided in the last word of this sentence. Thanks, hate my fat fingers, I will fix it later. > > >> Moving the dereference behind the error checking to make sure the >> pointer is valid. > > Please choose an imperative wording for an improved change description. > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.9-rc5#n94 > > > … >> +++ b/drivers/cxl/core/region.c >> @@ -3086,10 +3086,9 @@ int cxl_add_to_region(struct cxl_port *root, struct cxl_endpoint_decoder *cxled) >> mutex_lock(&cxlrd->range_lock); >> region_dev = device_find_child(&cxlrd->cxlsd.cxld.dev, hpa, >> match_region_by_range); >> - if (!region_dev) { >> + if (!region_dev) >> cxlr = construct_region(cxlrd, cxled); >> - region_dev = &cxlr->dev; >> - } else >> + else >> cxlr = to_cxl_region(region_dev); >> mutex_unlock(&cxlrd->range_lock); > > I suggest to simplify such source code by using a conditional operator expression. Thanks for your suggestion. Do you mean something like: cxlr = region_dev ? to_cxl_region(region_dev) : construct_region(cxlrd, cxled); If so, I'm open to this option, but the kernel does not always obey this convention. For example, static inline int __must_check PTR_ERR_OR_ZERO(__force const void *ptr) { if (IS_ERR(ptr)) return PTR_ERR(ptr); else return 0; } Thanks Zhijian > > Regards, > Markus ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [1/2] cxl/region: Fix potential invalid pointer dereference 2024-04-29 8:43 ` Zhijian Li (Fujitsu) @ 2024-04-29 8:55 ` Markus Elfring 0 siblings, 0 replies; 20+ messages in thread From: Markus Elfring @ 2024-04-29 8:55 UTC (permalink / raw) To: Li Zhijian, linux-cxl, kernel-janitors, Alison Schofield, Dan Williams, Dave Jiang, Davidlohr Bueso, Ira Weiny, Jonathan Cameron, Vishal Verma Cc: LKML >> I suggest to simplify such source code by using a conditional operator expression. > > Thanks for your suggestion. Do you mean something like: > cxlr = region_dev ? to_cxl_region(region_dev) : construct_region(cxlrd, cxled); Yes. > If so, I'm open to this option, but the kernel does not always obey this convention. Involved developers present different coding style preferences. I hope that further source code parts can become a bit more succinct. Regards, Markus ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference 2024-04-29 1:31 [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference Li Zhijian 2024-04-29 1:31 ` [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) Li Zhijian 2024-04-29 7:50 ` [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference Markus Elfring @ 2024-04-29 10:10 ` Dan Carpenter 2024-04-29 10:25 ` Zhijian Li (Fujitsu) 2024-04-29 16:17 ` Ira Weiny 2024-04-29 16:05 ` Ira Weiny 3 siblings, 2 replies; 20+ messages in thread From: Dan Carpenter @ 2024-04-29 10:10 UTC (permalink / raw) To: Li Zhijian Cc: dave, jonathan.cameron, dave.jiang, alison.schofield, vishal.l.verma, ira.weiny, dan.j.williams, linux-cxl, linux-kernel On Mon, Apr 29, 2024 at 09:31:53AM +0800, Li Zhijian wrote: > construct_region() could return a PTR_ERR() which cannot be derefernced. > Moving the dereference behind the error checking to make sure the > pointer is valid. > No, this patch is unnecessary. drivers/cxl/core/region.c 3080 /* 3081 * Ensure that if multiple threads race to construct_region() for @hpa 3082 * one does the construction and the others add to that. 3083 */ 3084 mutex_lock(&cxlrd->range_lock); 3085 region_dev = device_find_child(&cxlrd->cxlsd.cxld.dev, hpa, 3086 match_region_by_range); 3087 if (!region_dev) { 3088 cxlr = construct_region(cxlrd, cxled); 3089 region_dev = &cxlr->dev; ^^^^^^^^^^^ This is not a dereference, it's just pointer math. In in this case it's the same as saying: region_dev = (void *)cxlr; 3090 } else 3091 cxlr = to_cxl_region(region_dev); 3092 mutex_unlock(&cxlrd->range_lock); 3093 3094 rc = PTR_ERR_OR_ZERO(cxlr); ^^^^^^^^^^^^^^^^^^^^^^^^^^^ This check means that if cxlr is an error pointer then we will clean up and return an error. regards, dan carpenter 3095 if (rc) 3096 goto out; 3097 3098 attach_target(cxlr, cxled, -1, TASK_UNINTERRUPTIBLE); 3099 3100 down_read(&cxl_region_rwsem); 3101 p = &cxlr->params; 3102 attach = p->state == CXL_CONFIG_COMMIT; 3103 up_read(&cxl_region_rwsem); 3104 3105 if (attach) { 3106 /* 3107 * If device_attach() fails the range may still be active via 3108 * the platform-firmware memory map, otherwise the driver for 3109 * regions is local to this file, so driver matching can't fail. 3110 */ 3111 if (device_attach(&cxlr->dev) < 0) 3112 dev_err(&cxlr->dev, "failed to enable, range: %pr\n", 3113 p->res); 3114 } 3115 3116 put_device(region_dev); 3117 out: 3118 put_device(cxlrd_dev); 3119 return rc; 3120 } ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference 2024-04-29 10:10 ` [PATCH 1/2] " Dan Carpenter @ 2024-04-29 10:25 ` Zhijian Li (Fujitsu) 2024-04-29 10:30 ` Dan Carpenter 2024-04-29 16:17 ` Ira Weiny 1 sibling, 1 reply; 20+ messages in thread From: Zhijian Li (Fujitsu) @ 2024-04-29 10:25 UTC (permalink / raw) To: Dan Carpenter Cc: dave@stgolabs.net, jonathan.cameron@huawei.com, dave.jiang@intel.com, alison.schofield@intel.com, vishal.l.verma@intel.com, ira.weiny@intel.com, dan.j.williams@intel.com, linux-cxl@vger.kernel.org, linux-kernel@vger.kernel.org On 29/04/2024 18:10, Dan Carpenter wrote: > On Mon, Apr 29, 2024 at 09:31:53AM +0800, Li Zhijian wrote: >> construct_region() could return a PTR_ERR() which cannot be derefernced. >> Moving the dereference behind the error checking to make sure the >> pointer is valid. >> > > No, this patch is unnecessary. Agree, > > drivers/cxl/core/region.c > 3080 /* > 3081 * Ensure that if multiple threads race to construct_region() for @hpa > 3082 * one does the construction and the others add to that. > 3083 */ > 3084 mutex_lock(&cxlrd->range_lock); > 3085 region_dev = device_find_child(&cxlrd->cxlsd.cxld.dev, hpa, > 3086 match_region_by_range); > 3087 if (!region_dev) { > 3088 cxlr = construct_region(cxlrd, cxled); > 3089 region_dev = &cxlr->dev; > ^^^^^^^^^^^ > This is not a dereference, it's just pointer math. In in this case it's > the same as saying: > > region_dev = (void *)cxlr; You are right, a equivalent code could be: region_dev = ((char *)cxlr) + offsetof(struct cxl_region, dev); Thanks > > 3090 } else > 3091 cxlr = to_cxl_region(region_dev); > 3092 mutex_unlock(&cxlrd->range_lock); > 3093 > 3094 rc = PTR_ERR_OR_ZERO(cxlr); > ^^^^^^^^^^^^^^^^^^^^^^^^^^^ > This check means that if cxlr is an error pointer then we will clean up > and return an error. > > regards, > dan carpenter > > 3095 if (rc) > 3096 goto out; > 3097 > 3098 attach_target(cxlr, cxled, -1, TASK_UNINTERRUPTIBLE); > 3099 > 3100 down_read(&cxl_region_rwsem); > 3101 p = &cxlr->params; > 3102 attach = p->state == CXL_CONFIG_COMMIT; > 3103 up_read(&cxl_region_rwsem); > 3104 > 3105 if (attach) { > 3106 /* > 3107 * If device_attach() fails the range may still be active via > 3108 * the platform-firmware memory map, otherwise the driver for > 3109 * regions is local to this file, so driver matching can't fail. > 3110 */ > 3111 if (device_attach(&cxlr->dev) < 0) > 3112 dev_err(&cxlr->dev, "failed to enable, range: %pr\n", > 3113 p->res); > 3114 } > 3115 > 3116 put_device(region_dev); > 3117 out: > 3118 put_device(cxlrd_dev); > 3119 return rc; > 3120 } > > ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference 2024-04-29 10:25 ` Zhijian Li (Fujitsu) @ 2024-04-29 10:30 ` Dan Carpenter 0 siblings, 0 replies; 20+ messages in thread From: Dan Carpenter @ 2024-04-29 10:30 UTC (permalink / raw) To: Zhijian Li (Fujitsu) Cc: dave@stgolabs.net, jonathan.cameron@huawei.com, dave.jiang@intel.com, alison.schofield@intel.com, vishal.l.verma@intel.com, ira.weiny@intel.com, dan.j.williams@intel.com, linux-cxl@vger.kernel.org, linux-kernel@vger.kernel.org On Mon, Apr 29, 2024 at 10:25:35AM +0000, Zhijian Li (Fujitsu) wrote: > > 3084 mutex_lock(&cxlrd->range_lock); > > 3085 region_dev = device_find_child(&cxlrd->cxlsd.cxld.dev, hpa, > > 3086 match_region_by_range); > > 3087 if (!region_dev) { > > 3088 cxlr = construct_region(cxlrd, cxled); > > 3089 region_dev = &cxlr->dev; > > ^^^^^^^^^^^ > > This is not a dereference, it's just pointer math. In in this case it's > > the same as saying: > > > > region_dev = (void *)cxlr; > > > You are right, a equivalent code could be: > region_dev = ((char *)cxlr) + offsetof(struct cxl_region, dev); > > Correct. But offsetof() is zero. It's the same math that to_cxl_region() does. regards, dan carpenter ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference 2024-04-29 10:10 ` [PATCH 1/2] " Dan Carpenter 2024-04-29 10:25 ` Zhijian Li (Fujitsu) @ 2024-04-29 16:17 ` Ira Weiny 1 sibling, 0 replies; 20+ messages in thread From: Ira Weiny @ 2024-04-29 16:17 UTC (permalink / raw) To: Dan Carpenter, Li Zhijian Cc: dave, jonathan.cameron, dave.jiang, alison.schofield, vishal.l.verma, ira.weiny, dan.j.williams, linux-cxl, linux-kernel Dan Carpenter wrote: > On Mon, Apr 29, 2024 at 09:31:53AM +0800, Li Zhijian wrote: > > construct_region() could return a PTR_ERR() which cannot be derefernced. > > Moving the dereference behind the error checking to make sure the > > pointer is valid. > > > > No, this patch is unnecessary. > > drivers/cxl/core/region.c > 3080 /* > 3081 * Ensure that if multiple threads race to construct_region() for @hpa > 3082 * one does the construction and the others add to that. > 3083 */ > 3084 mutex_lock(&cxlrd->range_lock); > 3085 region_dev = device_find_child(&cxlrd->cxlsd.cxld.dev, hpa, > 3086 match_region_by_range); > 3087 if (!region_dev) { > 3088 cxlr = construct_region(cxlrd, cxled); > 3089 region_dev = &cxlr->dev; > ^^^^^^^^^^^ > This is not a dereference, it's just pointer math. In in this case it's > the same as saying: > > region_dev = (void *)cxlr; Ah... OK I guess we can ignore the change. Still odd to my eyes though. Ira > > 3090 } else > 3091 cxlr = to_cxl_region(region_dev); > 3092 mutex_unlock(&cxlrd->range_lock); > 3093 > 3094 rc = PTR_ERR_OR_ZERO(cxlr); > ^^^^^^^^^^^^^^^^^^^^^^^^^^^ > This check means that if cxlr is an error pointer then we will clean up > and return an error. > > regards, > dan carpenter > > 3095 if (rc) > 3096 goto out; > 3097 > 3098 attach_target(cxlr, cxled, -1, TASK_UNINTERRUPTIBLE); > 3099 > 3100 down_read(&cxl_region_rwsem); > 3101 p = &cxlr->params; > 3102 attach = p->state == CXL_CONFIG_COMMIT; > 3103 up_read(&cxl_region_rwsem); > 3104 > 3105 if (attach) { > 3106 /* > 3107 * If device_attach() fails the range may still be active via > 3108 * the platform-firmware memory map, otherwise the driver for > 3109 * regions is local to this file, so driver matching can't fail. > 3110 */ > 3111 if (device_attach(&cxlr->dev) < 0) > 3112 dev_err(&cxlr->dev, "failed to enable, range: %pr\n", > 3113 p->res); > 3114 } > 3115 > 3116 put_device(region_dev); > 3117 out: > 3118 put_device(cxlrd_dev); > 3119 return rc; > 3120 } > > ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference 2024-04-29 1:31 [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference Li Zhijian ` (2 preceding siblings ...) 2024-04-29 10:10 ` [PATCH 1/2] " Dan Carpenter @ 2024-04-29 16:05 ` Ira Weiny 3 siblings, 0 replies; 20+ messages in thread From: Ira Weiny @ 2024-04-29 16:05 UTC (permalink / raw) To: Li Zhijian, dave, jonathan.cameron, dave.jiang, alison.schofield, vishal.l.verma, ira.weiny, dan.j.williams, linux-cxl Cc: linux-kernel, Li Zhijian Li Zhijian wrote: > construct_region() could return a PTR_ERR() which cannot be derefernced. ^^^^ dereferenced > Moving the dereference behind the error checking to make sure the > pointer is valid. > Reviewed-by: Ira Weiny <ira.weiny@intel.com> > Fixes: a32320b71f08 ("cxl/region: Add region autodiscovery") > Signed-off-by: Li Zhijian <lizhijian@fujitsu.com> > --- > drivers/cxl/core/region.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c > index 8535718a20f0..3c80aa263a65 100644 > --- a/drivers/cxl/core/region.c > +++ b/drivers/cxl/core/region.c > @@ -3086,10 +3086,9 @@ int cxl_add_to_region(struct cxl_port *root, struct cxl_endpoint_decoder *cxled) > mutex_lock(&cxlrd->range_lock); > region_dev = device_find_child(&cxlrd->cxlsd.cxld.dev, hpa, > match_region_by_range); > - if (!region_dev) { > + if (!region_dev) > cxlr = construct_region(cxlrd, cxled); > - region_dev = &cxlr->dev; > - } else > + else > cxlr = to_cxl_region(region_dev); > mutex_unlock(&cxlrd->range_lock); > > @@ -3097,6 +3096,9 @@ int cxl_add_to_region(struct cxl_port *root, struct cxl_endpoint_decoder *cxled) > if (rc) > goto out; > > + if (!region_dev) > + region_dev = &cxlr->dev; > + > attach_target(cxlr, cxled, -1, TASK_UNINTERRUPTIBLE); > > down_read(&cxl_region_rwsem); > -- > 2.29.2 > ^ permalink raw reply [flat|nested] 20+ messages in thread
end of thread, other threads:[~2024-04-29 16:17 UTC | newest] Thread overview: 20+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-04-29 1:31 [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference Li Zhijian 2024-04-29 1:31 ` [PATCH 2/2] cxl/region: Fix missing put_device(region_dev) Li Zhijian 2024-04-29 1:51 ` Zhijian Li (Fujitsu) 2024-04-29 8:00 ` Markus Elfring 2024-04-29 8:26 ` Zhijian Li (Fujitsu) 2024-04-29 10:00 ` Dan Carpenter 2024-04-29 10:11 ` Zhijian Li (Fujitsu) 2024-04-29 8:35 ` Zhijian Li (Fujitsu) 2024-04-29 10:17 ` Dan Carpenter 2024-04-29 10:26 ` Zhijian Li (Fujitsu) 2024-04-29 10:32 ` Dan Carpenter 2024-04-29 16:14 ` Ira Weiny 2024-04-29 7:50 ` [PATCH 1/2] cxl/region: Fix potential invalid pointer dereference Markus Elfring 2024-04-29 8:43 ` Zhijian Li (Fujitsu) 2024-04-29 8:55 ` [1/2] " Markus Elfring 2024-04-29 10:10 ` [PATCH 1/2] " Dan Carpenter 2024-04-29 10:25 ` Zhijian Li (Fujitsu) 2024-04-29 10:30 ` Dan Carpenter 2024-04-29 16:17 ` Ira Weiny 2024-04-29 16:05 ` Ira Weiny
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox