Re: [PATCH v5 2/3] clk: en7523: generalize register clocks function

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The PCIe clock backing structure is allocated with `devm_kzalloc()` but registered with non-managed `clk_hw_register()`, leading to a UAF if probe fails.
--

commit 8b129b6c8b9f7c7f67a06021102b7f5673eead5f
Author: Christian Marangi <ansuelsmth@gmail.com>

clk: en7523: generalize register clocks function

This commit generalizes the clock registration logic used by the Airoha
EN7581 SoC to also support the AN7583 SoC. It updates the implementation
to register clocks defined in the new soc_data structures.

> diff --git a/drivers/clk/clk-en7523.c b/drivers/clk/clk-en7523.c
> index 1ab0e2eca5d32..087ff4568124f 100644
> --- a/drivers/clk/clk-en7523.c
> +++ b/drivers/clk/clk-en7523.c
[ ... ]
> @@ -711,12 +712,15 @@ static int en7523_clk_hw_init(struct platform_device *pdev,
>  static void en7581_register_clocks(struct device *dev, struct clk_hw_onecell_data *clk_data,
>  				   struct regmap *map, void __iomem *base)
>  {

[Severity: High]
This isn't a bug introduced by this patch, but looking at 
en7523_register_pcie_clk() which is called at the end of this function, it 
appears the clock backing structure is allocated with devm_kzalloc() but 
registered with the non-managed clk_hw_register().

If probe fails later, the driver core will automatically unwind devm resources 
and free the structure. However, because the clock was not registered with 
devm_clk_hw_register(), CCF is never notified to unregister the clock and 
retains dangling pointers to it.

Could this lead to a use-after-free if the CCF is subsequently accessed, for 
example by reading clk_summary? Should en7523_register_pcie_clk() be updated 
to use devm_clk_hw_register() instead?

> +	const struct en_clk_soc_data *soc_data;
>  	struct clk_hw *hw;
>  	u32 rate;
>  	int i;
>  
> -	for (i = 0; i < ARRAY_SIZE(en7581_base_clks); i++) {
> -		const struct en_clk_desc *desc = &en7581_base_clks[i];
> +	soc_data = device_get_match_data(dev);
> +
> +	for (i = 0; i < soc_data->num_clocks - 1; i++) {
> +		const struct en_clk_desc *desc = &soc_data->base_clks[i];
>  		u32 val, reg = desc->div_reg ? desc->div_reg : desc->base_reg;
>  		int err;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260528190000.9164-1-ansuelsmth@gmail.com?part=2