* [PATCH][next] ACPI: APEI: EINJ: Fix check and iounmap of uninitialized pointer p
@ 2025-06-24 20:29 Colin Ian King
2025-06-24 21:31 ` Dan Carpenter
2025-06-25 21:40 ` Ira Weiny
0 siblings, 2 replies; 7+ messages in thread
From: Colin Ian King @ 2025-06-24 20:29 UTC (permalink / raw)
To: Rafael J . Wysocki, Len Brown, James Morse, Tony Luck,
Borislav Petkov, Ira Weiny, linux-acpi
Cc: kernel-janitors, linux-kernel
In the case where a request_mem_region call fails and pointer r is null
the error exit path via label 'out' will check for a non-null pointer
p and try to iounmap it. However, pointer p has not been assigned a
value at this point, so it may potentially contain any garbage value.
Fix this by ensuring pointer p is initialized to NULL.
Fixes: 1a35c88302a3 ("ACPI: APEI: EINJ: Fix kernel test sparse warnings")
Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
---
drivers/acpi/apei/einj-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c
index 7930acd1d3f3..fc801587df8e 100644
--- a/drivers/acpi/apei/einj-core.c
+++ b/drivers/acpi/apei/einj-core.c
@@ -401,7 +401,7 @@ static int __einj_error_trigger(u64 trigger_paddr, u32 type,
u32 table_size;
int rc = -EIO;
struct acpi_generic_address *trigger_param_region = NULL;
- struct acpi_einj_trigger __iomem *p;
+ struct acpi_einj_trigger __iomem *p = NULL;
r = request_mem_region(trigger_paddr, sizeof(trigger_tab),
"APEI EINJ Trigger Table");
--
2.50.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH][next] ACPI: APEI: EINJ: Fix check and iounmap of uninitialized pointer p
2025-06-24 20:29 [PATCH][next] ACPI: APEI: EINJ: Fix check and iounmap of uninitialized pointer p Colin Ian King
@ 2025-06-24 21:31 ` Dan Carpenter
2025-06-25 11:50 ` Dan Carpenter
2025-06-25 21:40 ` Ira Weiny
1 sibling, 1 reply; 7+ messages in thread
From: Dan Carpenter @ 2025-06-24 21:31 UTC (permalink / raw)
To: Colin Ian King
Cc: Rafael J . Wysocki, Len Brown, James Morse, Tony Luck,
Borislav Petkov, Ira Weiny, linux-acpi, kernel-janitors,
linux-kernel
On Tue, Jun 24, 2025 at 09:29:37PM +0100, Colin Ian King wrote:
> In the case where a request_mem_region call fails and pointer r is null
> the error exit path via label 'out' will check for a non-null pointer
> p and try to iounmap it. However, pointer p has not been assigned a
> value at this point, so it may potentially contain any garbage value.
> Fix this by ensuring pointer p is initialized to NULL.
>
> Fixes: 1a35c88302a3 ("ACPI: APEI: EINJ: Fix kernel test sparse warnings")
> Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
> ---
Good catch. Apparently this isn't in my allyesconfig. It's weird the
zero day bot didn't catch this either.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH][next] ACPI: APEI: EINJ: Fix check and iounmap of uninitialized pointer p
2025-06-24 21:31 ` Dan Carpenter
@ 2025-06-25 11:50 ` Dan Carpenter
0 siblings, 0 replies; 7+ messages in thread
From: Dan Carpenter @ 2025-06-25 11:50 UTC (permalink / raw)
To: Colin Ian King
Cc: Rafael J . Wysocki, Len Brown, James Morse, Tony Luck,
Borislav Petkov, Ira Weiny, linux-acpi, kernel-janitors,
linux-kernel
On Wed, Jun 25, 2025 at 12:31:10AM +0300, Dan Carpenter wrote:
> On Tue, Jun 24, 2025 at 09:29:37PM +0100, Colin Ian King wrote:
> > In the case where a request_mem_region call fails and pointer r is null
> > the error exit path via label 'out' will check for a non-null pointer
> > p and try to iounmap it. However, pointer p has not been assigned a
> > value at this point, so it may potentially contain any garbage value.
> > Fix this by ensuring pointer p is initialized to NULL.
> >
> > Fixes: 1a35c88302a3 ("ACPI: APEI: EINJ: Fix kernel test sparse warnings")
> > Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
> > ---
>
> Good catch. Apparently this isn't in my allyesconfig. It's weird the
> zero day bot didn't catch this either.
Never mind. This is definitely in my allyesconfig.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH][next] ACPI: APEI: EINJ: Fix check and iounmap of uninitialized pointer p
2025-06-24 20:29 [PATCH][next] ACPI: APEI: EINJ: Fix check and iounmap of uninitialized pointer p Colin Ian King
2025-06-24 21:31 ` Dan Carpenter
@ 2025-06-25 21:40 ` Ira Weiny
2025-06-25 21:43 ` Colin King (gmail)
1 sibling, 1 reply; 7+ messages in thread
From: Ira Weiny @ 2025-06-25 21:40 UTC (permalink / raw)
To: Colin Ian King, Rafael J . Wysocki, Len Brown, James Morse,
Tony Luck, Borislav Petkov, Ira Weiny, linux-acpi
Cc: kernel-janitors, linux-kernel
Colin Ian King wrote:
> In the case where a request_mem_region call fails and pointer r is null
> the error exit path via label 'out' will check for a non-null pointer
> p and try to iounmap it. However, pointer p has not been assigned a
> value at this point, so it may potentially contain any garbage value.
> Fix this by ensuring pointer p is initialized to NULL.
>
> Fixes: 1a35c88302a3 ("ACPI: APEI: EINJ: Fix kernel test sparse warnings")
> Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
> ---
> drivers/acpi/apei/einj-core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c
> index 7930acd1d3f3..fc801587df8e 100644
> --- a/drivers/acpi/apei/einj-core.c
> +++ b/drivers/acpi/apei/einj-core.c
> @@ -401,7 +401,7 @@ static int __einj_error_trigger(u64 trigger_paddr, u32 type,
> u32 table_size;
> int rc = -EIO;
> struct acpi_generic_address *trigger_param_region = NULL;
> - struct acpi_einj_trigger __iomem *p;
> + struct acpi_einj_trigger __iomem *p = NULL;
Apparently my review of these was pretty weak... :-/
That said; Why not skip a goto as well?
Ira
diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c
index d6d7e36e3647..fae01795e7f6 100644
--- a/drivers/acpi/apei/einj-core.c
+++ b/drivers/acpi/apei/einj-core.c
@@ -410,7 +410,7 @@ static int __einj_error_trigger(u64 trigger_paddr, u32 type,
(unsigned long long)trigger_paddr,
(unsigned long long)trigger_paddr +
sizeof(trigger_tab) - 1);
- goto out;
+ return -EIO;
}
p = ioremap_cache(trigger_paddr, sizeof(*p));
if (!p) {
@@ -502,7 +502,6 @@ static int __einj_error_trigger(u64 trigger_paddr, u32 type,
table_size - sizeof(trigger_tab));
out_rel_header:
release_mem_region(trigger_paddr, sizeof(trigger_tab));
-out:
if (p)
iounmap(p);
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH][next] ACPI: APEI: EINJ: Fix check and iounmap of uninitialized pointer p
2025-06-25 21:40 ` Ira Weiny
@ 2025-06-25 21:43 ` Colin King (gmail)
2025-06-26 14:29 ` Ira Weiny
2025-06-26 18:53 ` Rafael J. Wysocki
0 siblings, 2 replies; 7+ messages in thread
From: Colin King (gmail) @ 2025-06-25 21:43 UTC (permalink / raw)
To: Ira Weiny, Rafael J . Wysocki, Len Brown, James Morse, Tony Luck,
Borislav Petkov, linux-acpi
Cc: kernel-janitors, linux-kernel
[-- Attachment #1.1.1: Type: text/plain, Size: 2344 bytes --]
On 25/06/2025 22:40, Ira Weiny wrote:
> Colin Ian King wrote:
>> In the case where a request_mem_region call fails and pointer r is null
>> the error exit path via label 'out' will check for a non-null pointer
>> p and try to iounmap it. However, pointer p has not been assigned a
>> value at this point, so it may potentially contain any garbage value.
>> Fix this by ensuring pointer p is initialized to NULL.
>>
>> Fixes: 1a35c88302a3 ("ACPI: APEI: EINJ: Fix kernel test sparse warnings")
>> Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
>> ---
>> drivers/acpi/apei/einj-core.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c
>> index 7930acd1d3f3..fc801587df8e 100644
>> --- a/drivers/acpi/apei/einj-core.c
>> +++ b/drivers/acpi/apei/einj-core.c
>> @@ -401,7 +401,7 @@ static int __einj_error_trigger(u64 trigger_paddr, u32 type,
>> u32 table_size;
>> int rc = -EIO;
>> struct acpi_generic_address *trigger_param_region = NULL;
>> - struct acpi_einj_trigger __iomem *p;
>> + struct acpi_einj_trigger __iomem *p = NULL;
>
> Apparently my review of these was pretty weak... :-/
>
> That said; Why not skip a goto as well?
Because the goto uses a shared return path and hence reduces the amount
of return epilogue used in the generated code.
Colin
>
> Ira
>
> diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c
> index d6d7e36e3647..fae01795e7f6 100644
> --- a/drivers/acpi/apei/einj-core.c
> +++ b/drivers/acpi/apei/einj-core.c
> @@ -410,7 +410,7 @@ static int __einj_error_trigger(u64 trigger_paddr, u32 type,
> (unsigned long long)trigger_paddr,
> (unsigned long long)trigger_paddr +
> sizeof(trigger_tab) - 1);
> - goto out;
> + return -EIO;
> }
> p = ioremap_cache(trigger_paddr, sizeof(*p));
> if (!p) {
> @@ -502,7 +502,6 @@ static int __einj_error_trigger(u64 trigger_paddr, u32 type,
> table_size - sizeof(trigger_tab));
> out_rel_header:
> release_mem_region(trigger_paddr, sizeof(trigger_tab));
> -out:
> if (p)
> iounmap(p);
>
[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 4901 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH][next] ACPI: APEI: EINJ: Fix check and iounmap of uninitialized pointer p
2025-06-25 21:43 ` Colin King (gmail)
@ 2025-06-26 14:29 ` Ira Weiny
2025-06-26 18:53 ` Rafael J. Wysocki
1 sibling, 0 replies; 7+ messages in thread
From: Ira Weiny @ 2025-06-26 14:29 UTC (permalink / raw)
To: Colin King (gmail), Ira Weiny, Rafael J . Wysocki, Len Brown,
James Morse, Tony Luck, Borislav Petkov, linux-acpi
Cc: kernel-janitors, linux-kernel
Colin King (gmail) wrote:
> On 25/06/2025 22:40, Ira Weiny wrote:
> > Colin Ian King wrote:
> >> In the case where a request_mem_region call fails and pointer r is null
> >> the error exit path via label 'out' will check for a non-null pointer
> >> p and try to iounmap it. However, pointer p has not been assigned a
> >> value at this point, so it may potentially contain any garbage value.
> >> Fix this by ensuring pointer p is initialized to NULL.
> >>
> >> Fixes: 1a35c88302a3 ("ACPI: APEI: EINJ: Fix kernel test sparse warnings")
> >> Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
> >> ---
> >> drivers/acpi/apei/einj-core.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c
> >> index 7930acd1d3f3..fc801587df8e 100644
> >> --- a/drivers/acpi/apei/einj-core.c
> >> +++ b/drivers/acpi/apei/einj-core.c
> >> @@ -401,7 +401,7 @@ static int __einj_error_trigger(u64 trigger_paddr, u32 type,
> >> u32 table_size;
> >> int rc = -EIO;
> >> struct acpi_generic_address *trigger_param_region = NULL;
> >> - struct acpi_einj_trigger __iomem *p;
> >> + struct acpi_einj_trigger __iomem *p = NULL;
> >
> > Apparently my review of these was pretty weak... :-/
> >
> > That said; Why not skip a goto as well?
>
> Because the goto uses a shared return path and hence reduces the amount
> of return epilogue used in the generated code.
Is that really important in a debugfs triggered code path?
I'm not seeing the benefit vs reducing the complexity of the code.
Frankly we probably aught to be using the new cleanup features in this
function but I refrained from requesting such a big change.
Ira
>
> Colin
>
> >
> > Ira
> >
> > diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c
> > index d6d7e36e3647..fae01795e7f6 100644
> > --- a/drivers/acpi/apei/einj-core.c
> > +++ b/drivers/acpi/apei/einj-core.c
> > @@ -410,7 +410,7 @@ static int __einj_error_trigger(u64 trigger_paddr, u32 type,
> > (unsigned long long)trigger_paddr,
> > (unsigned long long)trigger_paddr +
> > sizeof(trigger_tab) - 1);
> > - goto out;
> > + return -EIO;
> > }
> > p = ioremap_cache(trigger_paddr, sizeof(*p));
> > if (!p) {
> > @@ -502,7 +502,6 @@ static int __einj_error_trigger(u64 trigger_paddr, u32 type,
> > table_size - sizeof(trigger_tab));
> > out_rel_header:
> > release_mem_region(trigger_paddr, sizeof(trigger_tab));
> > -out:
> > if (p)
> > iounmap(p);
> >
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH][next] ACPI: APEI: EINJ: Fix check and iounmap of uninitialized pointer p
2025-06-25 21:43 ` Colin King (gmail)
2025-06-26 14:29 ` Ira Weiny
@ 2025-06-26 18:53 ` Rafael J. Wysocki
1 sibling, 0 replies; 7+ messages in thread
From: Rafael J. Wysocki @ 2025-06-26 18:53 UTC (permalink / raw)
To: Colin King (gmail)
Cc: Ira Weiny, Rafael J . Wysocki, Len Brown, James Morse, Tony Luck,
Borislav Petkov, linux-acpi, kernel-janitors, linux-kernel
On Wed, Jun 25, 2025 at 11:43 PM Colin King (gmail)
<colin.i.king@gmail.com> wrote:
>
> On 25/06/2025 22:40, Ira Weiny wrote:
> > Colin Ian King wrote:
> >> In the case where a request_mem_region call fails and pointer r is null
> >> the error exit path via label 'out' will check for a non-null pointer
> >> p and try to iounmap it. However, pointer p has not been assigned a
> >> value at this point, so it may potentially contain any garbage value.
> >> Fix this by ensuring pointer p is initialized to NULL.
> >>
> >> Fixes: 1a35c88302a3 ("ACPI: APEI: EINJ: Fix kernel test sparse warnings")
> >> Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
> >> ---
> >> drivers/acpi/apei/einj-core.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c
> >> index 7930acd1d3f3..fc801587df8e 100644
> >> --- a/drivers/acpi/apei/einj-core.c
> >> +++ b/drivers/acpi/apei/einj-core.c
> >> @@ -401,7 +401,7 @@ static int __einj_error_trigger(u64 trigger_paddr, u32 type,
> >> u32 table_size;
> >> int rc = -EIO;
> >> struct acpi_generic_address *trigger_param_region = NULL;
> >> - struct acpi_einj_trigger __iomem *p;
> >> + struct acpi_einj_trigger __iomem *p = NULL;
> >
> > Apparently my review of these was pretty weak... :-/
> >
> > That said; Why not skip a goto as well?
>
> Because the goto uses a shared return path and hence reduces the amount
> of return epilogue used in the generated code.
Applied, thanks!
> > diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c
> > index d6d7e36e3647..fae01795e7f6 100644
> > --- a/drivers/acpi/apei/einj-core.c
> > +++ b/drivers/acpi/apei/einj-core.c
> > @@ -410,7 +410,7 @@ static int __einj_error_trigger(u64 trigger_paddr, u32 type,
> > (unsigned long long)trigger_paddr,
> > (unsigned long long)trigger_paddr +
> > sizeof(trigger_tab) - 1);
> > - goto out;
> > + return -EIO;
> > }
> > p = ioremap_cache(trigger_paddr, sizeof(*p));
> > if (!p) {
> > @@ -502,7 +502,6 @@ static int __einj_error_trigger(u64 trigger_paddr, u32 type,
> > table_size - sizeof(trigger_tab));
> > out_rel_header:
> > release_mem_region(trigger_paddr, sizeof(trigger_tab));
> > -out:
> > if (p)
> > iounmap(p);
> >
>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2025-06-26 18:54 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-06-24 20:29 [PATCH][next] ACPI: APEI: EINJ: Fix check and iounmap of uninitialized pointer p Colin Ian King
2025-06-24 21:31 ` Dan Carpenter
2025-06-25 11:50 ` Dan Carpenter
2025-06-25 21:40 ` Ira Weiny
2025-06-25 21:43 ` Colin King (gmail)
2025-06-26 14:29 ` Ira Weiny
2025-06-26 18:53 ` Rafael J. Wysocki
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).