From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Zhou Qingyang <zhou1615@umn.edu>,
Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 29/53] spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op()
Date: Mon, 28 Feb 2022 18:24:27 +0100 [thread overview]
Message-ID: <20220228172250.404297965@linuxfoundation.org> (raw)
In-Reply-To: <20220228172248.232273337@linuxfoundation.org>
From: Zhou Qingyang <zhou1615@umn.edu>
[ Upstream commit ab3824427b848da10e9fe2727f035bbeecae6ff4 ]
In zynq_qspi_exec_mem_op(), kzalloc() is directly used in memset(),
which could lead to a NULL pointer dereference on failure of
kzalloc().
Fix this bug by adding a check of tmpbuf.
This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.
Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.
Builds with CONFIG_SPI_ZYNQ_QSPI=m show no new warnings,
and our static analyzer no longer warns about this code.
Fixes: 67dca5e580f1 ("spi: spi-mem: Add support for Zynq QSPI controller")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Link: https://lore.kernel.org/r/20211130172253.203700-1-zhou1615@umn.edu
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-zynq-qspi.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c
index 1ced6eb8b3303..b3588240eb39b 100644
--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -558,6 +558,9 @@ static int zynq_qspi_exec_mem_op(struct spi_mem *mem,
if (op->dummy.nbytes) {
tmpbuf = kzalloc(op->dummy.nbytes, GFP_KERNEL);
+ if (!tmpbuf)
+ return -ENOMEM;
+
memset(tmpbuf, 0xff, op->dummy.nbytes);
reinit_completion(&xqspi->data_completion);
xqspi->txbuf = tmpbuf;
--
2.34.1
next prev parent reply other threads:[~2022-02-28 17:41 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-28 17:23 [PATCH 5.4 00/53] 5.4.182-rc1 review Greg Kroah-Hartman
2022-02-28 17:23 ` [PATCH 5.4 01/53] cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 02/53] clk: jz4725b: fix mmc0 clock gating Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 03/53] vhost/vsock: dont check owner in vhost_vsock_stop() while releasing Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 04/53] parisc/unaligned: Fix fldd and fstd unaligned handlers on 32-bit kernel Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 05/53] parisc/unaligned: Fix ldw() and stw() unalignment handlers Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 06/53] drm/amdgpu: disable MMHUB PG for Picasso Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 07/53] sr9700: sanity check for packet length Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 08/53] USB: zaurus: support another broken Zaurus Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 09/53] netfilter: nf_tables_offload: incorrect flow offload action array size Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 10/53] x86/fpu: Correct pkru/xstate inconsistency Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 11/53] tee: export teedev_open() and teedev_close_context() Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 12/53] optee: use driver internal tee_context for some rpc Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 13/53] lan743x: fix deadlock in lan743x_phy_link_status_change() Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 14/53] ping: remove pr_err from ping_lookup Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 15/53] perf data: Fix double free in perf_session__delete() Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 16/53] bpf: Do not try bpf_msg_push_data with len 0 Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 17/53] net: __pskb_pull_tail() & pskb_carve_frag_list() drop_monitor friends Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 18/53] tipc: Fix end of loop tests for list_for_each_entry() Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 19/53] gso: do not skip outer ip header in case of ipip and net_failover Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 20/53] openvswitch: Fix setting ipv6 fields causing hw csum failure Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 21/53] drm/edid: Always set RGB444 Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 22/53] net/mlx5e: Fix wrong return value on ioctl EEPROM query failure Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 23/53] net: ll_temac: check the return value of devm_kmalloc() Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 24/53] net: Force inlining of checksum functions in net/checksum.h Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 25/53] nfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac() Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 26/53] netfilter: nf_tables: fix memory leak during stateful obj update Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 27/53] net/mlx5: Fix possible deadlock on rule deletion Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 28/53] net/mlx5: Fix wrong limitation of metadata match on ecpf Greg Kroah-Hartman
2022-02-28 17:24 ` Greg Kroah-Hartman [this message]
2022-02-28 17:24 ` [PATCH 5.4 30/53] configfs: fix a race in configfs_{,un}register_subsystem() Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 31/53] RDMA/ib_srp: Fix a deadlock Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 32/53] tracing: Have traceon and traceoff trigger honor the instance Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 33/53] iio: adc: men_z188_adc: Fix a resource leak in an error handling path Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 34/53] iio: adc: ad7124: fix mask used for setting AIN_BUFP & AIN_BUFM bits Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 35/53] iio: Fix error handling for PM Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 36/53] ata: pata_hpt37x: disable primary channel on HPT371 Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 37/53] Revert "USB: serial: ch341: add new Product ID for CH341A" Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 38/53] usb: gadget: rndis: add spinlock for rndis response list Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 39/53] USB: gadget: validate endpoint index for xilinx udc Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 40/53] tracefs: Set the group ownership in apply_options() not parse_options() Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 41/53] USB: serial: option: add support for DW5829e Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 42/53] USB: serial: option: add Telit LE910R1 compositions Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 43/53] usb: dwc3: pci: Fix Bay Trail phy GPIO mappings Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 44/53] usb: dwc3: gadget: Let the interrupt handler disable bottom halves Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 45/53] xhci: re-initialize the HC during resume if HCE was set Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 46/53] xhci: Prevent futile URB re-submissions due to incorrect return value Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 47/53] tty: n_gsm: fix encoding of control signal octet bit DV Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 48/53] tty: n_gsm: fix proper link termination after failed open Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 49/53] tty: n_gsm: fix NULL pointer access due to DLCI release Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 50/53] gpio: tegra186: Fix chip_data type confusion Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 51/53] Revert "drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR" Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 52/53] memblock: use kfree() to release kmalloced memblock regions Greg Kroah-Hartman
2022-02-28 17:24 ` [PATCH 5.4 53/53] fget: clarify and improve __fget_files() implementation Greg Kroah-Hartman
2022-02-28 21:42 ` [PATCH 5.4 00/53] 5.4.182-rc1 review Shuah Khan
2022-02-28 23:12 ` Florian Fainelli
2022-03-01 11:34 ` Sudip Mukherjee
2022-03-01 16:45 ` Naresh Kamboju
2022-03-01 19:13 ` Guenter Roeck
2022-03-02 7:04 ` Slade Watkins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220228172250.404297965@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=broonie@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=zhou1615@umn.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox