From: Lee Jones <lee@kernel.org>
To: Pengpeng Hou <pengpeng@iscas.ac.cn>
Cc: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mfd: sm501: unwind common init failures
Date: Thu, 2 Jul 2026 11:57:30 +0100 [thread overview]
Message-ID: <20260702105730.GJ2108533@google.com> (raw)
In-Reply-To: <20260616004159.90144-1-pengpeng@iscas.ac.cn>
Can you consider these please.
Also, we don't allow forward declarations.
/* Sashiko Automation: Reviewed (2 Findings) */
On Tue, 16 Jun 2026, Pengpeng Hou wrote:
> sm501_init_dev() creates the debug sysfs file and can register child
> devices before the final clock-source sanity check. If that check fails,
> the caller tears down the parent mapping but the children and debug file
> remain published. The PCI probe path also ignored the return value from
> sm501_init_dev().
>
> Unwind the common SM501 registrations before returning the clock-check
> failure, and make the PCI probe path propagate sm501_init_dev() errors.
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
> drivers/mfd/sm501.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c
> index 0ee6d8940e69..b21b4fc18e87 100644
> --- a/drivers/mfd/sm501.c
> +++ b/drivers/mfd/sm501.c
> @@ -1249,6 +1249,8 @@ static unsigned int sm501_mem_local[] = {
> [5] = 2*1024*1024,
> };
>
> +static void sm501_dev_remove(struct sm501_devdata *sm);
> +
> /* sm501_init_dev
> *
> * Common init code for an SM501
> @@ -1321,6 +1323,7 @@ static int sm501_init_dev(struct sm501_devdata *sm)
> if (ret) {
> dev_err(sm->dev, "M1X and M clocks sourced from different "
> "PLLs\n");
> + sm501_dev_remove(sm);
[Severity: High]
This isn't a bug introduced by this patch, but can this error path unwinding
lead to a Use-After-Free?
When sm501_dev_remove() unregisters the child platform devices in
sm501_remove_sub(), the devres framework automatically frees the memory
allocated for the GPIO lookup table.
However, since gpiod_remove_lookup_table() is never called to remove it
from the global gpio_lookup_list, the freed memory remains linked. Will any
subsequent GPIO lookup system-wide traverse this corrupted list, resulting
in a Use-After-Free?
[Severity: High]
This is another pre-existing issue, but does calling devm_kzalloc() on an
uninitialized platform device trigger a kernel panic here?
Earlier in initialization, sm501_register_gpio_i2c_instance() allocates the
platform device using kzalloc() and then immediately calls devm_kzalloc()
to allocate the GPIO lookup table:
drivers/mfd/sm501.c:sm501_register_gpio_i2c_instance() {
...
pdev = sm501_create_subdev(sm, "i2c-gpio", 0,
sizeof(struct i2c_gpio_platform_data));
...
lookup = devm_kzalloc(&pdev->dev, struct_size(lookup, table, 3),
GFP_KERNEL);
...
}
Because device_initialize() hasn't been called on pdev yet,
pdev->dev.devres_head is completely uninitialized. When devres attempts to
attach the node, wouldn't it call list_add_tail() on an uninitialized list
head and dereference a NULL pointer?
> return -EINVAL;
> }
>
> @@ -1583,9 +1586,14 @@ static int sm501_pci_probe(struct pci_dev *dev,
> goto err4;
> }
>
> - sm501_init_dev(sm);
> + err = sm501_init_dev(sm);
> + if (err)
> + goto err5;
> +
> return 0;
>
> + err5:
> + iounmap(sm->regs);
> err4:
> release_mem_region(sm->io_res->start, 0x100);
> err3:
> --
> 2.50.1 (Apple Git-155)
>
--
Lee Jones
next prev parent reply other threads:[~2026-07-02 10:57 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-16 0:41 [PATCH] mfd: sm501: unwind common init failures Pengpeng Hou
2026-07-02 10:57 ` Lee Jones [this message]
2026-07-02 11:11 ` Lee Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702105730.GJ2108533@google.com \
--to=lee@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pengpeng@iscas.ac.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox