* [PATCH] [v3] ieee802154: ca8210: Fix a potential UAF in ca8210_probe
@ 2023-10-01 5:49 Dinghao Liu
2023-10-01 7:19 ` kernel test robot
0 siblings, 1 reply; 4+ messages in thread
From: Dinghao Liu @ 2023-10-01 5:49 UTC (permalink / raw)
To: dinghao.liu
Cc: stable, Alexander Aring, Stefan Schmidt, Miquel Raynal,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Harry Morris, Marcel Holtmann, linux-wpan, netdev, linux-kernel
If of_clk_add_provider() fails in ca8210_register_ext_clock(),
it calls clk_unregister() to release priv->clk and returns an
error. However, the caller ca8210_probe() then calls ca8210_remove(),
where priv->clk is freed again in ca8210_unregister_ext_clock(). In
this case, a use-after-free may happen in the second time we call
clk_unregister().
Fix this by removing the first clk_unregister(). Also, priv->clk could
be an error code on failure of clk_register_fixed_rate(). Use
IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().
Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
---
Changelog:
v2: -Remove the first clk_unregister() instead of nulling priv->clk.
v3: -Simplify ca8210_register_ext_clock().
-Add a ';' after return in ca8210_unregister_ext_clock().
---
drivers/net/ieee802154/ca8210.c | 16 +++-------------
1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
index aebb19f1b3a4..ae44a9133937 100644
--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@@ -2757,18 +2757,8 @@ static int ca8210_register_ext_clock(struct spi_device *spi)
dev_crit(&spi->dev, "Failed to register external clk\n");
return PTR_ERR(priv->clk);
}
- ret = of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);
- if (ret) {
- clk_unregister(priv->clk);
- dev_crit(
- &spi->dev,
- "Failed to register external clock as clock provider\n"
- );
- } else {
- dev_info(&spi->dev, "External clock set as clock provider\n");
- }
- return ret;
+ return of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);
}
/**
@@ -2780,8 +2770,8 @@ static void ca8210_unregister_ext_clock(struct spi_device *spi)
{
struct ca8210_priv *priv = spi_get_drvdata(spi);
- if (!priv->clk)
- return
+ if (IS_ERR_OR_NULL(priv->clk))
+ return;
of_clk_del_provider(spi->dev.of_node);
clk_unregister(priv->clk);
--
2.17.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] [v3] ieee802154: ca8210: Fix a potential UAF in ca8210_probe
2023-10-01 5:49 [PATCH] [v3] ieee802154: ca8210: Fix a potential UAF in ca8210_probe Dinghao Liu
@ 2023-10-01 7:19 ` kernel test robot
2023-10-05 18:25 ` Stefan Schmidt
0 siblings, 1 reply; 4+ messages in thread
From: kernel test robot @ 2023-10-01 7:19 UTC (permalink / raw)
To: Dinghao Liu
Cc: oe-kbuild-all, stable, Alexander Aring, Stefan Schmidt,
Miquel Raynal, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Harry Morris, Marcel Holtmann, linux-wpan, netdev, linux-kernel
Hi Dinghao,
kernel test robot noticed the following build warnings:
[auto build test WARNING on linus/master]
[also build test WARNING on v6.6-rc3 next-20230929]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Dinghao-Liu/ieee802154-ca8210-Fix-a-potential-UAF-in-ca8210_probe/20231001-135130
base: linus/master
patch link: https://lore.kernel.org/r/20231001054949.14624-1-dinghao.liu%40zju.edu.cn
patch subject: [PATCH] [v3] ieee802154: ca8210: Fix a potential UAF in ca8210_probe
config: m68k-allyesconfig (https://download.01.org/0day-ci/archive/20231001/202310011548.qyQMuodI-lkp@intel.com/config)
compiler: m68k-linux-gcc (GCC) 13.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20231001/202310011548.qyQMuodI-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202310011548.qyQMuodI-lkp@intel.com/
All warnings (new ones prefixed by >>):
drivers/net/ieee802154/ca8210.c: In function 'ca8210_register_ext_clock':
>> drivers/net/ieee802154/ca8210.c:2743:13: warning: unused variable 'ret' [-Wunused-variable]
2743 | int ret = 0;
| ^~~
vim +/ret +2743 drivers/net/ieee802154/ca8210.c
ded845a781a578 Harry Morris 2017-03-28 2731
ded845a781a578 Harry Morris 2017-03-28 2732 /**
ded845a781a578 Harry Morris 2017-03-28 2733 * ca8210_register_ext_clock() - Register ca8210's external clock with kernel
ded845a781a578 Harry Morris 2017-03-28 2734 * @spi: Pointer to target ca8210 spi device
ded845a781a578 Harry Morris 2017-03-28 2735 *
ded845a781a578 Harry Morris 2017-03-28 2736 * Return: 0 or linux error code
ded845a781a578 Harry Morris 2017-03-28 2737 */
ded845a781a578 Harry Morris 2017-03-28 2738 static int ca8210_register_ext_clock(struct spi_device *spi)
ded845a781a578 Harry Morris 2017-03-28 2739 {
ded845a781a578 Harry Morris 2017-03-28 2740 struct device_node *np = spi->dev.of_node;
ded845a781a578 Harry Morris 2017-03-28 2741 struct ca8210_priv *priv = spi_get_drvdata(spi);
ded845a781a578 Harry Morris 2017-03-28 2742 struct ca8210_platform_data *pdata = spi->dev.platform_data;
ded845a781a578 Harry Morris 2017-03-28 @2743 int ret = 0;
ded845a781a578 Harry Morris 2017-03-28 2744
ded845a781a578 Harry Morris 2017-03-28 2745 if (!np)
ded845a781a578 Harry Morris 2017-03-28 2746 return -EFAULT;
ded845a781a578 Harry Morris 2017-03-28 2747
ded845a781a578 Harry Morris 2017-03-28 2748 priv->clk = clk_register_fixed_rate(
ded845a781a578 Harry Morris 2017-03-28 2749 &spi->dev,
ded845a781a578 Harry Morris 2017-03-28 2750 np->name,
ded845a781a578 Harry Morris 2017-03-28 2751 NULL,
ded845a781a578 Harry Morris 2017-03-28 2752 0,
ded845a781a578 Harry Morris 2017-03-28 2753 pdata->extclockfreq
ded845a781a578 Harry Morris 2017-03-28 2754 );
ded845a781a578 Harry Morris 2017-03-28 2755
ded845a781a578 Harry Morris 2017-03-28 2756 if (IS_ERR(priv->clk)) {
ded845a781a578 Harry Morris 2017-03-28 2757 dev_crit(&spi->dev, "Failed to register external clk\n");
ded845a781a578 Harry Morris 2017-03-28 2758 return PTR_ERR(priv->clk);
ded845a781a578 Harry Morris 2017-03-28 2759 }
ded845a781a578 Harry Morris 2017-03-28 2760
d0603f3c78f0aa Dinghao Liu 2023-10-01 2761 return of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);
ded845a781a578 Harry Morris 2017-03-28 2762 }
ded845a781a578 Harry Morris 2017-03-28 2763
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] [v3] ieee802154: ca8210: Fix a potential UAF in ca8210_probe
2023-10-01 7:19 ` kernel test robot
@ 2023-10-05 18:25 ` Stefan Schmidt
2023-10-07 1:35 ` dinghao.liu
0 siblings, 1 reply; 4+ messages in thread
From: Stefan Schmidt @ 2023-10-05 18:25 UTC (permalink / raw)
To: kernel test robot, Dinghao Liu
Cc: oe-kbuild-all, stable, Alexander Aring, Miquel Raynal,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, Harry Morris,
Marcel Holtmann, linux-wpan, netdev, linux-kernel
Hello Dinghao,
On 01.10.23 09:19, kernel test robot wrote:
> Hi Dinghao,
>
> kernel test robot noticed the following build warnings:
>
> [auto build test WARNING on linus/master]
> [also build test WARNING on v6.6-rc3 next-20230929]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url: https://github.com/intel-lab-lkp/linux/commits/Dinghao-Liu/ieee802154-ca8210-Fix-a-potential-UAF-in-ca8210_probe/20231001-135130
> base: linus/master
> patch link: https://lore.kernel.org/r/20231001054949.14624-1-dinghao.liu%40zju.edu.cn
> patch subject: [PATCH] [v3] ieee802154: ca8210: Fix a potential UAF in ca8210_probe
> config: m68k-allyesconfig (https://download.01.org/0day-ci/archive/20231001/202310011548.qyQMuodI-lkp@intel.com/config)
> compiler: m68k-linux-gcc (GCC) 13.2.0
> reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20231001/202310011548.qyQMuodI-lkp@intel.com/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202310011548.qyQMuodI-lkp@intel.com/
>
> All warnings (new ones prefixed by >>):
>
> drivers/net/ieee802154/ca8210.c: In function 'ca8210_register_ext_clock':
>>> drivers/net/ieee802154/ca8210.c:2743:13: warning: unused variable 'ret' [-Wunused-variable]
> 2743 | int ret = 0;
> | ^~~
>
Please take care of this now unused variable after your re-factor.
With this fixed and send out as v4 I am happy to get this applied to the
wpan tree.
regards
Stefan Schmidt
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] [v3] ieee802154: ca8210: Fix a potential UAF in ca8210_probe
2023-10-05 18:25 ` Stefan Schmidt
@ 2023-10-07 1:35 ` dinghao.liu
0 siblings, 0 replies; 4+ messages in thread
From: dinghao.liu @ 2023-10-07 1:35 UTC (permalink / raw)
To: Stefan Schmidt
Cc: kernel test robot, oe-kbuild-all, stable, Alexander Aring,
Miquel Raynal, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Harry Morris, Marcel Holtmann, linux-wpan, netdev, linux-kernel
> Hello Dinghao,
>
>
> On 01.10.23 09:19, kernel test robot wrote:
> > Hi Dinghao,
> >
> > kernel test robot noticed the following build warnings:
> >
> > [auto build test WARNING on linus/master]
> > [also build test WARNING on v6.6-rc3 next-20230929]
> > [If your patch is applied to the wrong git tree, kindly drop us a note.
> > And when submitting patch, we suggest to use '--base' as documented in
> > https://git-scm.com/docs/git-format-patch#_base_tree_information]
> >
> > url: https://github.com/intel-lab-lkp/linux/commits/Dinghao-Liu/ieee802154-ca8210-Fix-a-potential-UAF-in-ca8210_probe/20231001-135130
> > base: linus/master
> > patch link: https://lore.kernel.org/r/20231001054949.14624-1-dinghao.liu%40zju.edu.cn
> > patch subject: [PATCH] [v3] ieee802154: ca8210: Fix a potential UAF in ca8210_probe
> > config: m68k-allyesconfig (https://download.01.org/0day-ci/archive/20231001/202310011548.qyQMuodI-lkp@intel.com/config)
> > compiler: m68k-linux-gcc (GCC) 13.2.0
> > reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20231001/202310011548.qyQMuodI-lkp@intel.com/reproduce)
> >
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Reported-by: kernel test robot <lkp@intel.com>
> > | Closes: https://lore.kernel.org/oe-kbuild-all/202310011548.qyQMuodI-lkp@intel.com/
> >
> > All warnings (new ones prefixed by >>):
> >
> > drivers/net/ieee802154/ca8210.c: In function 'ca8210_register_ext_clock':
> >>> drivers/net/ieee802154/ca8210.c:2743:13: warning: unused variable 'ret' [-Wunused-variable]
> > 2743 | int ret = 0;
> > | ^~~
> >
>
> Please take care of this now unused variable after your re-factor.
> With this fixed and send out as v4 I am happy to get this applied to the
> wpan tree.
I will resend the v4 patch soon, thanks!
Regards,
Dinghao
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-10-07 1:36 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-10-01 5:49 [PATCH] [v3] ieee802154: ca8210: Fix a potential UAF in ca8210_probe Dinghao Liu
2023-10-01 7:19 ` kernel test robot
2023-10-05 18:25 ` Stefan Schmidt
2023-10-07 1:35 ` dinghao.liu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).