[net,v2] net: mdio-ipq4019: fix possible invalid pointer dereference

Message ID 20221117090514.118296-1-tanghui20@huawei.com
State New
Headers
Series [net,v2] net: mdio-ipq4019: fix possible invalid pointer dereference |

Commit Message

Hui Tang Nov. 17, 2022, 9:05 a.m. UTC
  priv->eth_ldo_rdy is saved the return value of devm_ioremap_resource(),
which !IS_ERR() should be used to check.

Fixes: 23a890d493e3 ("net: mdio: Add the reset function for IPQ MDIO driver")
Signed-off-by: Hui Tang <tanghui20@huawei.com>
---
v1 -> v2: set priv->eth_ldo_rdy NULL, if devm_ioremap_resource() failed
---
 drivers/net/mdio/mdio-ipq4019.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
  

Comments

Andrew Lunn Nov. 17, 2022, 1:57 p.m. UTC | #1
On Thu, Nov 17, 2022 at 05:05:14PM +0800, Hui Tang wrote:
> priv->eth_ldo_rdy is saved the return value of devm_ioremap_resource(),
> which !IS_ERR() should be used to check.
> 
> Fixes: 23a890d493e3 ("net: mdio: Add the reset function for IPQ MDIO driver")
> Signed-off-by: Hui Tang <tanghui20@huawei.com>
> ---
> v1 -> v2: set priv->eth_ldo_rdy NULL, if devm_ioremap_resource() failed
> ---
>  drivers/net/mdio/mdio-ipq4019.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/mdio/mdio-ipq4019.c b/drivers/net/mdio/mdio-ipq4019.c
> index 4eba5a91075c..dfd1647eac36 100644
> --- a/drivers/net/mdio/mdio-ipq4019.c
> +++ b/drivers/net/mdio/mdio-ipq4019.c
> @@ -231,8 +231,11 @@ static int ipq4019_mdio_probe(struct platform_device *pdev)
>  	/* The platform resource is provided on the chipset IPQ5018 */
>  	/* This resource is optional */
>  	res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
> -	if (res)
> +	if (res) {
>  		priv->eth_ldo_rdy = devm_ioremap_resource(&pdev->dev, res);
> +		if (IS_ERR(priv->eth_ldo_rdy))
> +			priv->eth_ldo_rdy = NULL;
> +	}

As i said, please add devm_ioremap_resource_optional().  Follow the
concept of devm_clk_get_optional(), devm_gpiod_get_optional(),
devm_reset_control_get_optional(), devm_reset_control_get_optional(),
platform_get_irq_byname_optional() etc.

All these will not return an error if the resource you are trying to
get does not exist. They instead return NULL, or something which other
API members understand as does not exist, but thats O.K.

These functions however do return errors for real problem, ENOMEM,
EINVAL etc. These should not be ignored.

You should then use this new function for all your other patches where
the resource is optional.

       Andrew
  
Hui Tang Nov. 18, 2022, 7:21 a.m. UTC | #2
On 2022/11/17 21:57, Andrew Lunn wrote:
> On Thu, Nov 17, 2022 at 05:05:14PM +0800, Hui Tang wrote:
>> priv->eth_ldo_rdy is saved the return value of devm_ioremap_resource(),
>> which !IS_ERR() should be used to check.
>>
>> Fixes: 23a890d493e3 ("net: mdio: Add the reset function for IPQ MDIO driver")
>> Signed-off-by: Hui Tang <tanghui20@huawei.com>
>> ---
>> v1 -> v2: set priv->eth_ldo_rdy NULL, if devm_ioremap_resource() failed
>> ---
>>  drivers/net/mdio/mdio-ipq4019.c | 5 ++++-
>>  1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/mdio/mdio-ipq4019.c b/drivers/net/mdio/mdio-ipq4019.c
>> index 4eba5a91075c..dfd1647eac36 100644
>> --- a/drivers/net/mdio/mdio-ipq4019.c
>> +++ b/drivers/net/mdio/mdio-ipq4019.c
>> @@ -231,8 +231,11 @@ static int ipq4019_mdio_probe(struct platform_device *pdev)
>>  	/* The platform resource is provided on the chipset IPQ5018 */
>>  	/* This resource is optional */
>>  	res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
>> -	if (res)
>> +	if (res) {
>>  		priv->eth_ldo_rdy = devm_ioremap_resource(&pdev->dev, res);
>> +		if (IS_ERR(priv->eth_ldo_rdy))
>> +			priv->eth_ldo_rdy = NULL;
>> +	}
>
> As i said, please add devm_ioremap_resource_optional().  Follow the
> concept of devm_clk_get_optional(), devm_gpiod_get_optional(),
> devm_reset_control_get_optional(), devm_reset_control_get_optional(),
> platform_get_irq_byname_optional() etc.
>
> All these will not return an error if the resource you are trying to
> get does not exist. They instead return NULL, or something which other
> API members understand as does not exist, but thats O.K.
>
> These functions however do return errors for real problem, ENOMEM,
> EINVAL etc. These should not be ignored.
>
> You should then use this new function for all your other patches where
> the resource is optional.


I finally understand what you mean now.

I need add devm_ioremap_resource_optional() helper, which return NULL
if the resource does not exist, and if it return other errors we need
to deal with errors. In my case, it returns -ENOMEM if the resource
does not exist.

So, the code should be as follows, is that right?

+	void __iomem *devm_ioremap_resource_optional(struct device *dev,
+                                    	     const struct resource *res)
+	{
+		void __iomem *base;
+
+		base = __devm_ioremap_resource(dev, res, DEVM_IOREMAP);
+		if (IS_ERR(base) && PTR_ERR(base) == -ENOMEM)
+			return NULL;
+
+		return base;
+	}


[...]
	res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
-	if (res)
+	if (res) {
+		priv->eth_ldo_rdy = devm_ioremap_resource_optional(&pdev->dev, res)
+		if (IS_ERR(priv->eth_ldo_rdy))
+			return PTR_ERR(priv->eth_ldo_rdy);
+	}
[...]

thanks.
  
Andrew Lunn Nov. 18, 2022, 1:44 p.m. UTC | #3
> So, the code should be as follows, is that right?
> 
> +	void __iomem *devm_ioremap_resource_optional(struct device *dev,
> +                                    	     const struct resource *res)
> +	{
> +		void __iomem *base;
> +
> +		base = __devm_ioremap_resource(dev, res, DEVM_IOREMAP);
> +		if (IS_ERR(base) && PTR_ERR(base) == -ENOMEM)
> +			return NULL;
> +
> +		return base;
> +	}
> 
> 
> [...]
> 	res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
> -	if (res)
> +	if (res) {
> +		priv->eth_ldo_rdy = devm_ioremap_resource_optional(&pdev->dev, res)
> +		if (IS_ERR(priv->eth_ldo_rdy))
> +			return PTR_ERR(priv->eth_ldo_rdy);
> +	}
> [...]

Yes, that is the basic concept.

The only thing i might change is the double meaning of -ENOMEM.
__devm_ioremap_resource() allocates memory, and if that memory
allocation fails, it returns -ENOMEM. If the resource does not exist,
it also returns -ENOMEM. So you cannot tell these two error conditions
apart. Most of the other get_foo() calls return -ENODEV if the
gpio/regulator/clock does not exist, so you can tell if you are out of
memory. But ioremap is specifically about memory so -ENOMEM actually
makes sense.

If you are out of memory, it seems likely the problem is not going to
go away quickly, so the next allocation will also fail, and hopefully
the error handling will then work. So i don't think it is major
issue. So yes, go with the code above.

      Andrew
  
Hui Tang Nov. 19, 2022, 5:41 a.m. UTC | #4
On 2022/11/18 21:44, Andrew Lunn wrote:
>> So, the code should be as follows, is that right?
>>
>> +	void __iomem *devm_ioremap_resource_optional(struct device *dev,
>> +                                    	     const struct resource *res)
>> +	{
>> +		void __iomem *base;
>> +
>> +		base = __devm_ioremap_resource(dev, res, DEVM_IOREMAP);
>> +		if (IS_ERR(base) && PTR_ERR(base) == -ENOMEM)
>> +			return NULL;
>> +
>> +		return base;
>> +	}
>>
>>
>> [...]
>> 	res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
>> -	if (res)
>> +	if (res) {
>> +		priv->eth_ldo_rdy = devm_ioremap_resource_optional(&pdev->dev, res)
>> +		if (IS_ERR(priv->eth_ldo_rdy))
>> +			return PTR_ERR(priv->eth_ldo_rdy);
>> +	}
>> [...]
>
> Yes, that is the basic concept.
>
> The only thing i might change is the double meaning of -ENOMEM.
> __devm_ioremap_resource() allocates memory, and if that memory
> allocation fails, it returns -ENOMEM. If the resource does not exist,
> it also returns -ENOMEM. So you cannot tell these two error conditions
> apart. Most of the other get_foo() calls return -ENODEV if the
> gpio/regulator/clock does not exist, so you can tell if you are out of
> memory. But ioremap is specifically about memory so -ENOMEM actually
> makes sense.
>
> If you are out of memory, it seems likely the problem is not going to
> go away quickly, so the next allocation will also fail, and hopefully
> the error handling will then work. So i don't think it is major
> issue. So yes, go with the code above.
>

Hi, Andrew

My new patchset is ready, but I just found out that another patch has been
applied to netdev/net.git. Can I solve the problem in present way? And I
will add devm_ioremap_resource_optional() helper later to optimize related
drivers. How about this?

Thanks.
  
Andrew Lunn Nov. 21, 2022, 2:36 p.m. UTC | #5
> Hi, Andrew
> 
> My new patchset is ready, but I just found out that another patch has been
> applied to netdev/net.git. Can I solve the problem in present way? And I
> will add devm_ioremap_resource_optional() helper later to optimize related
> drivers. How about this?

This is one of those harder to merge changes. patches to lib/devres.c
generally go via GregKH. Networking changes are merged via the netdev
list.

Did you find this issue via a static analyser? I assume you are
running it over the entire tree and are finding problems in multiple
subsystems? So devm_ioremap_resource_optional() is potentially going
to be needed in lots of places?

One way to get this merged is to cross post the patch adding
devm_ioremap_resource_optional() and ask GregKH to ACK it, and then
get netdev to merge it. You can then use it within the netdev
subsystem. What you cannot do is use it in other subsystems until the
next kernel cycle when it will be globally available.

So three patches. One adding devm_ioremap_resource_optional(), one to
revert the 'fix', and one with the real fix using
devm_ioremap_resource_optional().

     Andrew
  
Hui Tang Nov. 23, 2022, 1:10 a.m. UTC | #6
On 2022/11/21 22:36, Andrew Lunn wrote:
>> Hi, Andrew
>>
>> My new patchset is ready, but I just found out that another patch has been
>> applied to netdev/net.git. Can I solve the problem in present way? And I
>> will add devm_ioremap_resource_optional() helper later to optimize related
>> drivers. How about this?
>
> This is one of those harder to merge changes. patches to lib/devres.c
> generally go via GregKH. Networking changes are merged via the netdev
> list.
>
> Did you find this issue via a static analyser? I assume you are
> running it over the entire tree and are finding problems in multiple
> subsystems? So devm_ioremap_resource_optional() is potentially going
> to be needed in lots of places?

Yes, I grep the entire drives, some drivers is really going to
be needed for devm_ioremap_resource_optional() case.

For example:

drivers/mmc/host/mtk-sd.c
drivers/mmc/host/sdhci-st.c
drivers/ufs/host/ufs-qcom.c
drivers/mfd/bcm2835-pm.c
net/mdio/mdio-ipq4019.c
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c

> One way to get this merged is to cross post the patch adding
> devm_ioremap_resource_optional() and ask GregKH to ACK it, and then
> get netdev to merge it. You can then use it within the netdev
> subsystem. What you cannot do is use it in other subsystems until the
> next kernel cycle when it will be globally available.
>
> So three patches. One adding devm_ioremap_resource_optional(), one to
> revert the 'fix', and one with the real fix using
> devm_ioremap_resource_optional().

Thanks
  

Patch

diff --git a/drivers/net/mdio/mdio-ipq4019.c b/drivers/net/mdio/mdio-ipq4019.c
index 4eba5a91075c..dfd1647eac36 100644
--- a/drivers/net/mdio/mdio-ipq4019.c
+++ b/drivers/net/mdio/mdio-ipq4019.c
@@ -231,8 +231,11 @@  static int ipq4019_mdio_probe(struct platform_device *pdev)
 	/* The platform resource is provided on the chipset IPQ5018 */
 	/* This resource is optional */
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
-	if (res)
+	if (res) {
 		priv->eth_ldo_rdy = devm_ioremap_resource(&pdev->dev, res);
+		if (IS_ERR(priv->eth_ldo_rdy))
+			priv->eth_ldo_rdy = NULL;
+	}
 
 	bus->name = "ipq4019_mdio";
 	bus->read = ipq4019_mdio_read;