195521 – xillybus: unchecked return value of of_address_to_resource() in function xilly_drv_probe()

Bug 195521 - xillybus: unchecked return value of of_address_to_resource() in function xilly_drv_probe()

Summary: xillybus: unchecked return value of of_address_to_resource() in function xill...

Status:	NEW

Alias:	None

Product:	Drivers
Classification:	Unclassified
Component:	Other (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	drivers_other

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-04-22 15:16 UTC by bianpan
Modified:	2017-04-22 15:16 UTC (History)
CC List:	0 users

See Also:
Kernel Version:	linux-4.11-rc7
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description bianpan 2017-04-22 15:16:56 UTC

Function of_address_to_resource() tries to translate device tree address and return as resource. If the translation fails, it will return a negative errno. However, function xilly_drv_probe() does not validate its return value (see line 139), which may result in bad memory access. Related code snippets are shown as follows.
xilly_drv_probe @@ drivers/char/xillybus/xillybus_of.c:120
120 static int xilly_drv_probe(struct platform_device *op)
121 {
122     struct device *dev = &op->dev;
123     struct xilly_endpoint *endpoint;
124     int rc;
125     int irq;
126     struct resource res;
127     struct xilly_endpoint_hardware *ephw = &of_hw;
128 
129     if (of_property_read_bool(dev->of_node, "dma-coherent"))
130         ephw = &of_hw_coherent;
131 
132     endpoint = xillybus_init_endpoint(NULL, dev, ephw);
133 
134     if (!endpoint)
135         return -ENOMEM;
136 
137     dev_set_drvdata(dev, endpoint);
138 
139     rc = of_address_to_resource(dev->of_node, 0, &res);
140     endpoint->registers = devm_ioremap_resource(dev, &res);
141 
142     if (IS_ERR(endpoint->registers))
143         return PTR_ERR(endpoint->registers);
144 
145     irq = irq_of_parse_and_map(dev->of_node, 0);
146 
147     rc = devm_request_irq(dev, irq, xillybus_isr, 0, xillyname, endpoint);
148 
149     if (rc) {
150         dev_err(endpoint->dev,
151             "Failed to register IRQ handler. Aborting.\n");
152         return -ENODEV;
153     }
154 
155     return xillybus_endpoint_discovery(endpoint);
156 }

Generally, the return value of function of_address_to_resource() should be checked as follows.
xgene_edac_l3_add @@ drivers/edac/xgene_edac.c: 1196
1196 static int xgene_edac_l3_add(struct xgene_edac *edac, struct device_node *np,
1197                  int version)
1198 {
         ...
1209     rc = of_address_to_resource(np, 0, &res);
1210     if (rc < 0) {
1211         dev_err(edac->dev, "no L3 resource address\n");
1212         goto err_release_group;
1213     }
1214     dev_csr = devm_ioremap_resource(edac->dev, &res);
1215     if (IS_ERR(dev_csr)) {
1216         dev_err(edac->dev,
1217             "devm_ioremap_resource failed for L3 resource address\n");
1218         rc = PTR_ERR(dev_csr);
1219         goto err_release_group;
1220     }
         ...
1272     return rc;
1273 }


Thanks very much for your attention!

Pan Bian

Note You need to log in before you can comment on or make changes to this bug.