Message ID | 20220120133739.4170298-1-alexander.sverdlin@gmail.com |
---|---|
State | Superseded |
Series | ep93xx: clock: Fix UAF in ep93xx_clk_register_gate() |
On Tue, Jan 25, 2022 at 1:10 PM Nick Desaulniers <ndesaulniers@google.com> wrote: > > On Thu, Jan 20, 2022 at 02:37:38PM +0100, Alexander Sverdlin wrote: Also, consider adding the first line of the warning to your commit message, please: arch/arm/mach-ep93xx/clock.c:154:2: warning: Use of memory after it is freed [clang-analyzer-unix.Malloc] > > arch/arm/mach-ep93xx/clock.c:151:2: note: Taking true branch > > if (IS_ERR(clk)) > > ^ > > arch/arm/mach-ep93xx/clock.c:152:3: note: Memory is released > > kfree(psc); > > ^~~~~~~~~~ > > arch/arm/mach-ep93xx/clock.c:154:2: note: Use of memory after it is freed > > return &psc->hw; > > ^ ~~~~~~~~ > > > > Link: https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org/thread/B5YCO2NJEXINCYE26Y255LCVMO55BGWW/ > > Reported-by: kernel test robot <lkp@intel.com> > > Fixes: 9645ccc7bd7a ("ep93xx: clock: convert in-place to COMMON_CLK") > > Cc: stable@vger.kernel.org > > Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com> > > --- > > arch/arm/mach-ep93xx/clock.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/arch/arm/mach-ep93xx/clock.c b/arch/arm/mach-ep93xx/clock.c > > index cc75087134d3..4aee14f18123 100644 > > --- a/arch/arm/mach-ep93xx/clock.c > > +++ b/arch/arm/mach-ep93xx/clock.c > > @@ -148,8 +148,10 @@ static struct clk_hw *ep93xx_clk_register_gate(const char *name, > > psc->lock = &clk_lock; > > > > clk = clk_register(NULL, &psc->hw); > > - if (IS_ERR(clk)) > > + if (IS_ERR(clk)) { > > kfree(psc); > > + return (void *)clk; > > Prefer ERR_CAST to the raw cast. I think that's nicer when we're already > using the IS_ERR macros. > > > + } > > > > return &psc->hw; > > } > > -- > > 2.34.1 > >
diff --git a/arch/arm/mach-ep93xx/clock.c b/arch/arm/mach-ep93xx/clock.c index cc75087134d3..4aee14f18123 100644 --- a/arch/arm/mach-ep93xx/clock.c +++ b/arch/arm/mach-ep93xx/clock.c @@ -148,8 +148,10 @@ static struct clk_hw *ep93xx_clk_register_gate(const char *name, psc->lock = &clk_lock; clk = clk_register(NULL, &psc->hw); - if (IS_ERR(clk)) + if (IS_ERR(clk)) { kfree(psc); + return (void *)clk; + } return &psc->hw; }
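Review bot: In the new `if (IS_ERR(clk)) { ... }` branch, `return (void *)clk;` uses a raw cast to carry the `struct clk *` error pointer out through the function's `struct clk_hw *` return type; `return ERR_CAST(clk);` expresses that intent explicitly and matches the `IS_ERR()` check directly above it. The early return is the part that must stay: without it, control reaches `return &psc->hw;` after `kfree(psc)`, so the caller gets a pointer into freed memory instead of an error value it can test with `IS_ERR()`.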
arch/arm/mach-ep93xx/clock.c:151:2: note: Taking true branch
        if (IS_ERR(clk))
        ^
arch/arm/mach-ep93xx/clock.c:152:3: note: Memory is released
                kfree(psc);
                ^~~~~~~~~~
arch/arm/mach-ep93xx/clock.c:154:2: note: Use of memory after it is freed
        return &psc->hw;
        ^      ~~~~~~~~

Link: https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org/thread/B5YCO2NJEXINCYE26Y255LCVMO55BGWW/
Reported-by: kernel test robot <lkp@intel.com>
Fixes: 9645ccc7bd7a ("ep93xx: clock: convert in-place to COMMON_CLK")
Cc: stable@vger.kernel.org
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>

---
 arch/arm/mach-ep93xx/clock.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)