[PATCH v2 0/3] serial: liteuart: fix driver unbind

[PATCH v2 0/3] serial: liteuart: fix driver unbind

[Johan Hovold]

Ilia Sergachev noted that the liteuart remove() function would trigger a
NULL-pointer dereference if it was ever called since the driver data
pointer was never initialised.

Turns out there are more bugs in this part of the driver which clearly
has never been tested.

Also relax the Kconfig dependencies so that the driver can be
compile-tested without first enabling a seemingly unrelated SoC
controller driver.

Note that this series depends on the fix by Ilia:

        https://lore.kernel.org/r/20211115031808.7ab632ef@dtkw

Johan


Changes in v2
 - allow compile testing without CONFIG_OF (Andy)
 - reword commit message to clarify that LITEX is neither a build or
   runtime dependency and that the change only makes it easier to
   compile test the driver
 - move the Kconfig patch last in the series
 - add Stafford's reviewed by tags to the two unmodified patches


Johan Hovold (3):
  serial: liteuart: fix use-after-free and memleak on unbind
  serial: liteuart: fix minor-number leak on probe errors
  serial: liteuart: relax compile-test dependencies

 drivers/tty/serial/Kconfig    |  2 +-
 drivers/tty/serial/liteuart.c | 18 +++++++++++++++---
 2 files changed, 16 insertions(+), 4 deletions(-)

-- 
2.32.0

[PATCH v2 1/3] serial: liteuart: fix use-after-free and memleak on unbind

[Johan Hovold]

Deregister the port when unbinding the driver to prevent it from being
used after releasing the driver data and leaking memory allocated by
serial core.

Fixes: 1da81e5562fa ("drivers/tty/serial: add LiteUART driver")
Cc: stable@vger.kernel.org      # 5.11
Cc: Filip Kokosinski <fkokosinski@antmicro.com>
Cc: Mateusz Holenko <mholenko@antmicro.com>
Reviewed-by: Stafford Horne <shorne@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/tty/serial/liteuart.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/tty/serial/liteuart.c b/drivers/tty/serial/liteuart.c
index f075f4ff5fcf..da792d0df790 100644
--- a/drivers/tty/serial/liteuart.c
+++ b/drivers/tty/serial/liteuart.c
@@ -295,6 +295,7 @@ static int liteuart_remove(struct platform_device *pdev)
 	struct uart_port *port = platform_get_drvdata(pdev);
 	struct liteuart_port *uart = to_liteuart_port(port);
 
+	uart_remove_one_port(&liteuart_driver, port);
 	xa_erase(&liteuart_array, uart->id);
 
 	return 0;
-- 
2.32.0

[PATCH v2 2/3] serial: liteuart: fix minor-number leak on probe errors

[Johan Hovold]

Make sure to release the allocated minor number before returning on
probe errors.

Fixes: 1da81e5562fa ("drivers/tty/serial: add LiteUART driver")
Cc: stable@vger.kernel.org      # 5.11
Cc: Filip Kokosinski <fkokosinski@antmicro.com>
Cc: Mateusz Holenko <mholenko@antmicro.com>
Reviewed-by: Stafford Horne <shorne@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/tty/serial/liteuart.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/drivers/tty/serial/liteuart.c b/drivers/tty/serial/liteuart.c
index da792d0df790..2941659e5274 100644
--- a/drivers/tty/serial/liteuart.c
+++ b/drivers/tty/serial/liteuart.c
@@ -270,8 +270,10 @@ static int liteuart_probe(struct platform_device *pdev)
 
 	/* get membase */
 	port->membase = devm_platform_get_and_ioremap_resource(pdev, 0, NULL);
-	if (IS_ERR(port->membase))
-		return PTR_ERR(port->membase);
+	if (IS_ERR(port->membase)) {
+		ret = PTR_ERR(port->membase);
+		goto err_erase_id;
+	}
 
 	/* values not from device tree */
 	port->dev = &pdev->dev;
@@ -287,7 +289,16 @@ static int liteuart_probe(struct platform_device *pdev)
 
 	platform_set_drvdata(pdev, port);
 
-	return uart_add_one_port(&liteuart_driver, &uart->port);
+	ret = uart_add_one_port(&liteuart_driver, &uart->port);
+	if (ret)
+		goto err_erase_id;
+
+	return 0;
+
+err_erase_id:
+	xa_erase(&liteuart_array, uart->id);
+
+	return ret;
 }
 
 static int liteuart_remove(struct platform_device *pdev)
-- 
2.32.0

[PATCH v2 3/3] serial: liteuart: relax compile-test dependencies

[Johan Hovold]

The LITEX symbol is neither a build or runtime dependency for the
liteuart serial driver.

LITEX is selected by the "LiteX SoC Controller" driver, which does a
probe-time register-access sanity check and panics if the SoC has not
been configured correctly. That driver's Kconfig entry asserts that any
LiteX driver using the LiteX register accessors should depend on LITEX,
but currently only the serial driver complies.

Relax this LITEX "dependency" in order to make it easier to compile test
the driver.

Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/tty/serial/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig
index 6ff94cfcd9db..fc543ac97c13 100644
--- a/drivers/tty/serial/Kconfig
+++ b/drivers/tty/serial/Kconfig
@@ -1533,7 +1533,7 @@ config SERIAL_LITEUART
 	tristate "LiteUART serial port support"
 	depends on HAS_IOMEM
 	depends on OF || COMPILE_TEST
-	depends on LITEX
+	depends on LITEX || COMPILE_TEST
 	select SERIAL_CORE
 	help
 	  This driver is for the FPGA-based LiteUART serial controller from LiteX
-- 
2.32.0

Re: [PATCH v2 0/3] serial: liteuart: fix driver unbind

[Andy Shevchenko]

On Wed, Nov 17, 2021 at 12:05 PM Johan Hovold <johan@kernel.org> wrote:
>
> Ilia Sergachev noted that the liteuart remove() function would trigger a
> NULL-pointer dereference if it was ever called since the driver data
> pointer was never initialised.
>
> Turns out there are more bugs in this part of the driver which clearly
> has never been tested.
>
> Also relax the Kconfig dependencies so that the driver can be
> compile-tested without first enabling a seemingly unrelated SoC
> controller driver.
>
> Note that this series depends on the fix by Ilia:
>
>         https://lore.kernel.org/r/20211115031808.7ab632ef@dtkw


FWIW,
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>

> Johan
>
>
> Changes in v2
>  - allow compile testing without CONFIG_OF (Andy)
>  - reword commit message to clarify that LITEX is neither a build or
>    runtime dependency and that the change only makes it easier to
>    compile test the driver
>  - move the Kconfig patch last in the series
>  - add Stafford's reviewed by tags to the two unmodified patches
>
>
> Johan Hovold (3):
>   serial: liteuart: fix use-after-free and memleak on unbind
>   serial: liteuart: fix minor-number leak on probe errors
>   serial: liteuart: relax compile-test dependencies
>
>  drivers/tty/serial/Kconfig    |  2 +-
>  drivers/tty/serial/liteuart.c | 18 +++++++++++++++---
>  2 files changed, 16 insertions(+), 4 deletions(-)
>
> --
> 2.32.0
>


-- 
With Best Regards,
Andy Shevchenko