[PATCH 0/2] sh: intc: Fix UAF and compile error problems

[PATCH 0/2] sh: intc: Fix UAF and compile error problems

[Yuan Can]

This series fix servel compile errors and an UAF problem in
drivers/sh/intc/core.c.

Yuan Can (2):
  sh: intc: Fix compile errors about casting
  sh: intc: Fix possible UAF in register_intc_controller()

 drivers/sh/intc/core.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

-- 
2.17.1

[PATCH 1/2] sh: intc: Fix compile errors about casting

[Yuan Can]

The following errors was given when compiling drivers/sh/intc/core.c

 drivers/sh/intc/core.c: In function ‘intc_redirect_irq’:
 drivers/sh/intc/core.c:70:21: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
   generic_handle_irq((unsigned int)irq_desc_get_handler_data(desc));
                      ^
 drivers/sh/intc/core.c: In function ‘intc_register_irq’:
 drivers/sh/intc/core.c:119:25: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
   irq_set_chip_data(irq, (void *)data[primary]);
                          ^
 drivers/sh/intc/core.c: In function ‘register_intc_controller’:
 drivers/sh/intc/core.c:360:9: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
          (void *)irq);
          ^
 cc1: all warnings being treated as errors

Fix by casting variables to unsigned long first.

Fixes: 2be6bb0c79c7 ("sh: intc: Split up the INTC code.")
Signed-off-by: Yuan Can <yuancan@huawei.com>
---
 drivers/sh/intc/core.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/sh/intc/core.c b/drivers/sh/intc/core.c
index ca4f4ca413f1..4a4ad10de758 100644
--- a/drivers/sh/intc/core.c
+++ b/drivers/sh/intc/core.c
@@ -67,7 +67,7 @@ void intc_set_prio_level(unsigned int irq, unsigned int level)
 
 static void intc_redirect_irq(struct irq_desc *desc)
 {
-	generic_handle_irq((unsigned int)irq_desc_get_handler_data(desc));
+	generic_handle_irq((unsigned long)irq_desc_get_handler_data(desc));
 }
 
 static void __init intc_register_irq(struct intc_desc *desc,
@@ -116,7 +116,7 @@ static void __init intc_register_irq(struct intc_desc *desc,
 	disable_irq_nosync(irq);
 	irq_set_chip_and_handler_name(irq, &d->chip, handle_level_irq,
 				      "level");
-	irq_set_chip_data(irq, (void *)data[primary]);
+	irq_set_chip_data(irq, (void *)(unsigned long)data[primary]);
 
 	/*
 	 * set priority level
@@ -357,7 +357,7 @@ int __init register_intc_controller(struct intc_desc *desc)
 			irq_set_chip(irq2, &dummy_irq_chip);
 			irq_set_chained_handler_and_data(irq2,
 							 intc_redirect_irq,
-							 (void *)irq);
+							 (void *)(unsigned long)irq);
 		}
 	}
 
-- 
2.17.1

[PATCH 2/2] sh: intc: Fix possible UAF in register_intc_controller()

[Yuan Can]

If the allocation of d->window failed in register_intc_controller(), it
will goto err1 and d will be freed, but d->list will not be removed from
intc_list, then list traversal may cause UAF, fix it.

Fixes: 2be6bb0c79c7 ("sh: intc: Split up the INTC code.")
Signed-off-by: Yuan Can <yuancan@huawei.com>
---
 drivers/sh/intc/core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/sh/intc/core.c b/drivers/sh/intc/core.c
index 4a4ad10de758..98079a3ebe8a 100644
--- a/drivers/sh/intc/core.c
+++ b/drivers/sh/intc/core.c
@@ -387,6 +387,7 @@ int __init register_intc_controller(struct intc_desc *desc)
 
 	kfree(d->window);
 err1:
+	list_del(&d->list);
 	kfree(d);
 err0:
 	pr_err("unable to allocate INTC memory\n");
-- 
2.17.1