linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] serial: mxs-auart: Fix potential infinite loop
@ 2018-08-06 16:43 Anton Vasilyev
  2018-08-07 10:59 ` [PATCH v2] " Anton Vasilyev
  0 siblings, 1 reply; 3+ messages in thread
From: Anton Vasilyev @ 2018-08-06 16:43 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Anton Vasilyev, Jiri Slaby, linux-serial, linux-kernel, ldv-project

On the error path of mxs_auart_request_gpio_irq() is performed
backward iterating with index i of enum type. Underline enum type
may be unsigned char. In this case check (--i >= 0) will be always
true and error handling goes into infinite loop.

The patch changes type of index variable to int.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
---
 drivers/tty/serial/mxs-auart.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
index 76aa289652f7..89b34bb09cde 100644
--- a/drivers/tty/serial/mxs-auart.c
+++ b/drivers/tty/serial/mxs-auart.c
@@ -1617,7 +1617,7 @@ static void mxs_auart_free_gpio_irq(struct mxs_auart_port *s)
 static int mxs_auart_request_gpio_irq(struct mxs_auart_port *s)
 {
 	int *irq = s->gpio_irq;
-	enum mctrl_gpio_idx i;
+	int i;
 	int err = 0;
 
 	for (i = 0; (i < UART_GPIO_MAX) && !err; i++) {
@@ -1634,8 +1634,9 @@ static int mxs_auart_request_gpio_irq(struct mxs_auart_port *s)
 
 	/*
 	 * If something went wrong, rollback.
+	 * Be careful: i may be unsigned.
 	 */
-	while (err && (--i >= 0))
+	while (err && (i-- > 0))
 		if (irq[i] >= 0)
 			free_irq(irq[i], s);
 
-- 
2.18.0


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH v2] serial: mxs-auart: Fix potential infinite loop
  2018-08-06 16:43 [PATCH] serial: mxs-auart: Fix potential infinite loop Anton Vasilyev
@ 2018-08-07 10:59 ` Anton Vasilyev
  2018-08-22  6:41   ` Uwe Kleine-König
  0 siblings, 1 reply; 3+ messages in thread
From: Anton Vasilyev @ 2018-08-07 10:59 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Anton Vasilyev, Jiri Slaby, linux-serial, linux-kernel, ldv-project

On the error path of mxs_auart_request_gpio_irq() is performed
backward iterating with index i of enum type. Underline enum type
may be unsigned char. In this case check (--i >= 0) will be always
true and error handling goes into infinite loop.

The patch changes the check so that it is valid for signed and unsigned
types.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
---
v2: mistype in patch as result of combination of different fixes.
Change comment and leave enum type.
---
 drivers/tty/serial/mxs-auart.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
index 76aa289652f7..27235a526cce 100644
--- a/drivers/tty/serial/mxs-auart.c
+++ b/drivers/tty/serial/mxs-auart.c
@@ -1634,8 +1634,9 @@ static int mxs_auart_request_gpio_irq(struct mxs_auart_port *s)
 
 	/*
 	 * If something went wrong, rollback.
+	 * Be careful: i may be unsigned.
 	 */
-	while (err && (--i >= 0))
+	while (err && (i-- > 0))
 		if (irq[i] >= 0)
 			free_irq(irq[i], s);
 
-- 
2.18.0


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH v2] serial: mxs-auart: Fix potential infinite loop
  2018-08-07 10:59 ` [PATCH v2] " Anton Vasilyev
@ 2018-08-22  6:41   ` Uwe Kleine-König
  0 siblings, 0 replies; 3+ messages in thread
From: Uwe Kleine-König @ 2018-08-22  6:41 UTC (permalink / raw)
  To: Anton Vasilyev
  Cc: Greg Kroah-Hartman, Jiri Slaby, linux-serial, linux-kernel, ldv-project

On Tue, Aug 07, 2018 at 01:59:05PM +0300, Anton Vasilyev wrote:
> On the error path of mxs_auart_request_gpio_irq() is performed
> backward iterating with index i of enum type. Underline enum type
> may be unsigned char. In this case check (--i >= 0) will be always
> true and error handling goes into infinite loop.
> 
> The patch changes the check so that it is valid for signed and unsigned
> types.
> 
> Found by Linux Driver Verification project (linuxtesting.org).
> 
> Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
> ---
> v2: mistype in patch as result of combination of different fixes.
> Change comment and leave enum type.
> ---
>  drivers/tty/serial/mxs-auart.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
> index 76aa289652f7..27235a526cce 100644
> --- a/drivers/tty/serial/mxs-auart.c
> +++ b/drivers/tty/serial/mxs-auart.c
> @@ -1634,8 +1634,9 @@ static int mxs_auart_request_gpio_irq(struct mxs_auart_port *s)
>  
>  	/*
>  	 * If something went wrong, rollback.
> +	 * Be careful: i may be unsigned.
>  	 */
> -	while (err && (--i >= 0))
> +	while (err && (i-- > 0))
>  		if (irq[i] >= 0)
>  			free_irq(irq[i], s);

I wouldn't have added the comment, but the code change is correct.

Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

Thanks
Uwe

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2018-08-22  6:41 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-06 16:43 [PATCH] serial: mxs-auart: Fix potential infinite loop Anton Vasilyev
2018-08-07 10:59 ` [PATCH v2] " Anton Vasilyev
2018-08-22  6:41   ` Uwe Kleine-König

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).