From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=vtn1=VX=vger.kernel.org=linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,
	SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9C3D2C7618B
	for <linux-kernel@archiver.kernel.org>; Fri, 26 Jul 2019 13:41:16 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 719AD22CB8
	for <linux-kernel@archiver.kernel.org>; Fri, 26 Jul 2019 13:41:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=default; t=1564148476;
	bh=ZYABnSn7vuYTCQJZ7dSWnP9lS/soucNvJhFcIEN0BTU=;
	h=Date:From:To:Cc:Subject:In-Reply-To:References:List-ID:From;
	b=hS31oFr4ENp1Mp8UrPgXlhHshDd+cB69iNJzJ5fyf3SDFDwtzIV+8MjH3zmtqVzAy
	 R0hPcK7++f8RnDsZ10NmUqbnOGfVsC424cGHneWdbWNeAoe5ceYsrGhRkhrllYyywm
	 97rnC52zPCn6/q18vky7tV+Hs3XWl0blK3K7q3VY=
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727856AbfGZNlO (ORCPT
        <rfc822;linux-kernel@archiver.kernel.org>);
        Fri, 26 Jul 2019 09:41:14 -0400
Received: from foss.arm.com ([217.140.110.172]:43760 "EHLO foss.arm.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727814AbfGZNlD (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 26 Jul 2019 09:41:03 -0400
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 6A92D337;
        Fri, 26 Jul 2019 06:41:03 -0700 (PDT)
Received: from big-swifty.misterjones.org (unknown [172.31.20.19])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id A54F03F694;
        Fri, 26 Jul 2019 06:41:01 -0700 (PDT)
Date:   Fri, 26 Jul 2019 14:41:00 +0100
Message-ID: <864l38oqvn.wl-maz@kernel.org>
From:   Marc Zyngier <maz@kernel.org>
To:     Wen Yang <wen.yang99@zte.com.cn>
Cc:     <linux-kernel@vger.kernel.org>, <xue.zhihong@zte.com.cn>,
        <wang.yi59@zte.com.cn>, <cheng.shengyu@zte.com.cn>,
        Thomas Gleixner <tglx@linutronix.de>,
        Jason Cooper <jason@lakedaemon.net>,
        Geert Uytterhoeven <geert+renesas@glider.be>,
        Chris Brandt <chris.brandt@renesas.com>,
        Simon Horman <horms+renesas@verge.net.au>
Subject: Re: [PATCH] irqchip: renesas-rza1: fix an use-after-free in rza1_irqc_probe()
In-Reply-To: <1562566745-7447-3-git-send-email-wen.yang99@zte.com.cn>
References: <1562566745-7447-1-git-send-email-wen.yang99@zte.com.cn>
        <1562566745-7447-3-git-send-email-wen.yang99@zte.com.cn>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue)
 FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 EasyPG/1.0.0 Emacs/26
 (aarch64-unknown-linux-gnu) MULE/6.0 (HANACHIRUSATO)
Organization: Approximate
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 08 Jul 2019 07:19:04 +0100,
Wen Yang <wen.yang99@zte.com.cn> wrote:
> 
> The gic_node is still being used in the rza1_irqc_parse_map() call
> after the of_node_put() call, which may result in use-after-free.
> 
> Fixes: a644ccb819bc ("irqchip: Add Renesas RZ/A1 Interrupt Controller driver")
> Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Jason Cooper <jason@lakedaemon.net>
> Cc: Marc Zyngier <marc.zyngier@arm.com>
> Cc: Geert Uytterhoeven <geert+renesas@glider.be>
> Cc: Chris Brandt <chris.brandt@renesas.com>
> Cc: Simon Horman <horms+renesas@verge.net.au>
> Cc: linux-kernel@vger.kernel.org
> ---
>  drivers/irqchip/irq-renesas-rza1.c | 15 ++++++++-------
>  1 file changed, 8 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/irqchip/irq-renesas-rza1.c b/drivers/irqchip/irq-renesas-rza1.c
> index b1f19b21..b0d46ac 100644
> --- a/drivers/irqchip/irq-renesas-rza1.c
> +++ b/drivers/irqchip/irq-renesas-rza1.c
> @@ -208,20 +208,19 @@ static int rza1_irqc_probe(struct platform_device *pdev)
>  		return PTR_ERR(priv->base);
>  
>  	gic_node = of_irq_find_parent(np);
> -	if (gic_node) {
> +	if (gic_node)
>  		parent = irq_find_host(gic_node);
> -		of_node_put(gic_node);
> -	}
>  
>  	if (!parent) {
>  		dev_err(dev, "cannot find parent domain\n");
> -		return -ENODEV;
> +		ret = -ENODEV;
> +		goto out_put_node;
>  	}
>  
>  	ret = rza1_irqc_parse_map(priv, gic_node);
>  	if (ret) {
>  		dev_err(dev, "cannot parse %s: %d\n", "interrupt-map", ret);
> -		return ret;
> +		goto out_put_node;
>  	}
>  
>  	priv->chip.name = "rza1-irqc",
> @@ -237,10 +236,12 @@ static int rza1_irqc_probe(struct platform_device *pdev)
>  						    priv);
>  	if (!priv->irq_domain) {
>  		dev_err(dev, "cannot initialize irq domain\n");
> -		return -ENOMEM;
> +		ret = -ENOMEM;
>  	}
>  
> -	return 0;
> +out_put_node:
> +	of_node_put(gic_node);
> +	return ret;
>  }
>  
>  static int rza1_irqc_remove(struct platform_device *pdev)
> -- 
> 2.9.5
> 

Applied, thanks.

	M.

-- 
Jazz is not dead, it just smells funny.