From: Chen-Yu Tsai <wenst@chromium.org>
To: Matthias Brugger <matthias.bgg@gmail.com>,
AngeloGioacchino Del Regno
<angelogioacchino.delregno@collabora.com>,
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Cc: Chen-Yu Tsai <wenst@chromium.org>,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org,
William-tw Lin <william-tw.lin@mediatek.com>
Subject: [PATCH 1/3] soc: mediatek: mtk-socinfo: Clean up NVMEM cell read
Date: Tue, 30 Jan 2024 17:56:51 +0800 [thread overview]
Message-ID: <20240130095656.3712469-2-wenst@chromium.org> (raw)
In-Reply-To: <20240130095656.3712469-1-wenst@chromium.org>
The mtk-socinfo grabs the NVMEM device devm_nvmem_device_get(), but then
proceeds to put the device directly with nvmem_device_put() if the read
is successful. If the device fails to probe and goes through the devres
release path, the device would be put a second time, triggering a
use-after-free error from KASAN.
Fix this by dropping the devres part. Since the NVMEM cell data is read
only once, there is no need to keep the reference around.
While at it, clean up the function to directly reference the NVMEM
device node and use that to find the NVMEM device, instead of finding it
by name, which is more fragile. The cell node is always a direct child
of the NVMEM device node, courtesy of the legacy NVMEM cell layout. Thus
of_get_child_by_name() is a better way of finding the cell. Last,
correctly put the device node once its use is over.
Fixes: 423a54da3c7e ("soc: mediatek: mtk-socinfo: Add driver for getting chip information")
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
---
drivers/soc/mediatek/mtk-socinfo.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/drivers/soc/mediatek/mtk-socinfo.c b/drivers/soc/mediatek/mtk-socinfo.c
index 0094f43e1e08..3909d22062ce 100644
--- a/drivers/soc/mediatek/mtk-socinfo.c
+++ b/drivers/soc/mediatek/mtk-socinfo.c
@@ -9,6 +9,7 @@
#include <linux/pm_runtime.h>
#include <linux/nvmem-consumer.h>
#include <linux/device.h>
+#include <linux/device/bus.h>
#include <linux/debugfs.h>
#include <linux/seq_file.h>
#include <linux/string.h>
@@ -82,25 +83,28 @@ static int mtk_socinfo_create_socinfo_node(struct mtk_socinfo *mtk_socinfop)
static u32 mtk_socinfo_read_cell(struct device *dev, const char *name)
{
struct nvmem_device *nvmemp;
- struct device_node *np = dev->of_node;
+ struct device_node *np, *nvmem_node = dev->parent->of_node;
u32 offset;
u32 cell_val = CELL_NOT_USED;
- nvmemp = devm_nvmem_device_get(dev, "mtk-efuse0");
+ /* should never fail since the nvmem driver registers this child */
+ nvmemp = nvmem_device_find(nvmem_node, device_match_of_node);
if (IS_ERR(nvmemp))
goto out;
- np = of_find_node_by_name(NULL, name);
+ np = of_get_child_by_name(nvmem_node, name);
if (!np)
- goto out;
+ goto put_device;
if (of_property_read_u32_index(np, "reg", 0, &offset))
- goto out;
+ goto put_node;
nvmem_device_read(nvmemp, offset, sizeof(cell_val), &cell_val);
+put_node:
+ of_node_put(np);
+put_device:
nvmem_device_put(nvmemp);
-
out:
return cell_val;
}
--
2.43.0.429.g432eaa2c6b-goog
WARNING: multiple messages have this Message-ID (diff)
From: Chen-Yu Tsai <wenst@chromium.org>
To: Matthias Brugger <matthias.bgg@gmail.com>,
AngeloGioacchino Del Regno
<angelogioacchino.delregno@collabora.com>,
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Cc: Chen-Yu Tsai <wenst@chromium.org>,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org,
William-tw Lin <william-tw.lin@mediatek.com>
Subject: [PATCH 1/3] soc: mediatek: mtk-socinfo: Clean up NVMEM cell read
Date: Tue, 30 Jan 2024 17:56:51 +0800 [thread overview]
Message-ID: <20240130095656.3712469-2-wenst@chromium.org> (raw)
In-Reply-To: <20240130095656.3712469-1-wenst@chromium.org>
The mtk-socinfo grabs the NVMEM device devm_nvmem_device_get(), but then
proceeds to put the device directly with nvmem_device_put() if the read
is successful. If the device fails to probe and goes through the devres
release path, the device would be put a second time, triggering a
use-after-free error from KASAN.
Fix this by dropping the devres part. Since the NVMEM cell data is read
only once, there is no need to keep the reference around.
While at it, clean up the function to directly reference the NVMEM
device node and use that to find the NVMEM device, instead of finding it
by name, which is more fragile. The cell node is always a direct child
of the NVMEM device node, courtesy of the legacy NVMEM cell layout. Thus
of_get_child_by_name() is a better way of finding the cell. Last,
correctly put the device node once its use is over.
Fixes: 423a54da3c7e ("soc: mediatek: mtk-socinfo: Add driver for getting chip information")
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
---
drivers/soc/mediatek/mtk-socinfo.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/drivers/soc/mediatek/mtk-socinfo.c b/drivers/soc/mediatek/mtk-socinfo.c
index 0094f43e1e08..3909d22062ce 100644
--- a/drivers/soc/mediatek/mtk-socinfo.c
+++ b/drivers/soc/mediatek/mtk-socinfo.c
@@ -9,6 +9,7 @@
#include <linux/pm_runtime.h>
#include <linux/nvmem-consumer.h>
#include <linux/device.h>
+#include <linux/device/bus.h>
#include <linux/debugfs.h>
#include <linux/seq_file.h>
#include <linux/string.h>
@@ -82,25 +83,28 @@ static int mtk_socinfo_create_socinfo_node(struct mtk_socinfo *mtk_socinfop)
static u32 mtk_socinfo_read_cell(struct device *dev, const char *name)
{
struct nvmem_device *nvmemp;
- struct device_node *np = dev->of_node;
+ struct device_node *np, *nvmem_node = dev->parent->of_node;
u32 offset;
u32 cell_val = CELL_NOT_USED;
- nvmemp = devm_nvmem_device_get(dev, "mtk-efuse0");
+ /* should never fail since the nvmem driver registers this child */
+ nvmemp = nvmem_device_find(nvmem_node, device_match_of_node);
if (IS_ERR(nvmemp))
goto out;
- np = of_find_node_by_name(NULL, name);
+ np = of_get_child_by_name(nvmem_node, name);
if (!np)
- goto out;
+ goto put_device;
if (of_property_read_u32_index(np, "reg", 0, &offset))
- goto out;
+ goto put_node;
nvmem_device_read(nvmemp, offset, sizeof(cell_val), &cell_val);
+put_node:
+ of_node_put(np);
+put_device:
nvmem_device_put(nvmemp);
-
out:
return cell_val;
}
--
2.43.0.429.g432eaa2c6b-goog
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2024-01-30 9:57 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-30 9:56 [PATCH 0/3] soc: mediatek: mtk-socinfo: Fixes and cleanup Chen-Yu Tsai
2024-01-30 9:56 ` Chen-Yu Tsai
2024-01-30 9:56 ` Chen-Yu Tsai [this message]
2024-01-30 9:56 ` [PATCH 1/3] soc: mediatek: mtk-socinfo: Clean up NVMEM cell read Chen-Yu Tsai
2024-01-30 11:20 ` AngeloGioacchino Del Regno
2024-01-30 11:20 ` AngeloGioacchino Del Regno
2024-01-30 9:56 ` [PATCH 2/3] soc: mediatek: mtk-socinfo: Add extra entry for MT8183 Chen-Yu Tsai
2024-01-30 9:56 ` Chen-Yu Tsai
2024-01-30 11:19 ` AngeloGioacchino Del Regno
2024-01-30 11:19 ` AngeloGioacchino Del Regno
2024-01-31 7:19 ` William-tw Lin (林鼎崴)
2024-01-30 9:56 ` [PATCH 3/3] nvmem: mtk-efuse: Drop NVMEM device name Chen-Yu Tsai
2024-01-30 9:56 ` Chen-Yu Tsai
2024-01-30 11:15 ` AngeloGioacchino Del Regno
2024-01-30 11:15 ` AngeloGioacchino Del Regno
2024-02-06 16:14 ` Nícolas F. R. A. Prado
2024-02-06 16:14 ` Nícolas F. R. A. Prado
2024-02-13 13:07 ` Srinivas Kandagatla
2024-02-13 13:07 ` Srinivas Kandagatla
2024-02-13 14:13 ` Chen-Yu Tsai
2024-02-13 14:13 ` Chen-Yu Tsai
2024-01-31 8:44 ` [PATCH 0/3] soc: mediatek: mtk-socinfo: Fixes and cleanup AngeloGioacchino Del Regno
2024-01-31 8:44 ` AngeloGioacchino Del Regno
2024-02-13 14:36 ` (subset) " Srinivas Kandagatla
2024-02-13 14:36 ` Srinivas Kandagatla
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240130095656.3712469-2-wenst@chromium.org \
--to=wenst@chromium.org \
--cc=angelogioacchino.delregno@collabora.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=matthias.bgg@gmail.com \
--cc=srinivas.kandagatla@linaro.org \
--cc=william-tw.lin@mediatek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.