Re: [PATCH] soc/fsl/qe: fix err handling of ucc_of_parse_tdm

From: Li Yang
Date: Wed Dec 05 2018 - 15:10:04 EST


On Thu, Nov 22, 2018 at 2:42 PM Yi Wang <wang.yi59@xxxxxxxxxx> wrote:
>
> From: Wen Yang <wen.yang99@xxxxxxxxxx>
>
> Currently there are 2 problems with the ucc_of_parse_tdm function:
> 1, a possible null pointer dereference in ucc_of_parse_tdm,
> detected by the semantic patch deref_null.cocci,
> with the following warning:
> drivers/soc/fsl/qe/qe_tdm.c:177:21-24: ERROR: pdev is NULL but dereferenced.
> 2, dev gets modified, so in any case that devm_iounmap() will fail even when
> the new pdev is valid, because the iomap was done with a different pdev.
> This patch fixes them.

While we are at this, I think this logic needs more serious fixing. I
see there is no driver bound to the "fsl,t1040-qe-si" or
"fsl,t1040-qe-siram" device. So allocating resources using devm_*()
with these devices won't provide a cleanup path for these resources
when the caller fails. I think we should probably allocate the resources
under the device of the caller (e.g. ucc-hdlc), so that when the caller's
probe fails or it is removed, it will trigger the cleanup.

>
> Suggested-by: Christophe LEROY <christophe.leroy@xxxxxx>
> Signed-off-by: Wen Yang <wen.yang99@xxxxxxxxxx>
> CC: Julia Lawall <julia.lawall@xxxxxxx>
> CC: Zhao Qiang <qiang.zhao@xxxxxxx>
> ---
> drivers/soc/fsl/qe/qe_tdm.c | 20 ++++++++++----------
> 1 file changed, 10 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/soc/fsl/qe/qe_tdm.c b/drivers/soc/fsl/qe/qe_tdm.c
> index f78c346..9a29f0b 100644
> --- a/drivers/soc/fsl/qe/qe_tdm.c
> +++ b/drivers/soc/fsl/qe/qe_tdm.c
> @@ -47,7 +47,7 @@ int ucc_of_parse_tdm(struct device_node *np, struct ucc_tdm *utdm,
> struct resource *res;
> struct device_node *np2;
> static int siram_init_flag;
> - struct platform_device *pdev;
> + struct platform_device *pdev_si, *pdev_siram;
>
> sprop = of_get_property(np, "fsl,rx-sync-clock", NULL);
> if (sprop) {
> @@ -129,16 +129,16 @@ int ucc_of_parse_tdm(struct device_node *np, struct ucc_tdm *utdm,
> if (!np2)
> return -EINVAL;
>
> - pdev = of_find_device_by_node(np2);
> - if (!pdev) {
> + pdev_si = of_find_device_by_node(np2);
> + if (!pdev_si) {
> pr_err("%pOFn: failed to lookup pdev\n", np2);
> of_node_put(np2);
> return -EINVAL;
> }
>
> of_node_put(np2);
> - res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
> - utdm->si_regs = devm_ioremap_resource(&pdev->dev, res);
> + res = platform_get_resource(pdev_si, IORESOURCE_MEM, 0);
> + utdm->si_regs = devm_ioremap_resource(&pdev_si->dev, res);
> if (IS_ERR(utdm->si_regs)) {
> ret = PTR_ERR(utdm->si_regs);
> goto err_miss_siram_property;
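Review bot: pdev_si is obtained from of_find_device_by_node(), which returns the device with a reference held, and none of the paths visible in this hunk drops it, neither the IS_ERR(utdm->si_regs) branch nor the normal flow. Add a put_device(&pdev_si->dev) once the pointer is no longer needed and on the error path; the same applies to pdev_siram in the later lookup.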
> @@ -150,8 +150,8 @@ int ucc_of_parse_tdm(struct device_node *np, struct ucc_tdm *utdm,
> goto err_miss_siram_property;
> }
>
> - pdev = of_find_device_by_node(np2);
> - if (!pdev) {
> + pdev_siram = of_find_device_by_node(np2);
> + if (!pdev_siram) {
> ret = -EINVAL;
> pr_err("%pOFn: failed to lookup pdev\n", np2);
> of_node_put(np2);
> @@ -159,8 +159,8 @@ int ucc_of_parse_tdm(struct device_node *np, struct ucc_tdm *utdm,
> }
>
> of_node_put(np2);
> - res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
> - utdm->siram = devm_ioremap_resource(&pdev->dev, res);
> + res = platform_get_resource(pdev_siram, IORESOURCE_MEM, 0);
> + utdm->siram = devm_ioremap_resource(&pdev_siram->dev, res);
> if (IS_ERR(utdm->siram)) {
> ret = PTR_ERR(utdm->siram);
> goto err_miss_siram_property;
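Review bot: devm_ioremap_resource(&pdev_siram->dev, res) puts the siram mapping on the devres list of the siram device rather than the caller's device, so it is only released when that device's driver detaches, and the error label below unmaps si_regs only. If the caller fails after this function has returned successfully, nothing undoes either mapping. Consider passing the caller's struct device into ucc_of_parse_tdm() and using it for both devm_ioremap_resource() calls, which would also make the manual devm_iounmap() unnecessary.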
> @@ -174,7 +174,7 @@ int ucc_of_parse_tdm(struct device_node *np, struct ucc_tdm *utdm,
> return ret;
>
> err_miss_siram_property:
> - devm_iounmap(&pdev->dev, utdm->si_regs);
> + devm_iounmap(&pdev_si->dev, utdm->si_regs);
> return ret;
> }
> EXPORT_SYMBOL(ucc_of_parse_tdm);
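Review bot: at err_miss_siram_property, devm_iounmap(&pdev_si->dev, utdm->si_regs) is also reached from the IS_ERR(utdm->si_regs) branch earlier in the function, where si_regs holds an error pointer rather than a mapping. Return ret directly from that branch, or add a separate label, so the unmap only runs after the si_regs mapping has succeeded. The label name also no longer describes what the path cleans up and could be renamed while this is being touched.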
> --
> 2.9.5
>