Message ID | 20210513050924.627625-1-yangyingliang@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Series | [-next] vfio: platform: reset: add missing iounmap() on error in vfio_platform_amdxgbe_reset() |
On Thu, 13 May 2021 13:09:24 +0800 Yang Yingliang <yangyingliang@huawei.com> wrote: > Add the missing iounmap() before return from vfio_platform_amdxgbe_reset() > in the error handling case. > > Fixes: 0990822c9866 ("VFIO: platform: reset: AMD xgbe reset module") > Reported-by: Hulk Robot <hulkci@huawei.com> > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > --- > drivers/vfio/platform/reset/vfio_platform_amdxgbe.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/vfio/platform/reset/vfio_platform_amdxgbe.c b/drivers/vfio/platform/reset/vfio_platform_amdxgbe.c > index abdca900802d..c6d823a27bd6 100644 > --- a/drivers/vfio/platform/reset/vfio_platform_amdxgbe.c > +++ b/drivers/vfio/platform/reset/vfio_platform_amdxgbe.c > @@ -61,8 +61,10 @@ static int vfio_platform_amdxgbe_reset(struct vfio_platform_device *vdev) > if (!xpcs_regs->ioaddr) { > xpcs_regs->ioaddr = > ioremap(xpcs_regs->addr, xpcs_regs->size); > - if (!xpcs_regs->ioaddr) > + if (!xpcs_regs->ioaddr) { > + iounmap(xgmac_regs->ioaddr); > return -ENOMEM; > + } > } > > /* reset the PHY through MDIO*/

This actually introduces multiple bugs. vfio-platform has common code for calling iounmap when the device is released and the struct vfio_platform_region ioaddr member is re-used throughout the code. Performing an iounmap() without setting the value to NULL essentially introduces use-after-free and double free bugs. There's no bug in the original afaict, the iounmap occurs lazily on release.

Thanks,
Alex
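The failure mode described in the reply above, as an added userspace C model that is not code from the thread or from the kernel tree: a region pointer that is unmapped but not cleared gets reused by a retried reset and unmapped again on release. The `model_*` helpers, `run_scenario`, the retry sequence, the shape of the release path and the xgmac lazy-map guard are all assumptions made for the illustration.

```c
#include <stdio.h>

/* Constructed userspace model; nothing here is kernel code. */
struct mapping { int alive; };              /* stands in for an ioremap()ed range */
struct region { struct mapping *ioaddr; };  /* stands in for vfio_platform_region */
static struct mapping pool[8];
static int next_slot, stale_accesses;

static struct mapping *model_ioremap(int fail) {
    if (fail) return NULL;
    pool[next_slot].alive = 1;
    return &pool[next_slot++];
}
/* Counts any touch of a mapping that was already torn down. */
static void model_touch(struct mapping *m) { if (!m->alive) stale_accesses++; }
static void model_iounmap(struct mapping *m) { model_touch(m); m->alive = 0; }
/* Lazy-map reset; the xgmac guard is assumed to mirror the xpcs one in the hunk. */
static int model_reset(struct region *xgmac, struct region *xpcs, int fail_xpcs, int clear_ptr) {
    if (!xgmac->ioaddr && !(xgmac->ioaddr = model_ioremap(0)))
        return -1;
    if (!xpcs->ioaddr) {
        xpcs->ioaddr = model_ioremap(fail_xpcs);
        if (!xpcs->ioaddr) {
            model_iounmap(xgmac->ioaddr);   /* the unmap the patch adds */
            if (clear_ptr) xgmac->ioaddr = NULL;
            return -1;
        }
    }
    model_touch(xgmac->ioaddr);             /* register access during reset */
    return 0;
}
/* Assumed shape of the release path: unmap whatever pointer is still set. */
static void model_release(struct region *r) {
    if (r->ioaddr) { model_iounmap(r->ioaddr); r->ioaddr = NULL; }
}
/* Failed reset, retried reset, then release; returns stale accesses seen. */
int run_scenario(int clear_ptr) {
    struct region xgmac = { NULL }, xpcs = { NULL };
    next_slot = stale_accesses = 0;
    model_reset(&xgmac, &xpcs, 1, clear_ptr);   /* xpcs mapping fails */
    model_reset(&xgmac, &xpcs, 0, clear_ptr);   /* caller retries */
    model_release(&xgmac);
    model_release(&xpcs);
    return stale_accesses;
}
int main(void) {
    printf("as posted: %d, pointer cleared: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

With the pointer left set, the model records one stale register access on the retry and one stale unmap on release; clearing the pointer after the unmap brings both to zero.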
diff --git a/drivers/vfio/platform/reset/vfio_platform_amdxgbe.c b/drivers/vfio/platform/reset/vfio_platform_amdxgbe.c index abdca900802d..c6d823a27bd6 100644 --- a/drivers/vfio/platform/reset/vfio_platform_amdxgbe.c +++ b/drivers/vfio/platform/reset/vfio_platform_amdxgbe.c @@ -61,8 +61,10 @@ static int vfio_platform_amdxgbe_reset(struct vfio_platform_device *vdev) if (!xpcs_regs->ioaddr) { xpcs_regs->ioaddr = ioremap(xpcs_regs->addr, xpcs_regs->size); - if (!xpcs_regs->ioaddr) + if (!xpcs_regs->ioaddr) { + iounmap(xgmac_regs->ioaddr); return -ENOMEM; + } } /* reset the PHY through MDIO*/
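Review bot: in the new error branch under `if (!xpcs_regs->ioaddr)`, the added `iounmap(xgmac_regs->ioaddr);` leaves `xgmac_regs->ioaddr` holding the address it just unmapped. The `if (!xpcs_regs->ioaddr)` guard in the same hunk shows that a non-NULL ioaddr is kept across calls and read as "already mapped", so any later code that tests, dereferences or unmaps `xgmac_regs->ioaddr` would be working on a dead mapping. Either drop the added unmap and leave the xgmac mapping to be torn down wherever the regions are normally unmapped, or follow it with `xgmac_regs->ioaddr = NULL;`. The commit message should also say why the mapping counts as leaked at this return, since the pointer is stored in the region rather than in a local.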
Add the missing iounmap() before return from vfio_platform_amdxgbe_reset() in the error handling case.

Fixes: 0990822c9866 ("VFIO: platform: reset: AMD xgbe reset module")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

---
 drivers/vfio/platform/reset/vfio_platform_amdxgbe.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)