From patchwork Fri Apr 16 14:20:46 2021
X-Patchwork-Submitter: Quanyang Wang
X-Patchwork-Id: 12207813
From: quanyang.wang@windriver.com
To: Mark Brown, Michal Simek, Amit Kumar Mahapatra
Cc: linux-spi@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Quanyang Wang
Subject: [V2][PATCH 4/5] spi: spi-zynqmp-gqspi: fix use-after-free in zynqmp_qspi_exec_op
Date: Fri, 16 Apr 2021 22:20:46 +0800
Message-Id: <20210416142047.6349-5-quanyang.wang@windriver.com>
In-Reply-To: <20210416142047.6349-1-quanyang.wang@windriver.com>
References: <20210416142047.6349-1-quanyang.wang@windriver.com>

From: Quanyang Wang

When handling op->addr, it is using the buffer "tmpbuf" which has been freed.
This will trigger a use-after-free KASAN warning. Let's use temporary variables
to store op->addr.val and op->cmd.opcode to fix this issue.

Signed-off-by: Quanyang Wang
--- drivers/spi/spi-zynqmp-gqspi.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/drivers/spi/spi-zynqmp-gqspi.c b/drivers/spi/spi-zynqmp-gqspi.c index 2e2607b5dee9..419bc1e6358b 100644 --- a/drivers/spi/spi-zynqmp-gqspi.c +++ b/drivers/spi/spi-zynqmp-gqspi.c 
@@ -928,8 +928,9 @@ static int zynqmp_qspi_exec_op(struct spi_mem *mem, struct zynqmp_qspi *xqspi = spi_controller_get_devdata (mem->spi->master); int err = 0, i; - u8 *tmpbuf; u32 genfifoentry = 0; + u16 opcode = op->cmd.opcode; + u64 opaddr; dev_dbg(xqspi->dev, "cmd:%#x mode:%d.%d.%d.%d\n", op->cmd.opcode, op->cmd.buswidth, op->addr.buswidth, @@ -942,14 +943,8 @@ static int zynqmp_qspi_exec_op(struct spi_mem *mem, genfifoentry |= xqspi->genfifobus; if (op->cmd.opcode) { - tmpbuf = kzalloc(op->cmd.nbytes, GFP_KERNEL | GFP_DMA); - if (!tmpbuf) { - mutex_unlock(&xqspi->op_lock); - return -ENOMEM; - } - tmpbuf[0] = op->cmd.opcode; reinit_completion(&xqspi->data_completion); - xqspi->txbuf = tmpbuf; + xqspi->txbuf = &opcode; xqspi->rxbuf = NULL; xqspi->bytes_to_transfer = op->cmd.nbytes; xqspi->bytes_to_receive = 0; @@ -963,13 +958,12 @@ static int zynqmp_qspi_exec_op(struct spi_mem *mem, if (!wait_for_completion_timeout (&xqspi->data_completion, msecs_to_jiffies(1000))) { err = -ETIMEDOUT; - kfree(tmpbuf); goto return_err; } - kfree(tmpbuf); } if (op->addr.nbytes) { + xqspi->txbuf = &opaddr; for (i = 0; i < op->addr.nbytes; i++) { *(((u8 *)xqspi->txbuf) + i) = op->addr.val >> (8 * (op->addr.nbytes - i - 1));
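Review bot: In the first hunk (@@ -928), `u16 opcode = op->cmd.opcode;` is later sent as raw bytes through `xqspi->txbuf = &opcode`, so the byte that goes out first depends on CPU endianness, whereas the removed code set `tmpbuf[0] = op->cmd.opcode` explicitly. A `u8` array filled in explicit byte order would keep the wire order independent of the host, and since `bytes_to_transfer` is taken from `op->cmd.nbytes` unchanged, a check that `op->cmd.nbytes` does not exceed the size of that array belongs next to it.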
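Review bot: In the second hunk (@@ -942), `xqspi->txbuf = &opcode;` replaces a buffer that was allocated with `GFP_KERNEL | GFP_DMA` by the address of a stack variable, and the commit message does not say why a DMA-capable buffer is no longer needed. Stack memory must not be passed to the DMA API, so please state in the changelog that the TX path only copies from txbuf by CPU, or keep the allocation and move the kfree() to after the last use of the buffer.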
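Review bot: In the third hunk (@@ -963), the loop that follows `xqspi->txbuf = &opaddr;` stores `op->addr.nbytes` bytes into an 8-byte stack variable, and nothing in the visible lines limits `op->addr.nbytes` to sizeof(opaddr); a larger value would write past `opaddr` on the stack, so a bound check before the loop is worth adding. In the same hunk the `-ETIMEDOUT` path does `goto return_err` with `xqspi->txbuf` still holding the address of a local; unless the code at return_err (not shown here) resets it, a late completion after this function returns would read a dead stack slot, which is the same class of bug this patch sets out to fix. Clearing `xqspi->txbuf` before returning would close that.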