| Message ID | f1eaec48-cabb-5fc6-942b-f1ef7af9bb57@web.de (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | firmware: ti_sci: Fix exception handling in ti_sci_probe() | expand |
On 22:10-20230405, Markus Elfring wrote: > Date: Wed, 5 Apr 2023 22:00:18 +0200 B4 does'nt pick this patch up cleanly. And for some reason, I get mangled patch from public-inbox as well :( a clean git-send-email might help. > > The label “out” was used to jump to another pointer check despite of Please use " for quotes. > the detail in the implementation of the function “ti_sci_probe” > that it was determined already that the corresponding variable > contained an error pointer because of a failed call of > the function “mbox_request_channel_byname”. > > * Thus use more appropriate labels instead. > > * Delete two redundant checks. > How about this: Optimize out the redundant pointer check in exit path of "out" using appropriate labels to jump in the error path > Drop the extra EoL > This issue was detected by using the Coccinelle software. Curious: what rule of coccicheck caught this? > > Fixes: aa276781a64a5f15ecc21e920960c5b1f84e5fee ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol") 12 char sha please. Please read Documentation/process/submitting-patches.rst > Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> > --- > drivers/firmware/ti_sci.c | 19 ++++++++++--------- > 1 file changed, 10 insertions(+), 9 deletions(-) > > diff --git a/drivers/firmware/ti_sci.c b/drivers/firmware/ti_sci.c > index 039d92a595ec..77012d2f4160 100644 > --- a/drivers/firmware/ti_sci.c turns out as =2D-- instead of -- (might check the git format-patch output closer). > +++ b/drivers/firmware/ti_sci.c > @@ -3433,18 +3433,18 @@ static int ti_sci_probe(struct platform_device *pdev) > info->chan_rx = mbox_request_channel_byname(cl, "rx"); > if (IS_ERR(info->chan_rx)) { > ret = PTR_ERR(info->chan_rx); > - goto out; > + goto remove_debugfs; > } > > info->chan_tx = mbox_request_channel_byname(cl, "tx"); > if (IS_ERR(info->chan_tx)) { > ret = PTR_ERR(info->chan_tx); > - goto out; > + goto free_mbox_channel_rx; > } > ret = ti_sci_cmd_get_revision(info); > if (ret) { > dev_err(dev, "Unable to communicate with TISCI(%d)\n", ret); > - goto out; > + goto free_mbox_channel_tx; > } > > ti_sci_setup_ops(info); > @@ -3456,7 +3456,7 @@ static int ti_sci_probe(struct platform_device *pdev) > ret = register_restart_handler(&info->nb); > if (ret) { > dev_err(dev, "reboot registration fail(%d)\n", ret); > - goto out; > + goto free_mbox_channel_tx; > } > } > > @@ -3470,11 +3470,12 @@ static int ti_sci_probe(struct platform_device *pdev) > mutex_unlock(&ti_sci_list_mutex); > > return of_platform_populate(dev->of_node, NULL, NULL, dev); > -out: > - if (!IS_ERR(info->chan_tx)) > - mbox_free_channel(info->chan_tx); > - if (!IS_ERR(info->chan_rx)) > - mbox_free_channel(info->chan_rx); > + > +free_mbox_channel_tx: > + mbox_free_channel(info->chan_tx); > +free_mbox_channel_rx: > + mbox_free_channel(info->chan_rx); > +remove_debugfs: > debugfs_remove(info->d); > return ret; > } > -- > 2.40.0 >
>> This issue was detected by using the Coccinelle software. > > Curious: what rule of coccicheck caught this? None. (So far) See also: Reconsidering repeated checks for error pointers (with SmPL) 2023-04-04 https://lore.kernel.org/cocci/8f785de5-ebe2-edd9-2155-f440acacc643@web.de/ https://sympa.inria.fr/sympa/arc/cocci/2023-04/msg00008.html Regards, Markus
On Tue, May 16, 2023 at 10:20:43AM -0500, Nishanth Menon wrote: > On 22:10-20230405, Markus Elfring wrote: > > Date: Wed, 5 Apr 2023 22:00:18 +0200 > > B4 does'nt pick this patch up cleanly. And for some reason, I get > mangled patch from public-inbox as well :( a clean git-send-email might > help. > It's an awkward thing. B4 doesn't work because Markus was banned from LKML because he doesn't listen to feedback. > > > > The label “out” was used to jump to another pointer check despite of > > Please use " for quotes. > > > the detail in the implementation of the function “ti_sci_probe” > > that it was determined already that the corresponding variable > > contained an error pointer because of a failed call of > > the function “mbox_request_channel_byname”. > > > > > * Thus use more appropriate labels instead. > > > > * Delete two redundant checks. > > > > How about this: > > Optimize out the redundant pointer check in exit path of "out" using > appropriate labels to jump in the error path > > > Drop the extra EoL > > > This issue was detected by using the Coccinelle software. > > Curious: what rule of coccicheck caught this? > > > > > Fixes: aa276781a64a5f15ecc21e920960c5b1f84e5fee ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol") > > 12 char sha please. Please read Documentation/process/submitting-patches.rst > For example, Markus has been told to use 12 char shas several times before. > > Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> > > --- > > drivers/firmware/ti_sci.c | 19 ++++++++++--------- > > 1 file changed, 10 insertions(+), 9 deletions(-) > > > > diff --git a/drivers/firmware/ti_sci.c b/drivers/firmware/ti_sci.c > > index 039d92a595ec..77012d2f4160 100644 > > --- a/drivers/firmware/ti_sci.c > turns out as =2D-- instead of -- (might check the git format-patch > output closer). > > > +++ b/drivers/firmware/ti_sci.c > > @@ -3433,18 +3433,18 @@ static int ti_sci_probe(struct platform_device *pdev) > > info->chan_rx = mbox_request_channel_byname(cl, "rx"); > > if (IS_ERR(info->chan_rx)) { > > ret = PTR_ERR(info->chan_rx); > > - goto out; > > + goto remove_debugfs; > > } > > > > info->chan_tx = mbox_request_channel_byname(cl, "tx"); > > if (IS_ERR(info->chan_tx)) { > > ret = PTR_ERR(info->chan_tx); > > - goto out; > > + goto free_mbox_channel_rx; > > } > > ret = ti_sci_cmd_get_revision(info); > > if (ret) { > > dev_err(dev, "Unable to communicate with TISCI(%d)\n", ret); > > - goto out; > > + goto free_mbox_channel_tx; > > } > > > > ti_sci_setup_ops(info); > > @@ -3456,7 +3456,7 @@ static int ti_sci_probe(struct platform_device *pdev) > > ret = register_restart_handler(&info->nb); > > if (ret) { > > dev_err(dev, "reboot registration fail(%d)\n", ret); > > - goto out; > > + goto free_mbox_channel_tx; > > } > > } > > > > @@ -3470,11 +3470,12 @@ static int ti_sci_probe(struct platform_device *pdev) > > mutex_unlock(&ti_sci_list_mutex); > > > > return of_platform_populate(dev->of_node, NULL, NULL, dev); There is a bug here because the resources are not freed if of_platform_populate() fails. The "info" struct is devm_ allocated but it's still on the &ti_sci_list list, so that will lead to a use after free. regards, dan carpenter > > -out: > > - if (!IS_ERR(info->chan_tx)) > > - mbox_free_channel(info->chan_tx); > > - if (!IS_ERR(info->chan_rx)) > > - mbox_free_channel(info->chan_rx); > > + > > +free_mbox_channel_tx: > > + mbox_free_channel(info->chan_tx); > > +free_mbox_channel_rx: > > + mbox_free_channel(info->chan_rx); > > +remove_debugfs: > > debugfs_remove(info->d); > > return ret; > > }
diff --git a/drivers/firmware/ti_sci.c b/drivers/firmware/ti_sci.c index 039d92a595ec..77012d2f4160 100644 --- a/drivers/firmware/ti_sci.c +++ b/drivers/firmware/ti_sci.c @@ -3433,18 +3433,18 @@ static int ti_sci_probe(struct platform_device *pdev) info->chan_rx = mbox_request_channel_byname(cl, "rx"); if (IS_ERR(info->chan_rx)) { ret = PTR_ERR(info->chan_rx); - goto out; + goto remove_debugfs; } info->chan_tx = mbox_request_channel_byname(cl, "tx"); if (IS_ERR(info->chan_tx)) { ret = PTR_ERR(info->chan_tx); - goto out; + goto free_mbox_channel_rx; } ret = ti_sci_cmd_get_revision(info); if (ret) { dev_err(dev, "Unable to communicate with TISCI(%d)\n", ret); - goto out; + goto free_mbox_channel_tx; } ti_sci_setup_ops(info); @@ -3456,7 +3456,7 @@ static int ti_sci_probe(struct platform_device *pdev) ret = register_restart_handler(&info->nb); if (ret) { dev_err(dev, "reboot registration fail(%d)\n", ret); - goto out; + goto free_mbox_channel_tx; } } @@ -3470,11 +3470,12 @@ static int ti_sci_probe(struct platform_device *pdev) mutex_unlock(&ti_sci_list_mutex); return of_platform_populate(dev->of_node, NULL, NULL, dev); -out: - if (!IS_ERR(info->chan_tx)) - mbox_free_channel(info->chan_tx); - if (!IS_ERR(info->chan_rx)) - mbox_free_channel(info->chan_rx); + +free_mbox_channel_tx: + mbox_free_channel(info->chan_tx); +free_mbox_channel_rx: + mbox_free_channel(info->chan_rx); +remove_debugfs: debugfs_remove(info->d); return ret; }
Date: Wed, 5 Apr 2023 22:00:18 +0200 The label “out” was used to jump to another pointer check despite of the detail in the implementation of the function “ti_sci_probe” that it was determined already that the corresponding variable contained an error pointer because of a failed call of the function “mbox_request_channel_byname”. * Thus use more appropriate labels instead. * Delete two redundant checks. This issue was detected by using the Coccinelle software. Fixes: aa276781a64a5f15ecc21e920960c5b1f84e5fee ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol") Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> --- drivers/firmware/ti_sci.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) -- 2.40.0