diff options
| author | Florian Fainelli <f.fainelli@gmail.com> | 2017-10-11 17:59:22 -0400 |
|---|---|---|
| committer | Mark Brown <broonie@kernel.org> | 2017-10-12 04:26:23 -0400 |
| commit | c0368e4db4a3e8a3dce40f3f621c06e14c560d79 (patch) | |
| tree | 2670deb7c4dedb121b74a9479761d1a29f16364a | |
| parent | 2bd6bf03f4c1c59381d62c61d03f6cc3fe71f66e (diff) | |
spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path
There was an inversion in how the error path in bcm_qspi_probe() is done
which would make us trip over a KASAN use-after-free report. Turns out
that qspi->dev_ids does not get allocated until later in the probe
process. Fix this by introducing a new lable: qspi_resource_err which
takes care of cleaning up the SPI master instance.
Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
| -rw-r--r-- | drivers/spi/spi-bcm-qspi.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c index 6ef6c44f39f5..a172ab299e80 100644 --- a/drivers/spi/spi-bcm-qspi.c +++ b/drivers/spi/spi-bcm-qspi.c | |||
| @@ -1250,7 +1250,7 @@ int bcm_qspi_probe(struct platform_device *pdev, | |||
| 1250 | goto qspi_probe_err; | 1250 | goto qspi_probe_err; |
| 1251 | } | 1251 | } |
| 1252 | } else { | 1252 | } else { |
| 1253 | goto qspi_probe_err; | 1253 | goto qspi_resource_err; |
| 1254 | } | 1254 | } |
| 1255 | 1255 | ||
| 1256 | res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "bspi"); | 1256 | res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "bspi"); |
| @@ -1272,7 +1272,7 @@ int bcm_qspi_probe(struct platform_device *pdev, | |||
| 1272 | qspi->base[CHIP_SELECT] = devm_ioremap_resource(dev, res); | 1272 | qspi->base[CHIP_SELECT] = devm_ioremap_resource(dev, res); |
| 1273 | if (IS_ERR(qspi->base[CHIP_SELECT])) { | 1273 | if (IS_ERR(qspi->base[CHIP_SELECT])) { |
| 1274 | ret = PTR_ERR(qspi->base[CHIP_SELECT]); | 1274 | ret = PTR_ERR(qspi->base[CHIP_SELECT]); |
| 1275 | goto qspi_probe_err; | 1275 | goto qspi_resource_err; |
| 1276 | } | 1276 | } |
| 1277 | } | 1277 | } |
| 1278 | 1278 | ||
| @@ -1280,7 +1280,7 @@ int bcm_qspi_probe(struct platform_device *pdev, | |||
| 1280 | GFP_KERNEL); | 1280 | GFP_KERNEL); |
| 1281 | if (!qspi->dev_ids) { | 1281 | if (!qspi->dev_ids) { |
| 1282 | ret = -ENOMEM; | 1282 | ret = -ENOMEM; |
| 1283 | goto qspi_probe_err; | 1283 | goto qspi_resource_err; |
| 1284 | } | 1284 | } |
| 1285 | 1285 | ||
| 1286 | for (val = 0; val < num_irqs; val++) { | 1286 | for (val = 0; val < num_irqs; val++) { |
| @@ -1369,8 +1369,9 @@ qspi_reg_err: | |||
| 1369 | bcm_qspi_hw_uninit(qspi); | 1369 | bcm_qspi_hw_uninit(qspi); |
| 1370 | clk_disable_unprepare(qspi->clk); | 1370 | clk_disable_unprepare(qspi->clk); |
| 1371 | qspi_probe_err: | 1371 | qspi_probe_err: |
| 1372 | spi_master_put(master); | ||
| 1373 | kfree(qspi->dev_ids); | 1372 | kfree(qspi->dev_ids); |
| 1373 | qspi_resource_err: | ||
| 1374 | spi_master_put(master); | ||
| 1374 | return ret; | 1375 | return ret; |
| 1375 | } | 1376 | } |
| 1376 | /* probe function to be called by SoC specific platform driver probe */ | 1377 | /* probe function to be called by SoC specific platform driver probe */ |