1. Patchew
  2. linux
  3. View series

[PATCH] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()

Dan Carpenter posted 1 patch 7 months, 1 week ago 
drivers/pmdomain/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()
Posted by Dan Carpenter 7 months, 1 week ago 
The error checking for of_count_phandle_with_args() does not handle
negative error codes correctly.  The problem is that "index" is a u32 so
in the condition "if (index >= num_domains)" negative error codes stored
in "num_domains" are type promoted to very high positive values and
"index" is always going to be valid.

Test for negative error codes first and then test if "index" is valid.

Fixes: 3ccf3f0cd197 ("PM / Domains: Enable genpd_dev_pm_attach_by_id|name() for single PM domain")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/pmdomain/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c
index cd4429653093..ff5c7f2b69ce 100644
--- a/drivers/pmdomain/core.c
+++ b/drivers/pmdomain/core.c
@@ -3176,7 +3176,7 @@ struct device *genpd_dev_pm_attach_by_id(struct device *dev,
 	/* Verify that the index is within a valid range. */
 	num_domains = of_count_phandle_with_args(dev->of_node, "power-domains",
 						 "#power-domain-cells");
-	if (index >= num_domains)
+	if (num_domains < 0 || index >= num_domains)
 		return NULL;
 
 	/* Allocate and register device on the genpd bus. */
-- 
2.47.2
Re: [PATCH] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()
Posted by Ulf Hansson 7 months, 1 week ago 
On Thu, 8 May 2025 at 08:29, Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> The error checking for of_count_phandle_with_args() does not handle
> negative error codes correctly.  The problem is that "index" is a u32 so
> in the condition "if (index >= num_domains)" negative error codes stored
> in "num_domains" are type promoted to very high positive values and
> "index" is always going to be valid.
>
> Test for negative error codes first and then test if "index" is valid.
>
> Fixes: 3ccf3f0cd197 ("PM / Domains: Enable genpd_dev_pm_attach_by_id|name() for single PM domain")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Thanks for the fix! It looks correct to me!

What puzzles me though, if this is a real problem I am sure we would
have been receiving bug reports, don't you think?

Kind regards
Uffe

> ---
>  drivers/pmdomain/core.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c
> index cd4429653093..ff5c7f2b69ce 100644
> --- a/drivers/pmdomain/core.c
> +++ b/drivers/pmdomain/core.c
> @@ -3176,7 +3176,7 @@ struct device *genpd_dev_pm_attach_by_id(struct device *dev,
>         /* Verify that the index is within a valid range. */
>         num_domains = of_count_phandle_with_args(dev->of_node, "power-domains",
>                                                  "#power-domain-cells");
> -       if (index >= num_domains)
> +       if (num_domains < 0 || index >= num_domains)
>                 return NULL;
>
>         /* Allocate and register device on the genpd bus. */
> --
> 2.47.2
>
Re: [PATCH] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()
Posted by Dan Carpenter 7 months, 1 week ago 
On Thu, May 08, 2025 at 12:14:41PM +0200, Ulf Hansson wrote:
> On Thu, 8 May 2025 at 08:29, Dan Carpenter <dan.carpenter@linaro.org> wrote:
> >
> > The error checking for of_count_phandle_with_args() does not handle
> > negative error codes correctly.  The problem is that "index" is a u32 so
> > in the condition "if (index >= num_domains)" negative error codes stored
> > in "num_domains" are type promoted to very high positive values and
> > "index" is always going to be valid.
> >
> > Test for negative error codes first and then test if "index" is valid.
> >
> > Fixes: 3ccf3f0cd197 ("PM / Domains: Enable genpd_dev_pm_attach_by_id|name() for single PM domain")
> > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> 
> Thanks for the fix! It looks correct to me!
> 
> What puzzles me though, if this is a real problem I am sure we would
> have been receiving bug reports, don't you think?
> 

I think it would only cause an issue for invalid devicetrees?  So it's
probably not an issue people often see in real life.

regards,
dan carpenter
Re: [PATCH] pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()
Posted by Ulf Hansson 7 months, 1 week ago 
On Thu, 8 May 2025 at 12:34, Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> On Thu, May 08, 2025 at 12:14:41PM +0200, Ulf Hansson wrote:
> > On Thu, 8 May 2025 at 08:29, Dan Carpenter <dan.carpenter@linaro.org> wrote:
> > >
> > > The error checking for of_count_phandle_with_args() does not handle
> > > negative error codes correctly.  The problem is that "index" is a u32 so
> > > in the condition "if (index >= num_domains)" negative error codes stored
> > > in "num_domains" are type promoted to very high positive values and
> > > "index" is always going to be valid.
> > >
> > > Test for negative error codes first and then test if "index" is valid.
> > >
> > > Fixes: 3ccf3f0cd197 ("PM / Domains: Enable genpd_dev_pm_attach_by_id|name() for single PM domain")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> >
> > Thanks for the fix! It looks correct to me!
> >
> > What puzzles me though, if this is a real problem I am sure we would
> > have been receiving bug reports, don't you think?
> >
>
> I think it would only cause an issue for invalid devicetrees?  So it's
> probably not an issue people often see in real life.

Yes, you are probably right.

Anyway, I have applied this for fixes and added a stable tag.

Thanks!
Uffe

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.