The current code uses some 'goto put;' to cancel the parsing operation and can lead to a return code value of 0 even on error cases.
Indeed, some goto calls are done from a loop without setting the ret value explicitly before the goto call and so the ret value can be set to 0 due to operation done in previous loop iteration. For instance match can be set to 0 in the previous loop iteration (leading to a new iteration) but ret can also be set to 0 it the of_property_read_u32() call succeed. In that case if no match are found or if an error is detected the new iteration, the return value can be wrongly 0.
Avoid those cases setting the ret value explicitly before the goto calls.
Fixes: bd6f2fd5a1d5 ("of: Support parsing phandle argument lists through a nexus node") Cc: stable@vger.kernel.org Signed-off-by: Herve Codina herve.codina@bootlin.com --- drivers/of/base.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/drivers/of/base.c b/drivers/of/base.c index 7dc394255a0a..809324607a5c 100644 --- a/drivers/of/base.c +++ b/drivers/of/base.c @@ -1507,8 +1507,10 @@ int of_parse_phandle_with_args_map(const struct device_node *np, map_len--;
/* Check if not found */ - if (!new) + if (!new) { + ret = -EINVAL; goto put; + }
if (!of_device_is_available(new)) match = 0; @@ -1518,17 +1520,20 @@ int of_parse_phandle_with_args_map(const struct device_node *np, goto put;
/* Check for malformed properties */ - if (WARN_ON(new_size > MAX_PHANDLE_ARGS)) - goto put; - if (map_len < new_size) + if (WARN_ON(new_size > MAX_PHANDLE_ARGS) || + map_len < new_size) { + ret = -EINVAL; goto put; + }
/* Move forward by new node's #<list>-cells amount */ map += new_size; map_len -= new_size; } - if (!match) + if (!match) { + ret = -ENOENT; goto put; + }
/* Get the <list>-map-pass-thru property (optional) */ pass = of_get_property(cur, pass_name, NULL);
On Mon, 02 Dec 2024 17:58:19 +0100, Herve Codina wrote:
The current code uses some 'goto put;' to cancel the parsing operation and can lead to a return code value of 0 even on error cases.
Indeed, some goto calls are done from a loop without setting the ret value explicitly before the goto call and so the ret value can be set to 0 due to operation done in previous loop iteration. For instance match can be set to 0 in the previous loop iteration (leading to a new iteration) but ret can also be set to 0 it the of_property_read_u32() call succeed. In that case if no match are found or if an error is detected the new iteration, the return value can be wrongly 0.
Avoid those cases setting the ret value explicitly before the goto calls.
Fixes: bd6f2fd5a1d5 ("of: Support parsing phandle argument lists through a nexus node") Cc: stable@vger.kernel.org Signed-off-by: Herve Codina herve.codina@bootlin.com
drivers/of/base.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-)
Applied, thanks!
linux-stable-mirror@lists.linaro.org