From patchwork Wed Oct  1 16:02:51 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Grant Likely <grant.likely@linaro.org>
X-Patchwork-Id: 38250
Return-Path: <patchwork-forward+bncBCJP567ORICBBU6LWCQQKGQESK6Y46I@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-wi0-f198.google.com (mail-wi0-f198.google.com
 [209.85.212.198])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 601F4202E7
 for <linaro@patches.linaro.org>; Wed,  1 Oct 2014 16:03:32 +0000 (UTC)
Received: by mail-wi0-f198.google.com with SMTP id hi2sf35725wib.9
 for <linaro@patches.linaro.org>; Wed, 01 Oct 2014 09:03:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:delivered-to:from:to:cc:subject
 :date:message-id:sender:precedence:list-id:x-original-sender
 :x-original-authentication-results:mailing-list:list-post:list-help
 :list-archive:list-unsubscribe;
 bh=DyeEujRnz9/7DZWXmmmq3gP8JyrNPkM8W54E7WsVKkQ=;
 b=R1NJXIKlbOk1gPLFVZ9dhRyEps0BL+WURugHg169oxUiRzbXEjHm40ZXyUdwRyjkIZ
 wPxp9rPpVuD60Ohgf7egXWWiLNU122TSxl/5auWELVUBJzxursGDhpPQCJQK8jW14N0v
 ssEiCMVDlEVx9+hh4rR9NznDxuFZOQIQniaMzfJF5t2DLiTxpgqdei8JsLrhDXnupChh
 7Zfq+vSSklwJfLgjxcQQkiC/bfBIVLn+KNgC2izTaXpW/Fzs+quF+Gc04k6cUzdOvkpl
 0FqiiXj5ERdLYzkwO0qou1yKqy3vFcJnhwMZ/K3ENJAt5vaArGXU+7TGhNYDTPJfjsoo
 ouVA==
X-Gm-Message-State: ALoCoQmnMpbzwxd1n2OMtYWW0NwsuPMyVQMn8NKkVyZYHnBi6lQu0hTux94A+r50AaapalWKT0qm
X-Received: by 10.112.199.169 with SMTP id jl9mr15086lbc.24.1412179411446;
 Wed, 01 Oct 2014 09:03:31 -0700 (PDT)
MIME-Version: 1.0
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.152.203.136 with SMTP id kq8ls175611lac.94.gmail; Wed, 01 Oct
 2014 09:03:31 -0700 (PDT)
X-Received: by 10.152.4.165 with SMTP id l5mr57477106lal.49.1412179411305;
 Wed, 01 Oct 2014 09:03:31 -0700 (PDT)
Received: from mail-lb0-f180.google.com (mail-lb0-f180.google.com
 [209.85.217.180]) by mx.google.com with ESMTPS id
 am7si2398040lac.74.2014.10.01.09.03.31
 for <patchwork-forward@linaro.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Wed, 01 Oct 2014 09:03:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.217.180 as permitted sender) client-ip=209.85.217.180; 
Received: by mail-lb0-f180.google.com with SMTP id f15so615297lbj.25
 for <patchwork-forward@linaro.org>;
 Wed, 01 Oct 2014 09:03:31 -0700 (PDT)
X-Received: by 10.152.7.73 with SMTP id h9mr24517013laa.27.1412179411153;
 Wed, 01 Oct 2014 09:03:31 -0700 (PDT)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patch@linaro.org
Received: by 10.112.130.169 with SMTP id of9csp561241lbb;
 Wed, 1 Oct 2014 09:03:30 -0700 (PDT)
X-Received: by 10.68.193.194 with SMTP id hq2mr3494738pbc.169.1412179409512; 
 Wed, 01 Oct 2014 09:03:29 -0700 (PDT)
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id ki1si1375945pbd.5.2014.10.01.09.03.28
 for <multiple recipients>; Wed, 01 Oct 2014 09:03:29 -0700 (PDT)
Received-SPF: none (google.com: devicetree-owner@vger.kernel.org does not
 designate permitted sender hosts) client-ip=209.132.180.67; 
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1751461AbaJAQD2 (ORCPT <rfc822;patch@linaro.org> + 5 others);
 Wed, 1 Oct 2014 12:03:28 -0400
Received: from mail-wi0-f174.google.com ([209.85.212.174]:46748 "EHLO
 mail-wi0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1751398AbaJAQD1 (ORCPT
 <rfc822; devicetree@vger.kernel.org>); Wed, 1 Oct 2014 12:03:27 -0400
Received: by mail-wi0-f174.google.com with SMTP id cc10so1100828wib.13
 for <devicetree@vger.kernel.org>;
 Wed, 01 Oct 2014 09:03:26 -0700 (PDT)
X-Received: by 10.180.218.99 with SMTP id pf3mr15690899wic.19.1412179406119; 
 Wed, 01 Oct 2014 09:03:26 -0700 (PDT)
Received: from trevor.secretlab.ca
 (host86-166-87-213.range86-166.btcentralplus.com. [86.166.87.213])
 by mx.google.com with ESMTPSA id
 mx19sm2328631wic.3.2014.10.01.09.03.24 for <multiple recipients>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 01 Oct 2014 09:03:25 -0700 (PDT)
Received: by trevor.secretlab.ca (Postfix, from userid 1000)
 id 29BEDC40A78; Wed,  1 Oct 2014 09:03:02 -0700 (PDT)
From: Grant Likely <grant.likely@linaro.org>
To: linux-kernel@vger.kernel.org, devicetree@vger.kernel.org
Cc: Grant Likely <grant.likely@linaro.org>,
 Gaurav Minocha <gaurav.minocha.os@gmail.com>
Subject: [PATCH] of: Fix NULL dereference in selftest removal code
Date: Wed,  1 Oct 2014 17:02:51 +0100
Message-Id: <1412179371-4053-1-git-send-email-grant.likely@linaro.org>
X-Mailer: git-send-email 1.9.1
Sender: devicetree-owner@vger.kernel.org
Precedence: list
List-ID: <patchwork-forward.linaro.org>
X-Mailing-List: devicetree@vger.kernel.org
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: grant.likely@linaro.org
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com:
 domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.217.180 as permitted sender)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
X-Google-Group-Id: 836684582541
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Unsubscribe: <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>, 
 <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>

The selftest code removes its testcase data from the live tree when
exiting, but if the testcases data tree contains an empty child of the
root, then it causes an oops due to a NULL dereference. The reason is
that the code tries to directly dereference the child pointer without
checking first if a child is actually there.

The solution is to pass the parent node into detach_node_and_children()
instead of trying to pass the child. This required removing the code
that attempts to remove all of the sibling nodes in
detach_node_and_children(), which was never sensible in the first place.

At the same time add a check to make sure the bounds of the nodes list
are not exceeded by the testdata tree. If they are then abort.

Signed-off-by: Grant Likely <grant.likely@linaro.org>
Cc: Gaurav Minocha <gaurav.minocha.os@gmail.com>
---
 drivers/of/selftest.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/drivers/of/selftest.c b/drivers/of/selftest.c
index a737cb5974de..883e60b04eb5 100644
--- a/drivers/of/selftest.c
+++ b/drivers/of/selftest.c
@@ -637,6 +637,8 @@ static int attach_node_and_children(struct device_node *np)
 	dup = np;
 
 	while (dup) {
+		if (WARN_ON(last_node_index >= NO_OF_NODES))
+			return -EINVAL;
 		nodes[last_node_index++] = dup;
 		dup = dup->sibling;
 	}
@@ -717,10 +719,6 @@ static void detach_node_and_children(struct device_node *np)
 {
 	while (np->child)
 		detach_node_and_children(np->child);
-
-	while (np->sibling)
-		detach_node_and_children(np->sibling);
-
 	of_detach_node(np);
 }
 
@@ -749,8 +747,7 @@ static void selftest_data_remove(void)
 		if (nodes[last_node_index]) {
 			np = of_find_node_by_path(nodes[last_node_index]->full_name);
 			if (strcmp(np->full_name, "/aliases") != 0) {
-				detach_node_and_children(np->child);
-				of_detach_node(np);
+				detach_node_and_children(np);
 			} else {
 				for_each_property_of_node(np, prop) {
 					if (strcmp(prop->name, "testcase-alias") == 0)