On Thu, 13 May 2021 13:09:24 +0800 Yang Yingliang <yangyingliang@xxxxxxxxxx> wrote: > Add the missing iounmap() before return from vfio_platform_amdxgbe_reset() > in the error handling case. > > Fixes: 0990822c9866 ("VFIO: platform: reset: AMD xgbe reset module") > Reported-by: Hulk Robot <hulkci@xxxxxxxxxx> > Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx> > --- > drivers/vfio/platform/reset/vfio_platform_amdxgbe.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/vfio/platform/reset/vfio_platform_amdxgbe.c b/drivers/vfio/platform/reset/vfio_platform_amdxgbe.c > index abdca900802d..c6d823a27bd6 100644 > --- a/drivers/vfio/platform/reset/vfio_platform_amdxgbe.c > +++ b/drivers/vfio/platform/reset/vfio_platform_amdxgbe.c > @@ -61,8 +61,10 @@ static int vfio_platform_amdxgbe_reset(struct vfio_platform_device *vdev) > if (!xpcs_regs->ioaddr) { > xpcs_regs->ioaddr = > ioremap(xpcs_regs->addr, xpcs_regs->size); > - if (!xpcs_regs->ioaddr) > + if (!xpcs_regs->ioaddr) { > + iounmap(xgmac_regs->ioaddr); > return -ENOMEM; > + } > } > > /* reset the PHY through MDIO*/ This actually introduces multiple bugs. vfio-platform has common code for calling iounmap when the device is released and the struct vfio_platform_region ioaddr member is re-used throughout the code. Performing an iounmap() without setting the value to NULL essentially introduces use-after-free and double free bugs. There's no bug in the original afaict, the iounmap occurs lazily on release. Thanks, Alex
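Review bot: in the new error branch, `iounmap(xgmac_regs->ioaddr);` leaves `xgmac_regs->ioaddr` holding the stale address, and the `if (!xpcs_regs->ioaddr)` guard in the same hunk shows that a non-NULL ioaddr is treated as "already mapped". Any later reader of that field, including the release-time iounmap the reply describes, would then touch or unmap a mapping that is already gone. The branch also unmaps unconditionally, so it can tear down a mapping this call did not create. Either drop the added iounmap and rely on the release path, or at minimum follow it with `xgmac_regs->ioaddr = NULL;` and only unmap what this invocation mapped.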