summaryrefslogtreecommitdiff
path: root/arch
diff options
context:
space:
mode:
authorChristophe Jaillet <christophe.jaillet@wanadoo.fr>2015-10-17 00:38:45 +0300
committerMichael Ellerman <mpe@ellerman.id.au>2015-10-21 07:31:25 +0300
commit1856f50c66dff0afb4a6a3e22497ae153aec9411 (patch)
tree3fbe657a84011f1ae98bf9f8dda8a61162ff7ffb /arch
parentbed08b7e1fa41eac214acb17b7aa20a0e5c4b4e6 (diff)
downloadlinux-1856f50c66dff0afb4a6a3e22497ae153aec9411.tar.xz
powerpc/prom: Avoid reference to potentially freed memory
of_get_property() is used inside the loop, but then the reference to the node is dropped before dereferencing the prop pointer, which could by then point to junk if the node has been freed. Instead use of_property_read_u32() to actually read the property value before dropping the reference. of_property_read_u32() requires at least one cell (u32) to be present, which is stricter than the old logic which would happily dereference a property of any size. However we believe all device trees in the wild have at least one cell. Skiboot may produce memory nodes with more than one cell, but that is OK, of_property_read_u32() will return the first one. Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> [mpe: Expand change log with device tree details] Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Diffstat (limited to 'arch')
-rw-r--r--arch/powerpc/kernel/prom.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c
index bef76c5033e4..0b0a4166d69d 100644
--- a/arch/powerpc/kernel/prom.c
+++ b/arch/powerpc/kernel/prom.c
@@ -783,14 +783,17 @@ void __init early_get_first_memblock_info(void *params, phys_addr_t *size)
int of_get_ibm_chip_id(struct device_node *np)
{
of_node_get(np);
- while(np) {
+ while (np) {
struct device_node *old = np;
- const __be32 *prop;
+ u32 chip_id;
- prop = of_get_property(np, "ibm,chip-id", NULL);
- if (prop) {
+ /*
+ * Skiboot may produce memory nodes that contain more than one
+ * cell in chip-id, we only read the first one here.
+ */
+ if (!of_property_read_u32(np, "ibm,chip-id", &chip_id)) {
of_node_put(np);
- return be32_to_cpup(prop);
+ return chip_id;
}
np = of_get_parent(np);
of_node_put(old);