| Message ID | 20180827082153.22537-1-johan@kernel.org |
|---|---|
| Headers | show |
| Series | of: fix compatible-child-node lookups | expand |
Hi Johan On Mon, 27 Aug 2018 10:21:49 +0200 Johan Hovold <johan@kernel.org> wrote: > Use the new of_get_compatible_child() helper to lookup the nfc child > node instead of using of_find_compatible_node(), which searches the > entire tree from a given start node and thus can return an unrelated > (i.e. non-child) node. > > This also addresses a potential use-after-free (e.g. after probe > deferral) as the tree-wide helper drops a reference to its first > argument (i.e. the node of the device being probed). > > While at it, also fix a related nfc-node reference leak. > > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") > Cc: stable <stable@vger.kernel.org> # 4.11 > Cc: Nicolas Ferre <nicolas.ferre@microchip.com> > Cc: Josh Wu <rainyfeeling@outlook.com> > Cc: Boris Brezillon <boris.brezillon@bootlin.com> > Signed-off-by: Johan Hovold <johan@kernel.org> Acked-by: Boris Brezillon <boris.brezillon@bootlin.com> I'll let Miquel queue this patch to the nand/next branch, unless you want it to be merged in 4.19, in which case I'll queue it to the mtd/fixes branch. Thanks, Boris > --- > drivers/mtd/nand/raw/atmel/nand-controller.c | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/drivers/mtd/nand/raw/atmel/nand-controller.c b/drivers/mtd/nand/raw/atmel/nand-controller.c > index a068b214ebaa..d3dfe63956ac 100644 > --- a/drivers/mtd/nand/raw/atmel/nand-controller.c > +++ b/drivers/mtd/nand/raw/atmel/nand-controller.c > @@ -2061,8 +2061,7 @@ atmel_hsmc_nand_controller_legacy_init(struct atmel_hsmc_nand_controller *nc) > int ret; > > nand_np = dev->of_node; > - nfc_np = of_find_compatible_node(dev->of_node, NULL, > - "atmel,sama5d3-nfc"); > + nfc_np = of_get_compatible_child(dev->of_node, "atmel,sama5d3-nfc"); > > nc->clk = of_clk_get(nfc_np, 0); > if (IS_ERR(nc->clk)) { > @@ -2472,15 +2471,19 @@ static int atmel_nand_controller_probe(struct platform_device *pdev) > } > > if (caps->legacy_of_bindings) { > + struct device_node *nfc_node; > u32 ale_offs = 21; > > /* > * If we are parsing legacy DT props and the DT contains a > * valid NFC node, forward the request to the sama5 logic. > */ > - if (of_find_compatible_node(pdev->dev.of_node, NULL, > - "atmel,sama5d3-nfc")) > + nfc_node = of_get_compatible_child(pdev->dev.of_node, > + "atmel,sama5d3-nfc"); > + if (nfc_node) { > caps = &atmel_sama5_nand_caps; > + of_node_put(nfc_node); > + } > > /* > * Even if the compatible says we are dealing with an
On Mon, Aug 27, 2018 at 10:28:20AM +0200, Boris Brezillon wrote: > Hi Johan > > On Mon, 27 Aug 2018 10:21:49 +0200 > Johan Hovold <johan@kernel.org> wrote: > > > Use the new of_get_compatible_child() helper to lookup the nfc child > > node instead of using of_find_compatible_node(), which searches the > > entire tree from a given start node and thus can return an unrelated > > (i.e. non-child) node. > > > > This also addresses a potential use-after-free (e.g. after probe > > deferral) as the tree-wide helper drops a reference to its first > > argument (i.e. the node of the device being probed). > > > > While at it, also fix a related nfc-node reference leak. > > > > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") > > Cc: stable <stable@vger.kernel.org> # 4.11 > > Cc: Nicolas Ferre <nicolas.ferre@microchip.com> > > Cc: Josh Wu <rainyfeeling@outlook.com> > > Cc: Boris Brezillon <boris.brezillon@bootlin.com> > > Signed-off-by: Johan Hovold <johan@kernel.org> > > Acked-by: Boris Brezillon <boris.brezillon@bootlin.com> Thanks for the ack. > I'll let Miquel queue this patch to the nand/next branch, unless you > want it to be merged in 4.19, in which case I'll queue it to the > mtd/fixes branch. Note that there's a dependency on the first patch of the series which adds the new helper. Rob can pick up the entire series if the various maintainers agree, otherwise I'll try to get at the least the helper into -rc2. I'd prefer getting the use-after-frees fixed in 4.19, but queuing for 4.20 should be fine too. Thanks, Johan
On Mon, 27 Aug 2018 10:44:14 +0200 Johan Hovold <johan@kernel.org> wrote: > On Mon, Aug 27, 2018 at 10:28:20AM +0200, Boris Brezillon wrote: > > Hi Johan > > > > On Mon, 27 Aug 2018 10:21:49 +0200 > > Johan Hovold <johan@kernel.org> wrote: > > > > > Use the new of_get_compatible_child() helper to lookup the nfc child > > > node instead of using of_find_compatible_node(), which searches the > > > entire tree from a given start node and thus can return an unrelated > > > (i.e. non-child) node. > > > > > > This also addresses a potential use-after-free (e.g. after probe > > > deferral) as the tree-wide helper drops a reference to its first > > > argument (i.e. the node of the device being probed). > > > > > > While at it, also fix a related nfc-node reference leak. > > > > > > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") > > > Cc: stable <stable@vger.kernel.org> # 4.11 > > > Cc: Nicolas Ferre <nicolas.ferre@microchip.com> > > > Cc: Josh Wu <rainyfeeling@outlook.com> > > > Cc: Boris Brezillon <boris.brezillon@bootlin.com> > > > Signed-off-by: Johan Hovold <johan@kernel.org> > > > > Acked-by: Boris Brezillon <boris.brezillon@bootlin.com> > > Thanks for the ack. > > > I'll let Miquel queue this patch to the nand/next branch, unless you > > want it to be merged in 4.19, in which case I'll queue it to the > > mtd/fixes branch. > > Note that there's a dependency on the first patch of the series which > adds the new helper. I was not Cc-ed on this patch :P. > Rob can pick up the entire series if the various > maintainers agree, otherwise I'll try to get at the least the helper > into -rc2. If everything goes in 4.19-rc2 through Rob's tree that's fine, but if it's queued for 4.20 we might need an immutable tag just in case we queue conflicting changes to the NAND tree. Thanks, Boris
On Mon, Aug 27, 2018 at 10:48:42AM +0200, Boris Brezillon wrote: > On Mon, 27 Aug 2018 10:44:14 +0200 > Johan Hovold <johan@kernel.org> wrote: > > > On Mon, Aug 27, 2018 at 10:28:20AM +0200, Boris Brezillon wrote: > > > Hi Johan > > > > > > On Mon, 27 Aug 2018 10:21:49 +0200 > > > Johan Hovold <johan@kernel.org> wrote: > > > > > > > Use the new of_get_compatible_child() helper to lookup the nfc child > > > > node instead of using of_find_compatible_node(), which searches the > > > > entire tree from a given start node and thus can return an unrelated > > > > (i.e. non-child) node. > > > > > > > > This also addresses a potential use-after-free (e.g. after probe > > > > deferral) as the tree-wide helper drops a reference to its first > > > > argument (i.e. the node of the device being probed). > > > > > > > > While at it, also fix a related nfc-node reference leak. > > > > > > > > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") > > > > Cc: stable <stable@vger.kernel.org> # 4.11 > > > > Cc: Nicolas Ferre <nicolas.ferre@microchip.com> > > > > Cc: Josh Wu <rainyfeeling@outlook.com> > > > > Cc: Boris Brezillon <boris.brezillon@bootlin.com> > > > > Signed-off-by: Johan Hovold <johan@kernel.org> > > > > > > Acked-by: Boris Brezillon <boris.brezillon@bootlin.com> > > > > Thanks for the ack. > > > > > I'll let Miquel queue this patch to the nand/next branch, unless you > > > want it to be merged in 4.19, in which case I'll queue it to the > > > mtd/fixes branch. > > > > Note that there's a dependency on the first patch of the series which > > adds the new helper. > > I was not Cc-ed on this patch :P. Yeah, sorry about that. I made sure everyone was CCed on the cover letter, but guess I could have reused that list for the helper as well. > > Rob can pick up the entire series if the various > > maintainers agree, otherwise I'll try to get at the least the helper > > into -rc2. > > If everything goes in 4.19-rc2 through Rob's tree that's fine, but if > it's queued for 4.20 we might need an immutable tag just in case we > queue conflicting changes to the NAND tree. Ok, thanks. Johan
On 27 August 2018 at 10:21, Johan Hovold <johan@kernel.org> wrote: > Use the new of_get_compatible_child() helper to lookup the slot child > node instead of using of_find_compatible_node(), which searches the > entire tree from a given start node and thus can return an unrelated > (i.e. non-child) node. > > This also addresses a potential use-after-free (e.g. after probe > deferral) as the tree-wide helper drops a reference to its first > argument (i.e. the node of the device being probed). > > While at it, also fix up the related slot-node reference leak. > > Fixes: ed80a13bb4c4 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoCs") > Cc: stable <stable@vger.kernel.org> # 4.15 > Cc: Carlo Caione <carlo@endlessm.com> > Cc: Martin Blumenstingl <martin.blumenstingl@googlemail.com> > Cc: Ulf Hansson <ulf.hansson@linaro.org> > Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> > Signed-off-by: Johan Hovold <johan@kernel.org> Acked-by: Ulf Hansson <ulf.hansson@linaro.org> Kind regards Uffe > --- > drivers/mmc/host/meson-mx-sdio.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/mmc/host/meson-mx-sdio.c b/drivers/mmc/host/meson-mx-sdio.c > index 09cb89645d06..2cfec33178c1 100644 > --- a/drivers/mmc/host/meson-mx-sdio.c > +++ b/drivers/mmc/host/meson-mx-sdio.c > @@ -517,19 +517,23 @@ static struct mmc_host_ops meson_mx_mmc_ops = { > static struct platform_device *meson_mx_mmc_slot_pdev(struct device *parent) > { > struct device_node *slot_node; > + struct platform_device *pdev; > > /* > * TODO: the MMC core framework currently does not support > * controllers with multiple slots properly. So we only register > * the first slot for now > */ > - slot_node = of_find_compatible_node(parent->of_node, NULL, "mmc-slot"); > + slot_node = of_get_compatible_child(parent->of_node, "mmc-slot"); > if (!slot_node) { > dev_warn(parent, "no 'mmc-slot' sub-node found\n"); > return ERR_PTR(-ENOENT); > } > > - return of_platform_device_create(slot_node, NULL, parent); > + pdev = of_platform_device_create(slot_node, NULL, parent); > + of_node_put(slot_node); > + > + return pdev; > } > > static int meson_mx_mmc_add_host(struct meson_mx_mmc_host *host) > -- > 2.18.0 >
On Mon, Aug 27, 2018 at 10:21:51AM +0200, Johan Hovold wrote: > Use the new of_get_compatible_child() helper to lookup the mdio-internal > child node instead of using of_find_compatible_node(), which searches > the entire tree from a given start node and thus can return an unrelated > (i.e. non-child) node. > > This also addresses a potential use-after-free (e.g. after probe > deferral) as the tree-wide helper drops a reference to its first > argument (i.e. the mdio-mux node). Fortunately, this was inadvertently > balanced by a failure to drop the mdio-mux reference after lookup. > > While at it, also fix the related mdio-internal- and phy-node reference > leaks. > > Fixes: 634db83b8265 ("net: stmmac: dwmac-sun8i: Handle integrated/external MDIOs") > Cc: Corentin Labbe <clabbe.montjoie@gmail.com> > Cc: Andrew Lunn <andrew@lunn.ch> > Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com> > Cc: Alexandre Torgue <alexandre.torgue@st.com> > Cc: Jose Abreu <joabreu@synopsys.com> > Cc: David S. Miller <davem@davemloft.net> > Signed-off-by: Johan Hovold <johan@kernel.org> You should have CCed sunxi maintainers Maxime Ripard <maxime.ripard@bootlin.com> (maintainer:ARM/Allwinner sunXi SoC support) Chen-Yu Tsai <wens@csie.org> (maintainer:ARM/Allwinner sunXi SoC support) Since I am just back from holidays, I will test this patch this week. Regards
On Tue, Aug 28, 2018 at 10:06:24AM +0200, Corentin Labbe wrote: > On Mon, Aug 27, 2018 at 10:21:51AM +0200, Johan Hovold wrote: > > Use the new of_get_compatible_child() helper to lookup the mdio-internal > > child node instead of using of_find_compatible_node(), which searches > > the entire tree from a given start node and thus can return an unrelated > > (i.e. non-child) node. > > > > This also addresses a potential use-after-free (e.g. after probe > > deferral) as the tree-wide helper drops a reference to its first > > argument (i.e. the mdio-mux node). Fortunately, this was inadvertently > > balanced by a failure to drop the mdio-mux reference after lookup. > > > > While at it, also fix the related mdio-internal- and phy-node reference > > leaks. > > > > Fixes: 634db83b8265 ("net: stmmac: dwmac-sun8i: Handle integrated/external MDIOs") > > Cc: Corentin Labbe <clabbe.montjoie@gmail.com> > > Cc: Andrew Lunn <andrew@lunn.ch> > > Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com> > > Cc: Alexandre Torgue <alexandre.torgue@st.com> > > Cc: Jose Abreu <joabreu@synopsys.com> > > Cc: David S. Miller <davem@davemloft.net> > > Signed-off-by: Johan Hovold <johan@kernel.org> > > You should have CCed sunxi maintainers > Maxime Ripard <maxime.ripard@bootlin.com> (maintainer:ARM/Allwinner sunXi SoC support) > Chen-Yu Tsai <wens@csie.org> (maintainer:ARM/Allwinner sunXi SoC support) Yeah, I cut down the CC list somewhat (I think because they didn't seem to be actively involved in the stmmac patch handling). Thanks for adding them back. > Since I am just back from holidays, I will test this patch this week. Thanks, that would be great. Johan
On 08/27/2018 01:21 AM, Johan Hovold wrote: > Use the new of_get_compatible_child() helper to lookup the mdio child > node instead of using of_find_compatible_node(), which searches the > entire tree from a given start node and thus can return an unrelated > (i.e. non-child) node. > > This also addresses a potential use-after-free (e.g. after probe > deferral) as the tree-wide helper drops a reference to its first > argument (i.e. the node of the device being probed). > > Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines") > Cc: stable <stable@vger.kernel.org> # 3.15 > Cc: Florian Fainelli <f.fainelli@gmail.com> > Cc: David S. Miller <davem@davemloft.net> > Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
On Mon, Aug 27, 2018 at 04:44:44PM +0200, Ulf Hansson wrote: > On 27 August 2018 at 10:21, Johan Hovold <johan@kernel.org> wrote: > > Use the new of_get_compatible_child() helper to lookup the slot child > > node instead of using of_find_compatible_node(), which searches the > > entire tree from a given start node and thus can return an unrelated > > (i.e. non-child) node. > > > > This also addresses a potential use-after-free (e.g. after probe > > deferral) as the tree-wide helper drops a reference to its first > > argument (i.e. the node of the device being probed). > > > > While at it, also fix up the related slot-node reference leak. > > > > Fixes: ed80a13bb4c4 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoCs") > > Cc: stable <stable@vger.kernel.org> # 4.15 > > Cc: Carlo Caione <carlo@endlessm.com> > > Cc: Martin Blumenstingl <martin.blumenstingl@googlemail.com> > > Cc: Ulf Hansson <ulf.hansson@linaro.org> > > Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> > > Signed-off-by: Johan Hovold <johan@kernel.org> > > Acked-by: Ulf Hansson <ulf.hansson@linaro.org> Thanks for the ack. Rob's gotten the helper into -rc2, so feel free to pick this one up directly to whichever mmc branch you prefer. I've been able to trigger crashes after probe deferrals due to the use-after-free, but this seems unlikely to be exploitable. Thanks, Johan
On Thu, Aug 30, 2018 at 05:47:33PM -0700, Florian Fainelli wrote: > On 08/27/2018 01:21 AM, Johan Hovold wrote: > > Use the new of_get_compatible_child() helper to lookup the mdio child > > node instead of using of_find_compatible_node(), which searches the > > entire tree from a given start node and thus can return an unrelated > > (i.e. non-child) node. > > > > This also addresses a potential use-after-free (e.g. after probe > > deferral) as the tree-wide helper drops a reference to its first > > argument (i.e. the node of the device being probed). > > > > Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines") > > Cc: stable <stable@vger.kernel.org> # 3.15 > > Cc: Florian Fainelli <f.fainelli@gmail.com> > > Cc: David S. Miller <davem@davemloft.net> > > Signed-off-by: Johan Hovold <johan@kernel.org> > > Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> Thanks for reviewing. Rob's gotten the helper into -rc2: 36156f9241cb of: add helper to lookup compatible child node so feel free to pick this one up directly to whichever net tree you prefer. I've been able to trigger crashes after probe deferrals due to the use-after-free, but this seems unlikely to be exploitable. Thanks, Johan
Hi all, On Mon, Aug 27, 2018 at 10:21:44AM +0200, Johan Hovold wrote: > Several drivers currently use of_find_compatible_node() to lookup child > nodes while failing to notice that the of_find_ functions search the > entire tree depth-first (from a given start node) and therefore can > match unrelated nodes. > > The fact that these functions also drop a reference to the node they > start searching from (e.g. the parent node) is typically also > overlooked, something which can lead to use-after-free bugs (e.g. after > probe deferrals). > > This series adds a new helper, similar to of_get_child_by_name(), > that can be used to lookup compatible child nodes, and uses the new > helper to fix child-node lookups throughout the tree. > > This is related to the fixes I posted about a year ago, which addressed > a similar anti-pattern when looking up child nodes by name. Since it > took me more than a year to get all those fixes into Linus' tree (one > fix is still pending), and as these fixes depend on the new helper, I'm > suggesting that these all go in through Rob's or Greg's trees. > > Alternatively, the helper could go into to -rc2, and I'll be pinging > submaintainers for the coming year as well. ;) Rob has gotten the helper into -rc2 now: 36156f9241cb of: add helper to lookup compatible child node so feel free to pick these fixes up directly for 4.19-rc or -next, whichever you prefer. I've been able to trigger crashes after probe deferrals due to the use-after-free, but this seems unlikely to be exploitable. I think Rob will be picking up any patches that remain by the end of the release cycle for 4.20. Thanks, Johan > Johan Hovold (9): > of: add helper to lookup compatible child node > drm/mediatek: fix OF sibling-node lookup > drm/msm: fix OF child-node lookup > mmc: meson-mx-sdio: fix OF child-node lookup > mtd: nand: atmel: fix OF child-node lookup > net: bcmgenet: fix OF child-node lookup > net: stmmac: dwmac-sun8i: fix OF child-node lookup > NFC: nfcmrvl_uart: fix OF child-node lookup > power: supply: twl4030-charger: fix OF sibling-node lookup > > drivers/gpu/drm/mediatek/mtk_hdmi.c | 5 ++-- > drivers/gpu/drm/msm/adreno/adreno_gpu.c | 5 ++-- > drivers/mmc/host/meson-mx-sdio.c | 8 ++++-- > drivers/mtd/nand/raw/atmel/nand-controller.c | 11 +++++--- > drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 +- > .../net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 12 +++++++-- > drivers/nfc/nfcmrvl/uart.c | 5 ++-- > drivers/of/base.c | 25 +++++++++++++++++++ > drivers/power/supply/twl4030_charger.c | 5 ++-- > include/linux/of.h | 8 ++++++ > 10 files changed, 68 insertions(+), 18 deletions(-)
On 4 September 2018 at 14:54, Johan Hovold <johan@kernel.org> wrote: > On Mon, Aug 27, 2018 at 04:44:44PM +0200, Ulf Hansson wrote: >> On 27 August 2018 at 10:21, Johan Hovold <johan@kernel.org> wrote: >> > Use the new of_get_compatible_child() helper to lookup the slot child >> > node instead of using of_find_compatible_node(), which searches the >> > entire tree from a given start node and thus can return an unrelated >> > (i.e. non-child) node. >> > >> > This also addresses a potential use-after-free (e.g. after probe >> > deferral) as the tree-wide helper drops a reference to its first >> > argument (i.e. the node of the device being probed). >> > >> > While at it, also fix up the related slot-node reference leak. >> > >> > Fixes: ed80a13bb4c4 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoCs") >> > Cc: stable <stable@vger.kernel.org> # 4.15 >> > Cc: Carlo Caione <carlo@endlessm.com> >> > Cc: Martin Blumenstingl <martin.blumenstingl@googlemail.com> >> > Cc: Ulf Hansson <ulf.hansson@linaro.org> >> > Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> >> > Signed-off-by: Johan Hovold <johan@kernel.org> >> >> Acked-by: Ulf Hansson <ulf.hansson@linaro.org> > > Thanks for the ack. Rob's gotten the helper into -rc2, so feel free to > pick this one up directly to whichever mmc branch you prefer. I've been > able to trigger crashes after probe deferrals due to the use-after-free, > but this seems unlikely to be exploitable. Applied for fixes, thanks! Kind regards Uffe
On Mon, Aug 27, 2018 at 10:21:51AM +0200, Johan Hovold wrote: > Use the new of_get_compatible_child() helper to lookup the mdio-internal > child node instead of using of_find_compatible_node(), which searches > the entire tree from a given start node and thus can return an unrelated > (i.e. non-child) node. > > This also addresses a potential use-after-free (e.g. after probe > deferral) as the tree-wide helper drops a reference to its first > argument (i.e. the mdio-mux node). Fortunately, this was inadvertently > balanced by a failure to drop the mdio-mux reference after lookup. > > While at it, also fix the related mdio-internal- and phy-node reference > leaks. > > Fixes: 634db83b8265 ("net: stmmac: dwmac-sun8i: Handle integrated/external MDIOs") > Cc: Corentin Labbe <clabbe.montjoie@gmail.com> > Cc: Andrew Lunn <andrew@lunn.ch> > Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com> > Cc: Alexandre Torgue <alexandre.torgue@st.com> > Cc: Jose Abreu <joabreu@synopsys.com> > Cc: David S. Miller <davem@davemloft.net> > Signed-off-by: Johan Hovold <johan@kernel.org> > --- > drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 12 ++++++++++-- > 1 file changed, 10 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c > index f9a61f90cfbc..0f660af01a4b 100644 > --- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c > +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c > @@ -714,8 +714,9 @@ static int get_ephy_nodes(struct stmmac_priv *priv) > return -ENODEV; > } > > - mdio_internal = of_find_compatible_node(mdio_mux, NULL, > + mdio_internal = of_get_compatible_child(mdio_mux, > "allwinner,sun8i-h3-mdio-internal"); > + of_node_put(mdio_mux); > if (!mdio_internal) { > dev_err(priv->device, "Cannot get internal_mdio node\n"); > return -ENODEV; > @@ -729,13 +730,20 @@ static int get_ephy_nodes(struct stmmac_priv *priv) > gmac->rst_ephy = of_reset_control_get_exclusive(iphynode, NULL); > if (IS_ERR(gmac->rst_ephy)) { > ret = PTR_ERR(gmac->rst_ephy); > - if (ret == -EPROBE_DEFER) > + if (ret == -EPROBE_DEFER) { > + of_node_put(iphynode); > + of_node_put(mdio_internal); > return ret; > + } > continue; > } > dev_info(priv->device, "Found internal PHY node\n"); > + of_node_put(iphynode); > + of_node_put(mdio_internal); > return 0; > } > + > + of_node_put(mdio_internal); > return -ENODEV; > } > > -- > 2.18.0 > Sorry for the delay Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com>
On Thu, Sep 06, 2018 at 10:03:37PM +0200, Corentin Labbe wrote: > On Mon, Aug 27, 2018 at 10:21:51AM +0200, Johan Hovold wrote: > > Use the new of_get_compatible_child() helper to lookup the mdio-internal > > child node instead of using of_find_compatible_node(), which searches > > the entire tree from a given start node and thus can return an unrelated > > (i.e. non-child) node. > > > > This also addresses a potential use-after-free (e.g. after probe > > deferral) as the tree-wide helper drops a reference to its first > > argument (i.e. the mdio-mux node). Fortunately, this was inadvertently > > balanced by a failure to drop the mdio-mux reference after lookup. > > > > While at it, also fix the related mdio-internal- and phy-node reference > > leaks. > > > > Fixes: 634db83b8265 ("net: stmmac: dwmac-sun8i: Handle integrated/external MDIOs") > > Cc: Corentin Labbe <clabbe.montjoie@gmail.com> > > Cc: Andrew Lunn <andrew@lunn.ch> > > Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com> > > Cc: Alexandre Torgue <alexandre.torgue@st.com> > > Cc: Jose Abreu <joabreu@synopsys.com> > > Cc: David S. Miller <davem@davemloft.net> > > Signed-off-by: Johan Hovold <johan@kernel.org> > Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com> Thanks for testing. Johan
Hi Rob, On Tue, Sep 04, 2018 at 03:05:57PM +0200, Johan Hovold wrote: > Hi all, > > On Mon, Aug 27, 2018 at 10:21:44AM +0200, Johan Hovold wrote: > > Several drivers currently use of_find_compatible_node() to lookup child > > nodes while failing to notice that the of_find_ functions search the > > entire tree depth-first (from a given start node) and therefore can > > match unrelated nodes. > > > > The fact that these functions also drop a reference to the node they > > start searching from (e.g. the parent node) is typically also > > overlooked, something which can lead to use-after-free bugs (e.g. after > > probe deferrals). > > > > This series adds a new helper, similar to of_get_child_by_name(), > > that can be used to lookup compatible child nodes, and uses the new > > helper to fix child-node lookups throughout the tree. > > > > This is related to the fixes I posted about a year ago, which addressed > > a similar anti-pattern when looking up child nodes by name. Since it > > took me more than a year to get all those fixes into Linus' tree (one > > fix is still pending), and as these fixes depend on the new helper, I'm > > suggesting that these all go in through Rob's or Greg's trees. > > > > Alternatively, the helper could go into to -rc2, and I'll be pinging > > submaintainers for the coming year as well. ;) > > Rob has gotten the helper into -rc2 now: > > 36156f9241cb of: add helper to lookup compatible child node > > so feel free to pick these fixes up directly for 4.19-rc or -next, > whichever you prefer. I've been able to trigger crashes after probe > deferrals due to the use-after-free, but this seems unlikely to be > exploitable. > > I think Rob will be picking up any patches that remain by the end of the > release cycle for 4.20. So far only Ulf has picked up the mmc patch below directly, so if you could take the rest through your tree for -rc1 that would be great. Thanks, Johan > > Johan Hovold (9): > > of: add helper to lookup compatible child node > > drm/mediatek: fix OF sibling-node lookup > > drm/msm: fix OF child-node lookup > > mmc: meson-mx-sdio: fix OF child-node lookup > > mtd: nand: atmel: fix OF child-node lookup > > net: bcmgenet: fix OF child-node lookup > > net: stmmac: dwmac-sun8i: fix OF child-node lookup > > NFC: nfcmrvl_uart: fix OF child-node lookup > > power: supply: twl4030-charger: fix OF sibling-node lookup > > > > drivers/gpu/drm/mediatek/mtk_hdmi.c | 5 ++-- > > drivers/gpu/drm/msm/adreno/adreno_gpu.c | 5 ++-- > > drivers/mmc/host/meson-mx-sdio.c | 8 ++++-- > > drivers/mtd/nand/raw/atmel/nand-controller.c | 11 +++++--- > > drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 +- > > .../net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 12 +++++++-- > > drivers/nfc/nfcmrvl/uart.c | 5 ++-- > > drivers/of/base.c | 25 +++++++++++++++++++ > > drivers/power/supply/twl4030_charger.c | 5 ++-- > > include/linux/of.h | 8 ++++++ > > 10 files changed, 68 insertions(+), 18 deletions(-)
On Mon, Aug 27, 2018 at 4:44 AM Johan Hovold <johan@kernel.org> wrote: > > On Mon, Aug 27, 2018 at 10:48:42AM +0200, Boris Brezillon wrote: > > On Mon, 27 Aug 2018 10:44:14 +0200 > > Johan Hovold <johan@kernel.org> wrote: > > > > > On Mon, Aug 27, 2018 at 10:28:20AM +0200, Boris Brezillon wrote: > > > > Hi Johan > > > > > > > > On Mon, 27 Aug 2018 10:21:49 +0200 > > > > Johan Hovold <johan@kernel.org> wrote: > > > > > > > > > Use the new of_get_compatible_child() helper to lookup the nfc child > > > > > node instead of using of_find_compatible_node(), which searches the > > > > > entire tree from a given start node and thus can return an unrelated > > > > > (i.e. non-child) node. > > > > > > > > > > This also addresses a potential use-after-free (e.g. after probe > > > > > deferral) as the tree-wide helper drops a reference to its first > > > > > argument (i.e. the node of the device being probed). > > > > > > > > > > While at it, also fix a related nfc-node reference leak. > > > > > > > > > > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") > > > > > Cc: stable <stable@vger.kernel.org> # 4.11 > > > > > Cc: Nicolas Ferre <nicolas.ferre@microchip.com> > > > > > Cc: Josh Wu <rainyfeeling@outlook.com> > > > > > Cc: Boris Brezillon <boris.brezillon@bootlin.com> > > > > > Signed-off-by: Johan Hovold <johan@kernel.org> > > > > > > > > Acked-by: Boris Brezillon <boris.brezillon@bootlin.com> > > > > > > Thanks for the ack. > > > > > > > I'll let Miquel queue this patch to the nand/next branch, unless you > > > > want it to be merged in 4.19, in which case I'll queue it to the > > > > mtd/fixes branch. > > > > > > Note that there's a dependency on the first patch of the series which > > > adds the new helper. > > > > I was not Cc-ed on this patch :P. > > Yeah, sorry about that. I made sure everyone was CCed on the > cover letter, but guess I could have reused that list for the helper as > well. > > > > Rob can pick up the entire series if the various > > > maintainers agree, otherwise I'll try to get at the least the helper > > > into -rc2. > > > > If everything goes in 4.19-rc2 through Rob's tree that's fine, but if > > it's queued for 4.20 we might need an immutable tag just in case we > > queue conflicting changes to the NAND tree. > > Ok, thanks. Hi Boris, can you pick this one up. It conflicts with "mtd: rawnand: atmel: Fix potential NULL pointer dereference" Rob
On Tue, Oct 23, 2018 at 4:21 AM Johan Hovold <johan@kernel.org> wrote: > > Hi Rob, > > On Tue, Sep 04, 2018 at 03:05:57PM +0200, Johan Hovold wrote: > > Hi all, > > > > On Mon, Aug 27, 2018 at 10:21:44AM +0200, Johan Hovold wrote: > > > Several drivers currently use of_find_compatible_node() to lookup child > > > nodes while failing to notice that the of_find_ functions search the > > > entire tree depth-first (from a given start node) and therefore can > > > match unrelated nodes. > > > > > > The fact that these functions also drop a reference to the node they > > > start searching from (e.g. the parent node) is typically also > > > overlooked, something which can lead to use-after-free bugs (e.g. after > > > probe deferrals). > > > > > > This series adds a new helper, similar to of_get_child_by_name(), > > > that can be used to lookup compatible child nodes, and uses the new > > > helper to fix child-node lookups throughout the tree. > > > > > > This is related to the fixes I posted about a year ago, which addressed > > > a similar anti-pattern when looking up child nodes by name. Since it > > > took me more than a year to get all those fixes into Linus' tree (one > > > fix is still pending), and as these fixes depend on the new helper, I'm > > > suggesting that these all go in through Rob's or Greg's trees. > > > > > > Alternatively, the helper could go into to -rc2, and I'll be pinging > > > submaintainers for the coming year as well. ;) > > > > Rob has gotten the helper into -rc2 now: > > > > 36156f9241cb of: add helper to lookup compatible child node > > > > so feel free to pick these fixes up directly for 4.19-rc or -next, > > whichever you prefer. I've been able to trigger crashes after probe > > deferrals due to the use-after-free, but this seems unlikely to be > > exploitable. > > > > I think Rob will be picking up any patches that remain by the end of the > > release cycle for 4.20. > > So far only Ulf has picked up the mmc patch below directly, so if you > could take the rest through your tree for -rc1 that would be great. Thanks for the reminder, though before the merge window opened would have been better. I've applied all but the mtd patch. Rob
On Tue, 23 Oct 2018 13:28:09 -0500 Rob Herring <robh+dt@kernel.org> wrote: > On Mon, Aug 27, 2018 at 4:44 AM Johan Hovold <johan@kernel.org> wrote: > > > > On Mon, Aug 27, 2018 at 10:48:42AM +0200, Boris Brezillon wrote: > > > On Mon, 27 Aug 2018 10:44:14 +0200 > > > Johan Hovold <johan@kernel.org> wrote: > > > > > > > On Mon, Aug 27, 2018 at 10:28:20AM +0200, Boris Brezillon wrote: > > > > > Hi Johan > > > > > > > > > > On Mon, 27 Aug 2018 10:21:49 +0200 > > > > > Johan Hovold <johan@kernel.org> wrote: > > > > > > > > > > > Use the new of_get_compatible_child() helper to lookup the nfc child > > > > > > node instead of using of_find_compatible_node(), which searches the > > > > > > entire tree from a given start node and thus can return an unrelated > > > > > > (i.e. non-child) node. > > > > > > > > > > > > This also addresses a potential use-after-free (e.g. after probe > > > > > > deferral) as the tree-wide helper drops a reference to its first > > > > > > argument (i.e. the node of the device being probed). > > > > > > > > > > > > While at it, also fix a related nfc-node reference leak. > > > > > > > > > > > > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") > > > > > > Cc: stable <stable@vger.kernel.org> # 4.11 > > > > > > Cc: Nicolas Ferre <nicolas.ferre@microchip.com> > > > > > > Cc: Josh Wu <rainyfeeling@outlook.com> > > > > > > Cc: Boris Brezillon <boris.brezillon@bootlin.com> > > > > > > Signed-off-by: Johan Hovold <johan@kernel.org> > > > > > > > > > > Acked-by: Boris Brezillon <boris.brezillon@bootlin.com> > > > > > > > > Thanks for the ack. > > > > > > > > > I'll let Miquel queue this patch to the nand/next branch, unless you > > > > > want it to be merged in 4.19, in which case I'll queue it to the > > > > > mtd/fixes branch. > > > > > > > > Note that there's a dependency on the first patch of the series which > > > > adds the new helper. > > > > > > I was not Cc-ed on this patch :P. > > > > Yeah, sorry about that. I made sure everyone was CCed on the > > cover letter, but guess I could have reused that list for the helper as > > well. > > > > > > Rob can pick up the entire series if the various > > > > maintainers agree, otherwise I'll try to get at the least the helper > > > > into -rc2. > > > > > > If everything goes in 4.19-rc2 through Rob's tree that's fine, but if > > > it's queued for 4.20 we might need an immutable tag just in case we > > > queue conflicting changes to the NAND tree. > > > > Ok, thanks. > > Hi Boris, can you pick this one up. It conflicts with "mtd: rawnand: > atmel: Fix potential NULL pointer dereference" Sure, I'll queue it for -rc2.
On Tue, Oct 23, 2018 at 01:32:56PM -0500, Rob Herring wrote: > On Tue, Oct 23, 2018 at 4:21 AM Johan Hovold <johan@kernel.org> wrote: > > > > Hi Rob, > > > > On Tue, Sep 04, 2018 at 03:05:57PM +0200, Johan Hovold wrote: > > > I think Rob will be picking up any patches that remain by the end of the > > > release cycle for 4.20. > > > > So far only Ulf has picked up the mmc patch below directly, so if you > > could take the rest through your tree for -rc1 that would be great. > > Thanks for the reminder, though before the merge window opened would > have been better. I've applied all but the mtd patch. Yeah, sorry about that, this slipped my mind. Thanks for picking them up. Johan
On Tue, Oct 23, 2018 at 08:51:17PM +0200, Boris Brezillon wrote: > On Tue, 23 Oct 2018 13:28:09 -0500 > Rob Herring <robh+dt@kernel.org> wrote: > > > On Mon, Aug 27, 2018 at 4:44 AM Johan Hovold <johan@kernel.org> wrote: > > > > > > On Mon, Aug 27, 2018 at 10:48:42AM +0200, Boris Brezillon wrote: > > > > On Mon, 27 Aug 2018 10:44:14 +0200 > > > > Johan Hovold <johan@kernel.org> wrote: > > > > > > > > > On Mon, Aug 27, 2018 at 10:28:20AM +0200, Boris Brezillon wrote: > > > > > > Hi Johan > > > > > > > > > > > > On Mon, 27 Aug 2018 10:21:49 +0200 > > > > > > Johan Hovold <johan@kernel.org> wrote: > > > > > > > > > > > > > Use the new of_get_compatible_child() helper to lookup the nfc child > > > > > > > node instead of using of_find_compatible_node(), which searches the > > > > > > > entire tree from a given start node and thus can return an unrelated > > > > > > > (i.e. non-child) node. > > > > > > > > > > > > > > This also addresses a potential use-after-free (e.g. after probe > > > > > > > deferral) as the tree-wide helper drops a reference to its first > > > > > > > argument (i.e. the node of the device being probed). > > > > > > > > > > > > > > While at it, also fix a related nfc-node reference leak. > > > > > > > > > > > > > > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") > > > > > > > Cc: stable <stable@vger.kernel.org> # 4.11 > > > > > > > Cc: Nicolas Ferre <nicolas.ferre@microchip.com> > > > > > > > Cc: Josh Wu <rainyfeeling@outlook.com> > > > > > > > Cc: Boris Brezillon <boris.brezillon@bootlin.com> > > > > > > > Signed-off-by: Johan Hovold <johan@kernel.org> > > > > > > > > > > > > Acked-by: Boris Brezillon <boris.brezillon@bootlin.com> > > > > > > > > > > Thanks for the ack. > > > > > > > > > > > I'll let Miquel queue this patch to the nand/next branch, unless you > > > > > > want it to be merged in 4.19, in which case I'll queue it to the > > > > > > mtd/fixes branch. > > > > > > > > > > Note that there's a dependency on the first patch of the series which > > > > > adds the new helper. > > > > > > > > I was not Cc-ed on this patch :P. > > > > > > Yeah, sorry about that. I made sure everyone was CCed on the > > > cover letter, but guess I could have reused that list for the helper as > > > well. > > > > > > > > Rob can pick up the entire series if the various > > > > > maintainers agree, otherwise I'll try to get at the least the helper > > > > > into -rc2. > > > > > > > > If everything goes in 4.19-rc2 through Rob's tree that's fine, but if > > > > it's queued for 4.20 we might need an immutable tag just in case we > > > > queue conflicting changes to the NAND tree. > > > > > > Ok, thanks. > > > > Hi Boris, can you pick this one up. It conflicts with "mtd: rawnand: > > atmel: Fix potential NULL pointer dereference" > > Sure, I'll queue it for -rc2. This one hasn't showed up in -next yet, so sending a reminder. Johan
On Thu, 15 Nov 2018 15:26:48 +0100 Johan Hovold <johan@kernel.org> wrote: > On Tue, Oct 23, 2018 at 08:51:17PM +0200, Boris Brezillon wrote: > > On Tue, 23 Oct 2018 13:28:09 -0500 > > Rob Herring <robh+dt@kernel.org> wrote: > > > > > On Mon, Aug 27, 2018 at 4:44 AM Johan Hovold <johan@kernel.org> wrote: > > > > > > > > On Mon, Aug 27, 2018 at 10:48:42AM +0200, Boris Brezillon wrote: > > > > > On Mon, 27 Aug 2018 10:44:14 +0200 > > > > > Johan Hovold <johan@kernel.org> wrote: > > > > > > > > > > > On Mon, Aug 27, 2018 at 10:28:20AM +0200, Boris Brezillon wrote: > > > > > > > Hi Johan > > > > > > > > > > > > > > On Mon, 27 Aug 2018 10:21:49 +0200 > > > > > > > Johan Hovold <johan@kernel.org> wrote: > > > > > > > > > > > > > > > Use the new of_get_compatible_child() helper to lookup the nfc child > > > > > > > > node instead of using of_find_compatible_node(), which searches the > > > > > > > > entire tree from a given start node and thus can return an unrelated > > > > > > > > (i.e. non-child) node. > > > > > > > > > > > > > > > > This also addresses a potential use-after-free (e.g. after probe > > > > > > > > deferral) as the tree-wide helper drops a reference to its first > > > > > > > > argument (i.e. the node of the device being probed). > > > > > > > > > > > > > > > > While at it, also fix a related nfc-node reference leak. > > > > > > > > > > > > > > > > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") > > > > > > > > Cc: stable <stable@vger.kernel.org> # 4.11 > > > > > > > > Cc: Nicolas Ferre <nicolas.ferre@microchip.com> > > > > > > > > Cc: Josh Wu <rainyfeeling@outlook.com> > > > > > > > > Cc: Boris Brezillon <boris.brezillon@bootlin.com> > > > > > > > > Signed-off-by: Johan Hovold <johan@kernel.org> > > > > > > > > > > > > > > Acked-by: Boris Brezillon <boris.brezillon@bootlin.com> > > > > > > > > > > > > Thanks for the ack. > > > > > > > > > > > > > I'll let Miquel queue this patch to the nand/next branch, unless you > > > > > > > want it to be merged in 4.19, in which case I'll queue it to the > > > > > > > mtd/fixes branch. > > > > > > > > > > > > Note that there's a dependency on the first patch of the series which > > > > > > adds the new helper. > > > > > > > > > > I was not Cc-ed on this patch :P. > > > > > > > > Yeah, sorry about that. I made sure everyone was CCed on the > > > > cover letter, but guess I could have reused that list for the helper as > > > > well. > > > > > > > > > > Rob can pick up the entire series if the various > > > > > > maintainers agree, otherwise I'll try to get at the least the helper > > > > > > into -rc2. > > > > > > > > > > If everything goes in 4.19-rc2 through Rob's tree that's fine, but if > > > > > it's queued for 4.20 we might need an immutable tag just in case we > > > > > queue conflicting changes to the NAND tree. > > > > > > > > Ok, thanks. > > > > > > Hi Boris, can you pick this one up. It conflicts with "mtd: rawnand: > > > atmel: Fix potential NULL pointer dereference" > > > > Sure, I'll queue it for -rc2. > > This one hasn't showed up in -next yet, so sending a reminder. Applied (thanks for the reminder, I had forgotten :-)). It should show up in -rc4. Thanks, Boris