From patchwork Thu Jan 4 08:14:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Miquel Raynal X-Patchwork-Id: 1882353 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=bombadil.20210309 header.b=sqUqc/TU; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=bootlin.com header.i=@bootlin.com header.a=rsa-sha256 header.s=gm1 header.b=LMISAYgX; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org; envelope-from=linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=patchwork.ozlabs.org) Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:3::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4T5KCD73tDz1ydb for ; Thu, 4 Jan 2024 19:15:20 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:Cc :To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=oVMyaDlhrFN86AKRr/8otog0DrHcqIHqo4SN5/hhY88=; b=sqUqc/TUEg3o0V KU6Gz1yQlEYNRA7eraRzR+C+cvgMEVlW5jOWrZGVIa3i1Yzuz+PXP8NoOexkly8PIKN38tPHlDGtx DaD7NPc1p6LHTNjGbGnbgDp0tA00bNKUp7mXsZ4uuCMNBEC3m5HzM2k165o3SZ8BJQcpEVRuMeuQM 7DmQDm/1Q+ZsroeFcdnh8BOBnKqEA+LBRbkh/MKTUQn7NPuCEg8DPvi8pNyaRgso4rrNASdP0VeAm DfHxzHdGV5pizf+yM+hxMOOJzOcAzkkHSM2xDdN+6ODscASx3SaFTNJSLu1EKkAYX0ljPY0WfbOSM rZIsbsiJc7uHQQsGUFFg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1rLIsP-00DAkp-1q; Thu, 04 Jan 2024 08:14:53 +0000 Received: from relay9-d.mail.gandi.net ([217.70.183.199]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1rLIsM-00DAiU-0B for linux-mtd@lists.infradead.org; Thu, 04 Jan 2024 08:14:51 +0000 Received: by mail.gandi.net (Postfix) with ESMTPSA id 7C032FF818; Thu, 4 Jan 2024 08:14:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=gm1; t=1704356087; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=F/Itr6Y/VIwCF+uZO027AZv42yQsW1Sdpj3r4D/Vu+M=; b=LMISAYgXVsK3KCT8te9O3kimiTINNXnCQdvi1FX16td9zwQ8hqQRrzEXEX5az2Lpfer1Te o0oc10KQP0AQvUq5EXPtjzhGepeT3/VTV5QGFuabKk1bHjTO0ijIHicZCd8imrjdUnkM/e 0WcWqS2zImChWytbe/HececJG15BbiPBsRQuBh6AdLI3TN5wFrFqrDc3BUJqaZF8oKlBxT VzV1VwIOl2qdPw2I8119DZmXo3m2zr4BlVwNxG9ciAoZV1TKO6r3mQPNt2tZp0IYDz4i1J cmnkTrsuGIrtNQ5cDjZbWEvr0L4Nb6AJgaN871eG8RAZrVjBpW7FT6Qc9gmnqA== From: Miquel Raynal To: Richard Weinberger , Vignesh Raghavendra , Tudor Ambarus , Pratyush Yadav , Michael Walle , Cc: Miquel Raynal , kernel test robot , Julia Lawall , Christian Marangi , =?utf-8?b?UmFmYcWCIE1pxYJlY2tp?= Subject: [PATCH v2] mtd: Fix possible refcounting issue when going through partition nodes Date: Thu, 4 Jan 2024 09:14:46 +0100 Message-Id: <20240104081446.126540-1-miquel.raynal@bootlin.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-GND-Sasl: miquel.raynal@bootlin.com X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240104_001450_227612_0CC7179B X-CRM114-Status: GOOD ( 11.78 ) X-Spam-Score: -0.9 (/) X-Spam-Report: Spam detection software, running on the system "bombadil.infradead.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Under normal conditions, the loop goes over all child partitions, and 'breaks' when the relevant partition is found. In this case we get a reference to the partition node without ever releasing it. In [...] Content analysis details: (-0.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [217.70.183.199 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.0 RCVD_IN_MSPIKE_H5 RBL: Excellent reputation (+5) [217.70.183.199 listed in wl.mailspike.net] 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders X-BeenThere: linux-mtd@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-mtd" Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org Under normal conditions, the loop goes over all child partitions, and 'breaks' when the relevant partition is found. In this case we get a reference to the partition node without ever releasing it. Indeed, right after the mtd_check_of_node() function returns, we call of_node_get() again over this very same node. It is probably safer to keep the counters even in this helper and call of_node_put() before break-ing. Reported-by: kernel test robot Reported-by: Julia Lawall Closes: https://lore.kernel.org/r/202312250546.ISzglvM2-lkp@intel.com/ Cc: Christian Marangi Cc: Rafał Miłecki Signed-off-by: Miquel Raynal --- This is compile-tested only. v2: Don't move the of_node_put(partitions) but add an of_node_put(mtd_dn) instead, which looks more legitimate in this case. Indeed, the 'partitions' node is acquired before the loop and released after, which seems safe. However when we break the loop we apparently leak a reference over mtd_dn instead. --- drivers/mtd/mtdcore.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c index bb0759ca12f1..ff6d03f57924 100644 --- a/drivers/mtd/mtdcore.c +++ b/drivers/mtd/mtdcore.c @@ -620,6 +620,7 @@ static void mtd_check_of_node(struct mtd_info *mtd) if (plen == mtd_name_len && !strncmp(mtd->name, pname + offset, plen)) { mtd_set_of_node(mtd, mtd_dn); + of_node_put(mtd_dn); break; } }