Message-ID: <1423168988.5723.38.camel@gmail.com>
Date:	Thu, 05 Feb 2015 21:43:08 +0100
From:	Alban Browaeys <alban.browaeys@...il.com>
To:	Stephen Boyd <sboyd@...eaurora.org>
Cc:	Tomeu Vizoso <tomeu.vizoso@...labora.com>,
	Mike Turquette <mturquette@...aro.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] clk: Fix __clk_get access to already freed owner
 field.

On Thursday 05 February 2015 at 11:30 -0800, Stephen Boyd wrote:

> > Signed-off-by: Alban Browaeys <prahal@...oo.com>
> > ---
> >  drivers/clk/clk.c | 17 +++++++++--------
> >  1 file changed, 9 insertions(+), 8 deletions(-)
> >
> > diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
> > index df94668..8f33722 100644
> > --- a/drivers/clk/clk.c
> > +++ b/drivers/clk/clk.c
> > @@ -2485,15 +2485,18 @@ EXPORT_SYMBOL_GPL(clk_register);
> >   */
> >  static void __clk_release(struct kref *ref)
> >  {
> > -	struct clk_core *clk = container_of(ref, struct clk_core, ref);
> > -	int i = clk->num_parents;
> > +	struct clk_core *core = container_of(ref, struct clk_core, ref);
> > +	struct clk *clk = container_of(&core, struct clk, core);
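Review bot: The added line struct clk *clk = container_of(&core, struct clk, core); passes &core, which is the address of the local pointer variable declared on the line just above it, so the result is an address computed from this function's stack frame and not the struct clk that references the core. container_of() can only recover an outer object from a pointer to a member that is embedded in it, and nothing in the visible lines of __clk_release() provides such a pointer into a struct clk. The rest of the quoted hunk only renames clk to core and does not use the new clk variable; if the release path needs the owner, it has to reach it through something stored in or reachable from clk_core, and the rename is better split into its own patch so the functional change stands out.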
> 
> How does this work? struct clk_core doesn't have a struct clk inside it.
> 

Seems I am confused. The aim is to get the clk struct from its core
field. If I cannot do that from within __clk_release, this fix is
doomed.

> > +	int i = core->num_parents;
> >  
> > -	kfree(clk->parents);
> > +	kfree(core->parents);
> >  	while (--i >= 0)
> > -		kfree_const(clk->parent_names[i]);
> > +		kfree_const(core->parent_names[i]);
> 
> We don't have kfree_const() in the clk-next tree so please resend based
> on clk-next, not linux-next.
> 

I will do so after we have confirmed there is a way to get to clk from
clk_core. Otherwise the fix makes no sense.

> I'm still confused. Care to send the actual backtrace and describe which
> hardware you're running on (perhaps some dts file to look at)?
> 

This is the initial oops before any change (based on linux-next
20150204). 

[    7.264186] Unable to handle kernel paging request at virtual address 6b6b6b77
[    7.270206] pgd = eb0b4000
[    7.272809] [6b6b6b77] *pgd=00000000
[    7.276466] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[    7.281667] Modules linked in: exynosdrm(+) drm_kms_helper phy_exynos_usb2 fuse
[    7.288950] CPU: 1 PID: 98 Comm: systemd-modules Not tainted 3.19.0-rc7-next-20150204-00052-g1059e6a #91
[    7.298424] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
[    7.304488] task: ebae3c00 ti: eb0bc000 task.ti: eb0bc000
[    7.309888] PC is at __clk_get+0x30/0xa0
[    7.313781] LR is at of_clk_get_by_clkspec+0x38/0x54
[    7.318722] pc : [<c0556098>]    lr : [<c055231c>]    psr: 200d0053
[    7.318722] sp : eb0bdbb0  ip : eb0bdbc8  fp : eb0bdbc4
[    7.330187] r10: 00000006  r9 : 00000001  r8 : 00000000
[    7.335398] r7 : eb0bdbf8  r6 : 00000000  r5 : ee5c7d80  r4 : 6b6b6b6b
[    7.341913] r3 : 00000001  r2 : 00000011  r1 : ee0b7004  r0 : ee0ff600
[    7.341923] Flags: nzCv  IRQs on  FIQs off  Mode SVC_32  ISA ARM  Segment user
[    7.341927] Control: 10c5387d  Table: 6b0b404a  DAC: 00000015
[    7.341931] Process systemd-modules (pid: 98, stack limit = 0xeb0bc218)
[    7.341934] Stack: (0xeb0bdbb0 to 0xeb0be000)
[    7.342150] [<c0556098>] (__clk_get) from [<c055231c>] (of_clk_get_by_clkspec+0x38/0x54)
[    7.342162] [<c055231c>] (of_clk_get_by_clkspec) from [<c0558528>] (of_clk_set_defaults+0xc0/0x2ec)
[    7.342171] [<c0558528>] (of_clk_set_defaults) from [<c044213c>] (platform_drv_probe+0x28/0xb0)
[    7.342185] [<c044213c>] (platform_drv_probe) from [<c043ff34>] (driver_probe_device+0x178/0x384)
[    7.342193] [<c043ff34>] (driver_probe_device) from [<c044020c>] (__driver_attach+0x78/0x9c)
[    7.342201] [<c044020c>] (__driver_attach) from [<c043ded8>] (bus_for_each_dev+0x5c/0xb4)
[    7.342208] [<c043ded8>] (bus_for_each_dev) from [<c043fa14>] (driver_attach+0x2c/0x30)
[    7.342215] [<c043fa14>] (driver_attach) from [<c043f460>] (bus_add_driver+0xfc/0x228)
[    7.342222] [<c043f460>] (bus_add_driver) from [<c0440bfc>] (driver_register+0xb8/0xf8)
[    7.342231] [<c0440bfc>] (driver_register) from [<c0442094>] (__platform_driver_register+0x64/0x6c)
[    7.342326] [<c0442094>] (__platform_driver_register) from [<bf04ca08>] (exynos_drm_init+0xb8/0x1d0 [exynosdrm])
[    7.342363] [<bf04ca08>] (exynos_drm_init [exynosdrm]) from [<c0008b28>] (do_one_initcall+0x148/0x224)
[    7.342376] [<c0008b28>] (do_one_initcall) from [<c06ed1ac>] (do_init_module+0x70/0x1bc)
[    7.342390] [<c06ed1ac>] (do_init_module) from [<c00af61c>] (load_module+0x1bdc/0x21f0)
[    7.342399] [<c00af61c>] (load_module) from [<c00afdec>] (SyS_finit_module+0xa4/0xb4)
[    7.342409] [<c00afdec>] (SyS_finit_module) from [<c000f9c0>] (ret_fast_syscall+0x0/0x34)
[    7.342415] Code: e89da818 e5904000 e3540000 0afffffa (e594000c) 
[    7.342464] ---[ end trace d90d42eb4fbac408 ]---



The dts with the offending fimc nodes is arch/arm/boot/dts/exynos4412-odroid-common.dtsi in Linus' master and linux-next.



Another version of the oops, with pr_warn added before the calls to of_clk_get_by_clkspec:
- __set_clk_parents: Assigned clk parents clk: try to get parent clock
  this is printed before the assigned-clock-parents is sent to of_clk_get_by_clkspec in __set_clk_parents
- __set_clk_parents: Assigned clocks clk: try to get parent clock
  this is printed before the assigned-clocks is sent to of_clk_get_by_clkspec in __set_clk_parents
- __set_clk_rates Assigned clocks clk: couldn't clock
  this is printed before the assigned-clocks is sent to of_clk_get_by_clkspec in __set_clk_rates



[    7.212207] s5p-g2d 10800000.g2d: The exynos g2d(ver 4.1) successfully probed
[    7.215130] __set_clk_parents: Assigned clk parents clk: try to get parent clock 0 for /camera/fimc@...00000
[    7.224297] __set_clk_parents: Assigned clocks clk: try to get parent clock 0 for /camera/fimc@...00000
[    7.233505] __set_clk_rates Assigned clocks clk: couldn't get clock 1 for /camera/fimc@...00000
[    7.241902] cam-power-domain: Power-on latency exceeded, new value 369958 ns
[    7.249084] __set_clk_parents: Assigned clk parents clk: try to get parent clock 0 for /camera/fimc@...10000
[    7.258246] Unable to handle kernel paging request at virtual address 6b6b6b77
[    7.265425] pgd = eb114000
[    7.268067] [6b6b6b77] *pgd=00000000
[    7.271625] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[    7.276922] Modules linked in: exynosdrm(+) drm_kms_helper phy_exynos_usb2 fuse
[    7.284209] CPU: 1 PID: 100 Comm: systemd-modules Not tainted 3.19.0-rc7-next-20150204-00056-g37e6c6e-dirty #106
[    7.294382] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
[    7.300447] task: ebad4b00 ti: eb094000 task.ti: eb094000
[    7.300462] PC is at __clk_get+0x30/0xa0
[    7.300467] LR is at of_clk_get_by_clkspec+0x38/0x54
[    7.300471] pc : [<c0556088>]    lr : [<c055230c>]    psr: 200e0053
[    7.300471] sp : eb095bb0  ip : eb095bc8  fp : eb095bc4
[    7.300474] r10: 00000007  r9 : bf06c0a8  r8 : 00000000
[    7.300477] r7 : 00000001  r6 : 00000000  r5 : ed850850  r4 : 6b6b6b6b
[    7.300480] r3 : 00000000  r2 : 00000011  r1 : ee0b7004  r0 : ee0ff600
[    7.300484] Flags: nzCv  IRQs on  FIQs off  Mode SVC_32  ISA ARM  Segment user
[    7.300487] Control: 10c5387d  Table: 6b11404a  DAC: 00000015
[    7.300491] Process systemd-modules (pid: 100, stack limit = 0xeb094218)
[    7.300494] Stack: (0xeb095bb0 to 0xeb096000)
[    7.300706] [<c0556088>] (__clk_get) from [<c055230c>] (of_clk_get_by_clkspec+0x38/0x54)
[    7.300717] [<c055230c>] (of_clk_get_by_clkspec) from [<c055852c>] (of_clk_set_defaults+0xd4/0x324)
[    7.300726] [<c055852c>] (of_clk_set_defaults) from [<c044212c>] (platform_drv_probe+0x28/0xb0)
[    7.300739] [<c044212c>] (platform_drv_probe) from [<c043ff24>] (driver_probe_device+0x178/0x384)
[    7.300747] [<c043ff24>] (driver_probe_device) from [<c04401fc>] (__driver_attach+0x78/0x9c)
[    7.300755] [<c04401fc>] (__driver_attach) from [<c043dec8>] (bus_for_each_dev+0x5c/0xb4)
[    7.300762] [<c043dec8>] (bus_for_each_dev) from [<c043fa04>] (driver_attach+0x2c/0x30)
[    7.300769] [<c043fa04>] (driver_attach) from [<c043f450>] (bus_add_driver+0xfc/0x228)
[    7.300776] [<c043f450>] (bus_add_driver) from [<c0440bec>] (driver_register+0xb8/0xf8)
[    7.300785] [<c0440bec>] (driver_register) from [<c0442084>] (__platform_driver_register+0x64/0x6c)
[    7.300872] [<c0442084>] (__platform_driver_register) from [<bf04ca08>] (exynos_drm_init+0xb8/0x1d0 [exynosdrm])
[    7.300905] [<bf04ca08>] (exynos_drm_init [exynosdrm]) from [<c0008b28>] (do_one_initcall+0x148/0x224)
[    7.300918] [<c0008b28>] (do_one_initcall) from [<c06ed1d4>] (do_init_module+0x70/0x1bc)
[    7.300931] [<c06ed1d4>] (do_init_module) from [<c00af61c>] (load_module+0x1bdc/0x21f0)
[    7.300939] [<c00af61c>] (load_module) from [<c00afdec>] (SyS_finit_module+0xa4/0xb4)
[    7.300950] [<c00afdec>] (SyS_finit_module) from [<c000f9c0>] (ret_fast_syscall+0x0/0x34)
[    7.300956] Code: e89da818 e5904000 e3540000 0afffffa (e594000


Best regards,
Alban
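
The container_of() question discussed in the message above, as an added example that is not part of the original post or of the kernel source. It assumes simplified stand-in layouts for struct kref, struct clk_core and struct clk, and shows that the macro recovers an outer object only from an embedded member, while the address of a local pointer yields a stack address.

```c
#include <stddef.h>
#include <stdio.h>

/* Same pointer arithmetic as the kernel macro, without its type check. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Simplified stand-ins: assumed layouts, not the kernel's definitions. */
struct kref { int refcount; };
struct clk_core {
	const char *name;
	struct kref ref;        /* embedded member: the lookup can be undone */
};
struct clk {
	struct clk_core *core;  /* pointer member: no way back by arithmetic */
	const char *dev_id;
};

/* Constructed sample objects. */
static struct clk_core sample_core = { "fimc", { 1 } };
static struct clk sample_clk = { &sample_core, "constructed-dev" };

/* Valid: ref lives inside a clk_core, so subtracting its offset works. */
static struct clk_core *core_from_ref(struct kref *ref)
{
	return container_of(ref, struct clk_core, ref);
}

/*
 * Pattern from the quoted hunk. &core is the address of this function's
 * local variable, so the result points into the stack frame, not at the
 * clk that owns the core. It is only compared here, never dereferenced.
 */
static int broken_lookup_matches(struct kref *ref, const struct clk *real)
{
	struct clk_core *core = container_of(ref, struct clk_core, ref);
	struct clk *clk = container_of(&core, struct clk, core);

	return clk == real;
}

int main(void)
{
	printf("core recovered from ref: %d\n",
	       core_from_ref(&sample_core.ref) == &sample_core);
	printf("clk recovered from core: %d\n",
	       broken_lookup_matches(&sample_core.ref, &sample_clk));
	return 0;
}
```

With these stand-in layouts a member type check would not reject the second call, because &core has the same type as a pointer to the core member of struct clk.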
