lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <5D801691-4A1F-47E0-86D9-33AFC5BAB73A@goldelico.com>
Date:   Tue, 25 Oct 2016 16:32:36 +0200
From:   "H. Nikolaus Schaller" <hns@...delico.com>
To:     Laurent Pinchart <laurent.pinchart@...asonboard.com>
Cc:     Mauro Carvalho Chehab <mchehab@...nel.org>,
        linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
        Javier Martinez Canillas <javier@....samsung.com>,
        arnd@...db.de, hans.verkuil@...co.com, tony@...mide.com,
        letux-kernel@...nphoenux.org
Subject: Re: [PATCH] [media] omap3isp: don't call of_node_put

Hi,
has it been merged somewhere? I can't find it in linux-next yet.
BR and thanks,
Nikolaus

> Am 30.09.2016 um 10:52 schrieb Laurent Pinchart <laurent.pinchart@...asonboard.com>:
> 
> Hello Nikolaus,
> 
> On Friday 30 Sep 2016 10:28:40 H. Nikolaus Schaller wrote:
>>> Am 29.09.2016 um 10:54 schrieb Laurent Pinchart:
>>> On Thursday 08 Sep 2016 17:48:33 H. Nikolaus Schaller wrote:
>>>> of_node_put() has already been called inside
>>>> of_graph_get_next_endpoint().
>>>> 
>>>> Otherwise we may get warnings like
>>>> 
>>>> [   10.118286] omap3isp 480bc000.isp: parsing endpoint
>>>> /ocp/isp@...bc000/ports/port@...ndpoint, interface 0 [   10.118499]
>>>> ERROR:
>>>> Bad of_node_put() on /ocp/isp@...bc000/ports/port@...ndpoint [  
>>>> 10.118499]
>>>> CPU: 0 PID: 968 Comm: udevd Not tainted 4.7.0-rc4-letux+ #376 [
>>>> 10.118530] Hardware name: Generic OMAP36xx (Flattened Device Tree) [
>>>> 10.118560] [<c010f0e0>] (unwind_backtrace) from [<c010b6d8>]
>>>> (show_stack+0x10/0x14) [   10.118591] [<c010b6d8>] (show_stack) from
>>>> [<c03ecc50>] (dump_stack+0x98/0xd0) [   10.118591] [<c03ecc50>]
>>>> (dump_stack) from [<c03eecac>] (kobject_release+0x60/0x74) [   10.118621]
>>>> [<c03eecac>] (kobject_release) from [<c05ab128>]
>>>> (__of_get_next_child+0x40/0x48) [   10.118652] [<c05ab128>]
>>>> (__of_get_next_child) from [<c05ab158>] (of_get_next_child+0x28/0x44) [
>>>> 10.118652] [<c05ab158>] (of_get_next_child) from [<c05ab350>]
>>>> (of_graph_get_next_endpoint+0xe4/0x124) [   10.118804] [<c05ab350>]
>>>> (of_graph_get_next_endpoint) from [<bf1c88a4>] (isp_probe+0xdc/0xd80
>>>> [omap3_isp]) [   10.118896] [<bf1c88a4>] (isp_probe [omap3_isp]) from
>>>> [<c0482008>] (platform_drv_probe+0x50/0xa0) [   10.118927] [<c0482008>]
>>>> (platform_drv_probe) from [<c04800e8>] (driver_probe_device+0x134/0x29c)
>>>> [
>>>> 10.118957] [<c04800e8>] (driver_probe_device) from [<c04802d8>]
>>>> (__driver_attach+0x88/0xac) [   10.118957] [<c04802d8>] (__driver_attach)
>>>> from [<c047e7b8>] (bus_for_each_dev+0x6c/0x90) [   10.118957]
>>>> [<c047e7b8>]
>>>> (bus_for_each_dev) from [<c047f798>] (bus_add_driver+0xcc/0x1e8) [
>>>> 10.118988] [<c047f798>] (bus_add_driver) from [<c0481228>]
>>>> (driver_register+0xac/0xf4) [   10.118988] [<c0481228>] (driver_register)
>>>> from [<c010192c>] (do_one_initcall+0xac/0x154) [   10.119018]
>>>> [<c010192c>]
>>>> (do_one_initcall) from [<c02015bc>] (do_init_module+0x58/0x39c) [
>>>> 10.119049] [<c02015bc>] (do_init_module) from [<c01bd314>]
>>>> (load_module+0xe5c/0x1004) [   10.119049] [<c01bd314>] (load_module) from
>>>> [<c01bd68c>] (SyS_finit_module+0x88/0x90) [   10.119079] [<c01bd68c>]
>>>> (SyS_finit_module) from [<c0107040>] (ret_fast_syscall+0x0/0x1c)
>>>> 
>>>> Signed-off-by: H. Nikolaus Schaller <hns@...delico.com>
>>>> ---
>>>> drivers/media/platform/omap3isp/isp.c | 3 +--
>>>> 1 file changed, 1 insertion(+), 2 deletions(-)
>>>> 
>>>> diff --git a/drivers/media/platform/omap3isp/isp.c
>>>> b/drivers/media/platform/omap3isp/isp.c index 5d54e2c..6e2624e 100644
>>>> --- a/drivers/media/platform/omap3isp/isp.c
>>>> +++ b/drivers/media/platform/omap3isp/isp.c
>>>> @@ -2114,7 +2114,6 @@ static int isp_of_parse_nodes(struct device *dev,
>>>> 
>>>> 		isd = devm_kzalloc(dev, sizeof(*isd), GFP_KERNEL);
>>>> 		if (!isd) {
>>>> -			of_node_put(node);
>>> 
>>> I don't think this one is correct. Looking at the context
>>> 
>>>       while (notifier->num_subdevs < ISP_MAX_SUBDEVS &&
>>>              (node = of_graph_get_next_endpoint(dev->of_node, node))) {
>>>               struct isp_async_subdev *isd;
>>> 
>>>               isd = devm_kzalloc(dev, sizeof(*isd), GFP_KERNEL);
>>>               if (!isd) {
>>>                       of_node_put(node);
>>>                       return -ENOMEM;
>>>               }
>>> 
>>>               notifier->subdevs[notifier->num_subdevs] = &isd->asd;
>>> 
>>>               if (isp_of_parse_node(dev, node, isd)) {
>>>                       of_node_put(node);
>>>                       return -EINVAL;
>>>               }
>>> 		
>>> 		isd->asd.match.of.node =
>>> 			of_graph_get_remote_port_parent(node);
>>>               of_node_put(node);
>>> 
>>>               if (!isd->asd.match.of.node) {
>>>                       dev_warn(dev, "bad remote port parent\n");
>>>                       return -EINVAL;
>>>               }
>>> 
>>>               isd->asd.match_type = V4L2_ASYNC_MATCH_OF;
>>>               notifier->num_subdevs++;
>>>       }
>>> 
>>> of_graph_get_next_endpoint() increases the reference count of the node it
>>> returns, which needs a corresponding of_node_put() in the error paths. It
>>> thus look like to me that the function isn't correct in that the
>>> devm_kzalloc() and !isd->asd.match.of.node error paths.
>> 
>> Ah ok, the of_node_put() is not always wrong.
>> 
>>>> 			return -ENOMEM;
>>>> 		}
>>>> 
>>>> @@ -2126,7 +2125,7 @@ static int isp_of_parse_nodes(struct device *dev,
>>>> 		}
>>>> 		
>>>> 		isd->asd.match.of.node =
>>>> of_graph_get_remote_port_parent(node);
>>>> -		of_node_put(node);
>>>> +
>>> 
>>> This change is correct not because of_graph_get_next_endpoint() has called
>>> of_node_put() but because it *will* call it on the next iteration.
>>> 
>>> How about the following patch instead ?
>>> 
>>> commit 4ed9893bf52c90181c8d5b1ae29a37556b89f1da
>>> Author: Laurent Pinchart <laurent.pinchart@...asonboard.com>
>>> Date:   Thu Sep 29 11:41:24 2016 +0300
>>> 
>>>   omap3isp: Fix OF node double put when parsing OF graph
>>> 
>>>   When parsing the graph the driver loops over all endpoints using
>>>   of_graph_get_next_endpoint(). The function handles reference counting
>>>   of the passed and returned nodes, so the returned node's reference
>>>   count must not be decreased manually in the normal path.
>>> 
>>>   Move the offending of_node_put() call to the error path that requires
>>>   manual reference count handling.
>>> 
>>>   Reported-by: H. Nikolaus Schaller <hns@...delico.com>
>>>   Signed-off-by: Laurent Pinchart <laurent.pinchart@...asonboard.com>
>>> 
>>> diff --git a/drivers/media/platform/omap3isp/isp.c
>>> b/drivers/media/platform/omap3isp/isp.c index 5e212668f726..f8b437cc8943
>>> 100644
>>> --- a/drivers/media/platform/omap3isp/isp.c
>>> +++ b/drivers/media/platform/omap3isp/isp.c
>>> @@ -2131,23 +2131,18 @@ static int isp_of_parse_nodes(struct device *dev,
>>> 		struct isp_async_subdev *isd;
>>> 		
>>> 		isd = devm_kzalloc(dev, sizeof(*isd), GFP_KERNEL);
>>> -		if (!isd) {
>>> -			of_node_put(node);
>>> -			return -ENOMEM;
>>> -		}
>>> +		if (!isd)
>>> +			goto error;
>>> 
>>> 		notifier->subdevs[notifier->num_subdevs] = &isd->asd;
>>> 
>>> -		if (isp_of_parse_node(dev, node, isd)) {
>>> -			of_node_put(node);
>>> -			return -EINVAL;
>>> -		}
>>> +		if (isp_of_parse_node(dev, node, isd))
>>> +			goto error;
>>> 
>>> 		isd->asd.match.of.node =
>>> of_graph_get_remote_port_parent(node);
>>> -		of_node_put(node);
>>> 		if (!isd->asd.match.of.node) {
>>> 			dev_warn(dev, "bad remote port parent\n");
>>> -			return -EINVAL;
>>> +			goto error;
>>> 		}
>>> 		
>>> 		isd->asd.match_type = V4L2_ASYNC_MATCH_OF;
>>> @@ -2155,6 +2150,10 @@ static int isp_of_parse_nodes(struct device *dev,
>>> 	}
>>> 	
>>> 	return notifier->num_subdevs;
>>> +
>>> +error:
>>> +	of_node_put(node);
>>> +	return -EINVAL;
>>> }
>>> 
>>> static int isp_subdev_notifier_bound(struct v4l2_async_notifier *async,
>> 
>> Seems to fix the reported warning, but obviously I can't test the error
>> paths.
> 
> Can I add
> 
> Tested-by: H. Nikolaus Schaller <hns@...delico.com>
> 
> to the patch ?
> 
>> So let's go this way (until someone shows a bug in the error path).
> 
> -- 
> Regards,
> 
> Laurent Pinchart
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ