Message-ID: <b420a4e6-8038-6c1e-7c97-75ef3bea3c21@arm.com>
Date:   Mon, 12 Jul 2021 22:31:52 +0100
From:   Steven Price <steven.price@....com>
To:     Laurent Pinchart <laurent.pinchart@...asonboard.com>
Cc:     Daniel Vetter <daniel@...ll.ch>, David Airlie <airlied@...ux.ie>,
        Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
        Maxime Ripard <mripard@...nel.org>,
        Thomas Zimmermann <tzimmermann@...e.de>,
        dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
        Biju Das <biju.das.jz@...renesas.com>
Subject: Re: [PATCH] drm/of: free the iterator object on failure

On 12/07/2021 17:50, Laurent Pinchart wrote:
> Hi Steven,
> 
> Thank you for the patch.
> 
> On Mon, Jul 12, 2021 at 04:57:58PM +0100, Steven Price wrote:
>> When bailing out due to the sanity check the iterator value needs to be
>> freed because the early return prevents for_each_child_of_node() from
>> doing the dereference itself.
>>
>> Fixes: 4ee48cc5586b ("drm: of: Fix double-free bug")
> 
> I don't think the Fixes tag is correct, the issue was already present
> before 4ee48cc5586b. The fix looks right though.

I'm not sure quite what you mean by "already present". As I understand
it the timeline was:

1. 6529007522de drm: of: Add drm_of_lvds_get_dual_link_pixel_order
   The function was originally added. This made the mistake twice of
   calling of_node_put() on the wrong variable (remote_port rather than
   endpoint).

2. 4ee48cc5586b drm: of: Fix double-free bug
   One of the of_node_put() calls was removed as it was a double-free.
   This left the first incorrect of_node_put() in place, and the second
   is now a straight leak.

3. b557a5f8da57 drm/of: free the right object
   This (correctly) fixes the first of_node_put() to free endpoint. And
   the post from Daniel was what caused me to look.

4. This patch
   Reintroduces the of_node_put() removed in (2) but putting endpoint
   rather than remote_port.

I've put (2) in the Fixes line as this patch is fixing the leak
introduced by that patch, but that in itself was of course 'fixing' the
double free of the original patch.

Steve

>> Signed-off-by: Steven Price <steven.price@....com>
>> ---
>>  drivers/gpu/drm/drm_of.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> Daniel's email[1] made me take a look at this function and it appears
>> that for_each_child_of_node()'s interface had caused a bad bug fix due
>> to the hidden reference counting in the iterator.
>>
>> [1] https://lore.kernel.org/r/YOxQ5TbkNrqCGBDJ%40phenom.ffwll.local
>>
>> diff --git a/drivers/gpu/drm/drm_of.c b/drivers/gpu/drm/drm_of.c
>> index 197c57477344..997b8827fed2 100644
>> --- a/drivers/gpu/drm/drm_of.c
>> +++ b/drivers/gpu/drm/drm_of.c
>> @@ -331,8 +331,10 @@ static int drm_of_lvds_get_remote_pixels_type(
>>  		 * configurations by passing the endpoints explicitly to
>>  		 * drm_of_lvds_get_dual_link_pixel_order().
>>  		 */
>> -		if (!current_pt || pixels_type != current_pt)
>> +		if (!current_pt || pixels_type != current_pt) {
>> +			of_node_put(endpoint);
>>  			return -EINVAL;
>> +		}
>>  	}
>>  
>>  	return pixels_type;
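Review bot: The new of_node_put(endpoint) ahead of return -EINVAL carries no comment saying why an early return from this loop has to drop a reference. The put is only needed because for_each_child_of_node() holds a reference on the iterator, which is not visible at this call site and is the same hidden refcount the thread says produced the earlier bad fix. A one-line comment above the put, for example that the iterator reference must be released before leaving the loop early, would make that explicit. The hunk shows only this one early exit, so it is also worth confirming that no other return or break inside the same loop leaves without the put.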
> 
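The hidden iterator reference this thread discusses, modeled in userspace C as an added example (not kernel code and not part of the original message). The names struct node, node_put(), next_child(), for_each_child(), scan() and leaked_refs() and the sample values are constructed stand-ins for the of_node API and the patched function.

```c
#include <stdio.h>

/* Userspace model (constructed) of a refcounted device-tree node. */
struct node { int refcount; int pixels_type; struct node *sibling; };
static void node_put(struct node *n) { if (n) n->refcount--; }

/* Iterator step: take a reference on the next child, put the previous one. */
static struct node *next_child(struct node *first, struct node *prev)
{
    struct node *next = prev ? prev->sibling : first;
    if (next) next->refcount++;
    node_put(prev);
    return next;
}

#define for_each_child(first, child) \
    for (child = next_child(first, NULL); child; child = next_child(first, child))

/* Sanity-check loop; put_on_bail selects the patched early return. */
static int scan(struct node *first, int put_on_bail)
{
    struct node *endpoint;
    int pixels_type = -1;
    for_each_child(first, endpoint) {
        int current_pt = endpoint->pixels_type;
        if (pixels_type < 0) pixels_type = current_pt;
        if (!current_pt || pixels_type != current_pt) {
            if (put_on_bail)
                node_put(endpoint);   /* drop the iterator's reference */
            return -1;                /* stands in for -EINVAL */
        }
    }
    return pixels_type;
}

/* Scan three children (bad_index < 0: all match); return references left over. */
int leaked_refs(int put_on_bail, int bad_index)
{
    struct node c[3] = { {1, 1, &c[1]}, {1, 1, &c[2]}, {1, 1, NULL} };
    if (bad_index >= 0) c[bad_index].pixels_type = 2;
    scan(c, put_on_bail);
    return c[0].refcount + c[1].refcount + c[2].refcount - 3;
}

int main(void)
{
    printf("unpatched: %d leaked, patched: %d leaked\n", leaked_refs(0, 1), leaked_refs(1, 1));
    return 0;
}
```

When the loop runs to completion the final next_child() call puts the last child itself, so an extra put there would underflow the count; only the early return needs one.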
