| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Jul 2021 22:31:52 +0100
From: Steven Price <steven.price@....com>
To: Laurent Pinchart <laurent.pinchart@...asonboard.com>
Cc: Daniel Vetter <daniel@...ll.ch>, David Airlie <airlied@...ux.ie>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Maxime Ripard <mripard@...nel.org>,
Thomas Zimmermann <tzimmermann@...e.de>,
dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
Biju Das <biju.das.jz@...renesas.com>
Subject: Re: [PATCH] drm/of: free the iterator object on failure
On 12/07/2021 17:50, Laurent Pinchart wrote:
> Hi Steven,
>
> Thank you for the patch.
>
> On Mon, Jul 12, 2021 at 04:57:58PM +0100, Steven Price wrote:
>> When bailing out due to the sanity check the iterator value needs to be
>> freed because the early return prevents for_each_child_of_node() from
>> doing the dereference itself.
>>
>> Fixes: 4ee48cc5586b ("drm: of: Fix double-free bug")
>
> I don't think the Fixes tag is correct, the issue was already present
> before 4ee48cc5586b. The fix looks right though.
I'm not sure quite what you mean by "already present". As I understand
it the timeline was:
1. 6529007522de drm: of: Add drm_of_lvds_get_dual_link_pixel_order
The function was originally added. This made the mistake twice of
calling of_node_put() on the wrong variable (remote_port rather than
endpoint).
2. 4ee48cc5586b drm: of: Fix double-free bug
One of the of_node_put() calls was removed as it was a double-free.
This left the first incorrect of_node_put() in place, and the second
is now a straight leak.
3. b557a5f8da57 drm/of: free the right object
This (correctly) fixes the first of_node_put() to free endpoint. And
the post from Daniel was what caused me to look.
4. This patch
Reintroduces the of_node_put() removed in (2) but putting endpoint
rather than remote_port.
I've put (2) in the Fixes line as this patch is fixing the leak
introduced by that patch, but that in itself was of course 'fixing' the
double free of the original patch.
Steve
>> Signed-off-by: Steven Price <steven.price@....com>
>> ---
>> drivers/gpu/drm/drm_of.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> Daniel's email[1] made me take a look at this function and it appears
>> that for_each_child_of_node()'s interface had caused a bad bug fix due
>> to the hidden reference counting in the iterator.
>>
>> [1] https://lore.kernel.org/r/YOxQ5TbkNrqCGBDJ%40phenom.ffwll.local
>>
>> diff --git a/drivers/gpu/drm/drm_of.c b/drivers/gpu/drm/drm_of.c
>> index 197c57477344..997b8827fed2 100644
>> --- a/drivers/gpu/drm/drm_of.c
>> +++ b/drivers/gpu/drm/drm_of.c
>> @@ -331,8 +331,10 @@ static int drm_of_lvds_get_remote_pixels_type(
>> * configurations by passing the endpoints explicitly to
>> * drm_of_lvds_get_dual_link_pixel_order().
>> */
>> - if (!current_pt || pixels_type != current_pt)
>> + if (!current_pt || pixels_type != current_pt) {
>> + of_node_put(endpoint);
>> return -EINVAL;
>> + }
>> }
>>
>> return pixels_type;
>
Powered by blists - more mailing lists