lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3e4f387b-53fb-b031-223c-88adac7d4dae@canonical.com>
Date:   Thu, 24 Feb 2022 08:46:49 +0100
From:   Krzysztof Kozlowski <krzysztof.kozlowski@...onical.com>
To:     "Michael S. Tsirkin" <mst@...hat.com>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        "Rafael J. Wysocki" <rafael@...nel.org>,
        Stuart Yoder <stuyoder@...il.com>,
        Laurentiu Tudor <laurentiu.tudor@....com>,
        Abel Vesa <abel.vesa@....com>, Shawn Guo <shawnguo@...nel.org>,
        Sascha Hauer <s.hauer@...gutronix.de>,
        Fabio Estevam <festevam@...il.com>,
        "K. Y. Srinivasan" <kys@...rosoft.com>,
        Haiyang Zhang <haiyangz@...rosoft.com>,
        Stephen Hemminger <sthemmin@...rosoft.com>,
        Wei Liu <wei.liu@...nel.org>, Dexuan Cui <decui@...rosoft.com>,
        Bjorn Helgaas <bhelgaas@...gle.com>,
        Bjorn Andersson <bjorn.andersson@...aro.org>,
        Mathieu Poirier <mathieu.poirier@...aro.org>,
        Vineeth Vijayan <vneethv@...ux.ibm.com>,
        Peter Oberparleiter <oberpar@...ux.ibm.com>,
        Heiko Carstens <hca@...ux.ibm.com>,
        Vasily Gorbik <gor@...ux.ibm.com>,
        Alexander Gordeev <agordeev@...ux.ibm.com>,
        Christian Borntraeger <borntraeger@...ux.ibm.com>,
        Sven Schnelle <svens@...ux.ibm.com>,
        Andy Gross <agross@...nel.org>,
        Srinivas Kandagatla <srinivas.kandagatla@...aro.org>,
        Mark Brown <broonie@...nel.org>,
        Jason Wang <jasowang@...hat.com>, linux-kernel@...r.kernel.org,
        linux-clk@...r.kernel.org, NXP Linux Team <linux-imx@....com>,
        linux-arm-kernel@...ts.infradead.org, linux-hyperv@...r.kernel.org,
        linux-pci@...r.kernel.org, linux-remoteproc@...r.kernel.org,
        linux-s390@...r.kernel.org, linux-arm-msm@...r.kernel.org,
        alsa-devel@...a-project.org, linux-spi@...r.kernel.org,
        virtualization@...ts.linux-foundation.org,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Rasmus Villemoes <linux@...musvillemoes.dk>
Subject: Re: [PATCH v2 01/11] driver: platform: add and use helper for safer
 setting of driver_override

On 23/02/2022 22:33, Michael S. Tsirkin wrote:
> On Wed, Feb 23, 2022 at 08:13:00PM +0100, Krzysztof Kozlowski wrote:
>> Several core drivers and buses expect that driver_override is a
>> dynamically allocated memory thus later they can kfree() it.
>>
>> However such assumption is not documented, there were in the past and
>> there are already users setting it to a string literal. This leads to
>> kfree() of static memory during device release (e.g. in error paths or
>> during unbind):
>>
>>     kernel BUG at ../mm/slub.c:3960!
>>     Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
>>     ...
>>     (kfree) from [<c058da50>] (platform_device_release+0x88/0xb4)
>>     (platform_device_release) from [<c0585be0>] (device_release+0x2c/0x90)
>>     (device_release) from [<c0a69050>] (kobject_put+0xec/0x20c)
>>     (kobject_put) from [<c0f2f120>] (exynos5_clk_probe+0x154/0x18c)
>>     (exynos5_clk_probe) from [<c058de70>] (platform_drv_probe+0x6c/0xa4)
>>     (platform_drv_probe) from [<c058b7ac>] (really_probe+0x280/0x414)
>>     (really_probe) from [<c058baf4>] (driver_probe_device+0x78/0x1c4)
>>     (driver_probe_device) from [<c0589854>] (bus_for_each_drv+0x74/0xb8)
>>     (bus_for_each_drv) from [<c058b48c>] (__device_attach+0xd4/0x16c)
>>     (__device_attach) from [<c058a638>] (bus_probe_device+0x88/0x90)
>>     (bus_probe_device) from [<c05871fc>] (device_add+0x3dc/0x62c)
>>     (device_add) from [<c075ff10>] (of_platform_device_create_pdata+0x94/0xbc)
>>     (of_platform_device_create_pdata) from [<c07600ec>] (of_platform_bus_create+0x1a8/0x4fc)
>>     (of_platform_bus_create) from [<c0760150>] (of_platform_bus_create+0x20c/0x4fc)
>>     (of_platform_bus_create) from [<c07605f0>] (of_platform_populate+0x84/0x118)
>>     (of_platform_populate) from [<c0f3c964>] (of_platform_default_populate_init+0xa0/0xb8)
>>     (of_platform_default_populate_init) from [<c01031f8>] (do_one_initcall+0x8c/0x404)
>>     (do_one_initcall) from [<c0f012c0>] (kernel_init_freeable+0x3d0/0x4d8)
>>     (kernel_init_freeable) from [<c0a7def0>] (kernel_init+0x8/0x114)
>>     (kernel_init) from [<c01010b4>] (ret_from_fork+0x14/0x20)
>>
>> Provide a helper which clearly documents the usage of driver_override.
>> This will allow later to reuse the helper and reduce amount of
>> duplicated code.
>>
>> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@...onical.com>
>> ---
>>  drivers/base/driver.c           | 44 +++++++++++++++++++++++++++++++++
>>  drivers/base/platform.c         | 24 +++---------------
>>  include/linux/device/driver.h   |  1 +
>>  include/linux/platform_device.h |  6 ++++-
>>  4 files changed, 54 insertions(+), 21 deletions(-)
>>
>> diff --git a/drivers/base/driver.c b/drivers/base/driver.c
>> index 8c0d33e182fd..79efe51bb4c0 100644
>> --- a/drivers/base/driver.c
>> +++ b/drivers/base/driver.c
>> @@ -30,6 +30,50 @@ static struct device *next_device(struct klist_iter *i)
>>  	return dev;
>>  }
>>  
>> +/*
>> + * set_driver_override() - Helper to set or clear driver override.
>> + * @dev: Device to change
>> + * @override: Address of string to change (e.g. &device->driver_override);
>> + *            The contents will be freed and hold newly allocated override.
>> + * @s: NULL terminated string, new driver name to force a match, pass empty
> 
> Don't you mean NUL terminated?

Yeah, NUL.

> Do all callers really validate that it's NUL terminated?

Good point, the callers use it in device attributes (sysfs) only, so it
might come non-NUL. Previously this was solved by kstrndup() which is
always terminating the string.


> 
>> + *     string to clear it
>> + *
>> + * Helper to setr or clear driver override in a device, intended for the cases
> 
> set?
D'oh!

> 
>> + * when the driver_override field is allocated by driver/bus code.
>> + *
>> + * Returns: 0 on success or a negative error code on failure.
>> + */
>> +int driver_set_override(struct device *dev, char **override, const char *s)
>> +{
>> +	char *new, *old, *cp;
>> +
>> +	if (!dev || !override || !s)
>> +		return -EINVAL;
>> +
>> +	new = kstrndup(s, strlen(s), GFP_KERNEL);
> 
> 
> what's the point of this kstrndup then? why not just kstrdup?

Thanks, it's a copy-paste. Useless now, but I'll pass the count directly
from the callers and then this will be NULL-terminating it.

> 
>> +	if (!new)
>> +		return -ENOMEM;
>> +
>> +	cp = strchr(new, '\n');
>> +	if (cp)
>> +		*cp = '\0';
>> +
>> +	device_lock(dev);
>> +	old = *override;
>> +	if (strlen(new)) {
> 
> We are re-reading the string like 3 times here.

Yep, the same in old code. I guess we could compare just pointers -
whether 'cp' is not NULL and different than 's'.

> 
>> +		*override = new;
>> +	} else {
>> +		kfree(new);
>> +		*override = NULL;
>> +	}
>> +	device_unlock(dev);
>> +
>> +	kfree(old);
>> +
>> +	return 0;
>> +}
>> +EXPORT_SYMBOL_GPL(driver_set_override);
>> +
>>  /**
>>   * driver_for_each_device - Iterator for devices bound to a driver.
>>   * @drv: Driver we're iterating.
>> diff --git a/drivers/base/platform.c b/drivers/base/platform.c
>> index 6cb04ac48bf0..d8853b32ea10 100644
>> --- a/drivers/base/platform.c
>> +++ b/drivers/base/platform.c
>> @@ -1275,31 +1275,15 @@ static ssize_t driver_override_store(struct device *dev,
>>  				     const char *buf, size_t count)
>>  {
>>  	struct platform_device *pdev = to_platform_device(dev);
>> -	char *driver_override, *old, *cp;
>> +	int ret;
>>  
>>  	/* We need to keep extra room for a newline */
>>  	if (count >= (PAGE_SIZE - 1))
>>  		return -EINVAL;
> 
> Given everyone seems to repeat this check, how about passing
> in count and doing the validation in the helper?

Good idea.

> We will then also avoid the need to do strlen and strchr.

The strlen() could be removed, but the strchr() should stay. What
solution do you have in mind to remove strchr()?

Thanks for review.


Best regards,
Krzysztof

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ