lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <8d95757c-fd05-4a48-ae9d-24d78d04d663@samsung.com>
Date: Wed, 29 May 2024 12:12:44 +0200
From: Marek Szyprowski <m.szyprowski@...sung.com>
To: Shresth Prasad <shresthprasad7@...il.com>, robh@...nel.org,
	saravanak@...gle.com, DRI mailing list <dri-devel@...ts.freedesktop.org>
Cc: devicetree@...r.kernel.org, linux-kernel@...r.kernel.org,
	skhan@...uxfoundation.org, javier.carrasco.cruz@...il.com,
	julia.lawall@...ia.fr
Subject: Re: [PATCH][next] of: property: Remove calls to of_node_put

On 15.05.2024 22:29, Shresth Prasad wrote:
> Add __free cleanup handler to some variable initialisations, which
> ensures that the resource is freed as soon as the variable goes out of
> scope. Thus removing the need to manually free up the resource using
> of_node_put.
>
> Suggested-by: Julia Lawall <julia.lawall@...ia.fr>
> Signed-off-by: Shresth Prasad <shresthprasad7@...il.com>
> ---

This patch landed in today's linux-next as commit b94d24c08ee1 ("of: 
property: Remove calls to of_node_put"). I found that it triggers the 
following warning while booting of the Samsung Exynos5800 based Pi 
Chromebook (arch/arm/boot/dts/samsung/exynos5800-peach-pi.dts):

OF: ERROR: of_node_release() detected bad of_node_put() on /panel
CPU: 2 PID: 68 Comm: kworker/u36:1 Not tainted 
6.10.0-rc1-00001-gb94d24c08ee1 #8619
Hardware name: Samsung Exynos (Flattened Device Tree)
Workqueue: events_unbound deferred_probe_work_func
tps65090 20-0048: No cache defaults, reading back from HW
Call trace:
  unwind_backtrace from show_stack+0x10/0x14
  show_stack from dump_stack_lvl+0x50/0x64
  dump_stack_lvl from of_node_release+0x110/0x138
  of_node_release from kobject_put+0x98/0x108
  kobject_put from drm_of_find_panel_or_bridge+0x94/0xd8
  drm_of_find_panel_or_bridge from exynos_dp_probe+0xf0/0x158 [exynosdrm]
  exynos_dp_probe [exynosdrm] from platform_probe+0x80/0xc0
  platform_probe from really_probe+0xc8/0x288
  really_probe from __driver_probe_device+0x8c/0x190
  __driver_probe_device from driver_probe_device+0x30/0xd0
  driver_probe_device from __device_attach_driver+0x8c/0xbc
  __device_attach_driver from bus_for_each_drv+0x74/0xc0
  bus_for_each_drv from __device_attach+0xe8/0x184
  __device_attach from bus_probe_device+0x88/0x8c
  bus_probe_device from deferred_probe_work_func+0x7c/0xa8
  deferred_probe_work_func from process_scheduled_works+0xe8/0x41c
  process_scheduled_works from worker_thread+0x14c/0x35c
  worker_thread from kthread+0xd0/0x104
  kthread from ret_from_fork+0x14/0x28
Exception stack(0xf0a81fb0 to 0xf0a81ff8)

OF: ERROR: next of_node_put() on this node will result in a kobject 
warning 'refcount_t: underflow; use-after-free.'
------------[ cut here ]------------
WARNING: CPU: 3 PID: 68 at lib/refcount.c:25 kobject_get+0xa0/0xa4
refcount_t: addition on 0; use-after-free.
Modules linked in: i2c_cros_ec_tunnel(+) cros_ec_keyb cros_ec_dev 
cros_ec_spi cros_ec snd_soc_i2s snd_soc_idma snd_soc_max98090 
snd_soc_snow snd_soc_s3c_dma snd_soc_core tpm_i2c_infineon ac97_bus 
snd_pcm_dmaengine tpm exynosdrm libsha256 libaescfb snd_pcm analogix_dp 
ecdh_generic samsung_dsim ecc snd_timer atmel_mxt_ts snd libaes 
soundcore exynos_gsc s5p_jpeg s5p_mfc v4l2_mem2mem spi_s3c64xx 
videobuf2_dma_contig exynos_adc pwm_samsung videobuf2_memops 
videobuf2_v4l2 videodev phy_exynos_usb2 videobuf2_common ohci_exynos 
ehci_exynos mc exynos_ppmu rtc_s3c exynos_rng s3c2410_wdt s5p_sss 
phy_exynos_mipi_video phy_exynos_dp_video
CPU: 3 PID: 68 Comm: kworker/u36:1 Not tainted 
6.10.0-rc1-00001-gb94d24c08ee1 #8619
Hardware name: Samsung Exynos (Flattened Device Tree)
Workqueue: events_unbound deferred_probe_work_func
Call trace:
  unwind_backtrace from show_stack+0x10/0x14
  show_stack from dump_stack_lvl+0x50/0x64
  dump_stack_lvl from __warn+0x108/0x12c
  __warn from warn_slowpath_fmt+0x118/0x17c
  warn_slowpath_fmt from kobject_get+0xa0/0xa4
  kobject_get from of_node_get+0x14/0x1c
  of_node_get from of_get_next_parent+0x24/0x50
  of_get_next_parent from of_graph_get_port_parent.part.1+0x58/0xa4
  of_graph_get_port_parent.part.1 from 
of_graph_get_remote_port_parent+0x1c/0x38
  of_graph_get_remote_port_parent from of_graph_get_remote_node+0x10/0x6c
  of_graph_get_remote_node from drm_of_find_panel_or_bridge+0x50/0xd8
  drm_of_find_panel_or_bridge from exynos_dp_probe+0xf0/0x158 [exynosdrm]
  exynos_dp_probe [exynosdrm] from platform_probe+0x80/0xc0
  platform_probe from really_probe+0xc8/0x288
  really_probe from __driver_probe_device+0x8c/0x190
  __driver_probe_device from driver_probe_device+0x30/0xd0
  driver_probe_device from __device_attach_driver+0x8c/0xbc
  __device_attach_driver from bus_for_each_drv+0x74/0xc0
  bus_for_each_drv from __device_attach+0xe8/0x184
  __device_attach from bus_probe_device+0x88/0x8c
  bus_probe_device from deferred_probe_work_func+0x7c/0xa8
  deferred_probe_work_func from process_scheduled_works+0xe8/0x41c
  process_scheduled_works from worker_thread+0x14c/0x35c
  worker_thread from kthread+0xd0/0x104
  kthread from ret_from_fork+0x14/0x28
Exception stack(0xf0a81fb0 to 0xf0a81ff8)

---[ end trace 0000000000000000 ]---
------------[ cut here ]------------

If I got this right, this points to the drm_of_find_panel_or_bridge() 
function. I briefly scanned it, but I don't see any obvious 
of_node_put() related issue there.


> I had submitted a similar patch a couple weeks ago addressing the same
> issue, but as it turns out I wasn't thorough enough and had left a couple
> instances.
>
> I hope this isn't too big an issue.
> ---
>   drivers/of/property.c | 27 +++++++++++----------------
>   1 file changed, 11 insertions(+), 16 deletions(-)
>
> diff --git a/drivers/of/property.c b/drivers/of/property.c
> index 17b294e16c56..96a74f6a8d64 100644
> --- a/drivers/of/property.c
> +++ b/drivers/of/property.c
> @@ -773,15 +773,14 @@ EXPORT_SYMBOL(of_graph_get_port_parent);
>   struct device_node *of_graph_get_remote_port_parent(
>   			       const struct device_node *node)
>   {
> -	struct device_node *np, *pp;
> +	struct device_node *pp;
>   
>   	/* Get remote endpoint node. */
> -	np = of_graph_get_remote_endpoint(node);
> +	struct device_node *np __free(device_node) =
> +			    of_graph_get_remote_endpoint(node);
>   
>   	pp = of_graph_get_port_parent(np);
>   
> -	of_node_put(np);
> -
>   	return pp;
>   }
>   EXPORT_SYMBOL(of_graph_get_remote_port_parent);
> @@ -835,17 +834,18 @@ EXPORT_SYMBOL(of_graph_get_endpoint_count);
>   struct device_node *of_graph_get_remote_node(const struct device_node *node,
>   					     u32 port, u32 endpoint)
>   {
> -	struct device_node *endpoint_node, *remote;
> +	struct device_node *endpoint_node __free(device_node) =
> +			    of_graph_get_endpoint_by_regs(node, port, endpoint);
> +
> +	struct device_node *remote __free(device_node) =
> +			    of_graph_get_remote_port_parent(endpoint_node);
>   
> -	endpoint_node = of_graph_get_endpoint_by_regs(node, port, endpoint);
>   	if (!endpoint_node) {
>   		pr_debug("no valid endpoint (%d, %d) for node %pOF\n",
>   			 port, endpoint, node);
>   		return NULL;
>   	}
>   
> -	remote = of_graph_get_remote_port_parent(endpoint_node);
> -	of_node_put(endpoint_node);
>   	if (!remote) {
>   		pr_debug("no valid remote node\n");
>   		return NULL;
> @@ -853,7 +853,6 @@ struct device_node *of_graph_get_remote_node(const struct device_node *node,
>   
>   	if (!of_device_is_available(remote)) {
>   		pr_debug("not available for remote node\n");
> -		of_node_put(remote);
>   		return NULL;
>   	}
>   
> @@ -1064,19 +1063,15 @@ static void of_link_to_phandle(struct device_node *con_np,
>   			      struct device_node *sup_np,
>   			      u8 flags)
>   {
> -	struct device_node *tmp_np = of_node_get(sup_np);
> +	struct device_node *tmp_np __free(device_node) = of_node_get(sup_np);
>   
>   	/* Check that sup_np and its ancestors are available. */
>   	while (tmp_np) {
> -		if (of_fwnode_handle(tmp_np)->dev) {
> -			of_node_put(tmp_np);
> +		if (of_fwnode_handle(tmp_np)->dev)
>   			break;
> -		}
>   
> -		if (!of_device_is_available(tmp_np)) {
> -			of_node_put(tmp_np);
> +		if (!of_device_is_available(tmp_np))
>   			return;
> -		}
>   
>   		tmp_np = of_get_next_parent(tmp_np);
>   	}

Best regards
-- 
Marek Szyprowski, PhD
Samsung R&D Institute Poland

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ