lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 29 May 2024 16:20:41 +0530 (GMT+05:30)
From: Shresth Prasad <shresthprasad7@...il.com>
To: Marek Szyprowski <m.szyprowski@...sung.com>
Cc: robh@...nel.org, saravanak@...gle.com,
	DRI mailing list <dri-devel@...ts.freedesktop.org>,
	devicetree@...r.kernel.org, linux-kernel@...r.kernel.org,
	skhan@...uxfoundation.org, javier.carrasco.cruz@...il.com,
	julia.lawall@...ia.fr
Subject: Re: [PATCH][next] of: property: Remove calls to of_node_put

29 May 2024 3:42:48 pm Marek Szyprowski <m.szyprowski@...sung.com>:

> On 15.05.2024 22:29, Shresth Prasad wrote:
>> Add __free cleanup handler to some variable initialisations, which
>> ensures that the resource is freed as soon as the variable goes out of
>> scope. Thus removing the need to manually free up the resource using
>> of_node_put.
>> 
>> Suggested-by: Julia Lawall <julia.lawall@...ia.fr>
>> Signed-off-by: Shresth Prasad <shresthprasad7@...il.com>
>> ---
> 
> This patch landed in today's linux-next as commit b94d24c08ee1 ("of:
> property: Remove calls to of_node_put"). I found that it triggers the
> following warning while booting of the Samsung Exynos5800 based Pi
> Chromebook (arch/arm/boot/dts/samsung/exynos5800-peach-pi.dts):
> 
> OF: ERROR: of_node_release() detected bad of_node_put() on /panel
> CPU: 2 PID: 68 Comm: kworker/u36:1 Not tainted
> 6.10.0-rc1-00001-gb94d24c08ee1 #8619
> Hardware name: Samsung Exynos (Flattened Device Tree)
> Workqueue: events_unbound deferred_probe_work_func
> tps65090 20-0048: No cache defaults, reading back from HW
> Call trace:
>  unwind_backtrace from show_stack+0x10/0x14
>  show_stack from dump_stack_lvl+0x50/0x64
>  dump_stack_lvl from of_node_release+0x110/0x138
>  of_node_release from kobject_put+0x98/0x108
>  kobject_put from drm_of_find_panel_or_bridge+0x94/0xd8
>  drm_of_find_panel_or_bridge from exynos_dp_probe+0xf0/0x158 [exynosdrm]
>  exynos_dp_probe [exynosdrm] from platform_probe+0x80/0xc0
>  platform_probe from really_probe+0xc8/0x288
>  really_probe from __driver_probe_device+0x8c/0x190
>  __driver_probe_device from driver_probe_device+0x30/0xd0
>  driver_probe_device from __device_attach_driver+0x8c/0xbc
>  __device_attach_driver from bus_for_each_drv+0x74/0xc0
>  bus_for_each_drv from __device_attach+0xe8/0x184
>  __device_attach from bus_probe_device+0x88/0x8c
>  bus_probe_device from deferred_probe_work_func+0x7c/0xa8
>  deferred_probe_work_func from process_scheduled_works+0xe8/0x41c
>  process_scheduled_works from worker_thread+0x14c/0x35c
>  worker_thread from kthread+0xd0/0x104
>  kthread from ret_from_fork+0x14/0x28
> Exception stack(0xf0a81fb0 to 0xf0a81ff8)
> 
> OF: ERROR: next of_node_put() on this node will result in a kobject
> warning 'refcount_t: underflow; use-after-free.'
> ------------[ cut here ]------------
> WARNING: CPU: 3 PID: 68 at lib/refcount.c:25 kobject_get+0xa0/0xa4
> refcount_t: addition on 0; use-after-free.
> Modules linked in: i2c_cros_ec_tunnel(+) cros_ec_keyb cros_ec_dev
> cros_ec_spi cros_ec snd_soc_i2s snd_soc_idma snd_soc_max98090
> snd_soc_snow snd_soc_s3c_dma snd_soc_core tpm_i2c_infineon ac97_bus
> snd_pcm_dmaengine tpm exynosdrm libsha256 libaescfb snd_pcm analogix_dp
> ecdh_generic samsung_dsim ecc snd_timer atmel_mxt_ts snd libaes
> soundcore exynos_gsc s5p_jpeg s5p_mfc v4l2_mem2mem spi_s3c64xx
> videobuf2_dma_contig exynos_adc pwm_samsung videobuf2_memops
> videobuf2_v4l2 videodev phy_exynos_usb2 videobuf2_common ohci_exynos
> ehci_exynos mc exynos_ppmu rtc_s3c exynos_rng s3c2410_wdt s5p_sss
> phy_exynos_mipi_video phy_exynos_dp_video
> CPU: 3 PID: 68 Comm: kworker/u36:1 Not tainted
> 6.10.0-rc1-00001-gb94d24c08ee1 #8619
> Hardware name: Samsung Exynos (Flattened Device Tree)
> Workqueue: events_unbound deferred_probe_work_func
> Call trace:
>  unwind_backtrace from show_stack+0x10/0x14
>  show_stack from dump_stack_lvl+0x50/0x64
>  dump_stack_lvl from __warn+0x108/0x12c
>  __warn from warn_slowpath_fmt+0x118/0x17c
>  warn_slowpath_fmt from kobject_get+0xa0/0xa4
>  kobject_get from of_node_get+0x14/0x1c
>  of_node_get from of_get_next_parent+0x24/0x50
>  of_get_next_parent from of_graph_get_port_parent.part.1+0x58/0xa4
>  of_graph_get_port_parent.part.1 from
> of_graph_get_remote_port_parent+0x1c/0x38
>  of_graph_get_remote_port_parent from of_graph_get_remote_node+0x10/0x6c
>  of_graph_get_remote_node from drm_of_find_panel_or_bridge+0x50/0xd8
>  drm_of_find_panel_or_bridge from exynos_dp_probe+0xf0/0x158 [exynosdrm]
>  exynos_dp_probe [exynosdrm] from platform_probe+0x80/0xc0
>  platform_probe from really_probe+0xc8/0x288
>  really_probe from __driver_probe_device+0x8c/0x190
>  __driver_probe_device from driver_probe_device+0x30/0xd0
>  driver_probe_device from __device_attach_driver+0x8c/0xbc
>  __device_attach_driver from bus_for_each_drv+0x74/0xc0
>  bus_for_each_drv from __device_attach+0xe8/0x184
>  __device_attach from bus_probe_device+0x88/0x8c
>  bus_probe_device from deferred_probe_work_func+0x7c/0xa8
>  deferred_probe_work_func from process_scheduled_works+0xe8/0x41c
>  process_scheduled_works from worker_thread+0x14c/0x35c
>  worker_thread from kthread+0xd0/0x104
>  kthread from ret_from_fork+0x14/0x28
> Exception stack(0xf0a81fb0 to 0xf0a81ff8)
> 
> ---[ end trace 0000000000000000 ]---
> ------------[ cut here ]------------
> 
> If I got this right, this points to the drm_of_find_panel_or_bridge()
> function. I briefly scanned it, but I don't see any obvious
> of_node_put() related issue there.
> 
> 
>> I had submitted a similar patch a couple weeks ago addressing the same
>> issue, but as it turns out I wasn't thorough enough and had left a couple
>> instances.
>> 
>> I hope this isn't too big an issue.
>> ---
>>   drivers/of/property.c | 27 +++++++++++----------------
>>   1 file changed, 11 insertions(+), 16 deletions(-)
>> 
>> diff --git a/drivers/of/property.c b/drivers/of/property.c
>> index 17b294e16c56..96a74f6a8d64 100644
>> --- a/drivers/of/property.c
>> +++ b/drivers/of/property.c
>> @@ -773,15 +773,14 @@ EXPORT_SYMBOL(of_graph_get_port_parent);
>>   struct device_node *of_graph_get_remote_port_parent(
>>                    const struct device_node *node)
>>   {
>> -   struct device_node *np, *pp;
>> +   struct device_node *pp;
>>  
>>     /* Get remote endpoint node. */
>> -   np = of_graph_get_remote_endpoint(node);
>> +   struct device_node *np __free(device_node) =
>> +               of_graph_get_remote_endpoint(node);
>>  
>>     pp = of_graph_get_port_parent(np);
>>  
>> -   of_node_put(np);
>> -
>>     return pp;
>>   }
>>   EXPORT_SYMBOL(of_graph_get_remote_port_parent);
>> @@ -835,17 +834,18 @@ EXPORT_SYMBOL(of_graph_get_endpoint_count);
>>   struct device_node *of_graph_get_remote_node(const struct device_node *node,
>>                          u32 port, u32 endpoint)
>>   {
>> -   struct device_node *endpoint_node, *remote;
>> +   struct device_node *endpoint_node __free(device_node) =
>> +               of_graph_get_endpoint_by_regs(node, port, endpoint);
>> +
>> +   struct device_node *remote __free(device_node) =
>> +               of_graph_get_remote_port_parent(endpoint_node);
>>  
>> -   endpoint_node = of_graph_get_endpoint_by_regs(node, port, endpoint);
>>     if (!endpoint_node) {
>>         pr_debug("no valid endpoint (%d, %d) for node %pOF\n",
>>              port, endpoint, node);
>>         return NULL;
>>     }
>>  
>> -   remote = of_graph_get_remote_port_parent(endpoint_node);
>> -   of_node_put(endpoint_node);
>>     if (!remote) {
>>         pr_debug("no valid remote node\n");
>>         return NULL;
>> @@ -853,7 +853,6 @@ struct device_node *of_graph_get_remote_node(const struct device_node *node,
>>  
>>     if (!of_device_is_available(remote)) {
>>         pr_debug("not available for remote node\n");
>> -       of_node_put(remote);
>>         return NULL;
>>     }
>>  
>> @@ -1064,19 +1063,15 @@ static void of_link_to_phandle(struct device_node *con_np,
>>                   struct device_node *sup_np,
>>                   u8 flags)
>>   {
>> -   struct device_node *tmp_np = of_node_get(sup_np);
>> +   struct device_node *tmp_np __free(device_node) = of_node_get(sup_np);
>>  
>>     /* Check that sup_np and its ancestors are available. */
>>     while (tmp_np) {
>> -       if (of_fwnode_handle(tmp_np)->dev) {
>> -           of_node_put(tmp_np);
>> +       if (of_fwnode_handle(tmp_np)->dev)
>>             break;
>> -       }
>>  
>> -       if (!of_device_is_available(tmp_np)) {
>> -           of_node_put(tmp_np);
>> +       if (!of_device_is_available(tmp_np))
>>             return;
>> -       }
>>  
>>         tmp_np = of_get_next_parent(tmp_np);
>>     }
> 
> Best regards
> -- 
> Marek Szyprowski, PhD
> Samsung R&D Institute Poland

Thanks for letting me know.

It seems this has already been fixed by Alexander Stein here:
https://lore.kernel.org/all/20240529073246.537459-1-alexander.stein@ew.tq-group.com/

Regards,
Shresth

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ