Message-ID: <20251219113803.GC9788@e132581.arm.com>
Date: Fri, 19 Dec 2025 11:38:03 +0000
From: Leo Yan <leo.yan@....com>
To: Suzuki K Poulose <suzuki.poulose@....com>
Cc: Ma Ke <make24@...as.ac.cn>, jie.gan@....qualcomm.com,
james.clark@...aro.org, akpm@...ux-foundation.org,
alexander.shishkin@...ux.intel.com, coresight@...ts.linaro.org,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
mathieu.poirier@...aro.org, mike.leach@...aro.org,
stable@...r.kernel.org
Subject: Re: [PATCH v2 RESEND] coresight: etm-perf: Fix reference count leak in etm_setup_aux
On Fri, Dec 19, 2025 at 09:59:54AM +0000, Suzuki K Poulose wrote:
[...]
> > diff --git a/drivers/hwtracing/coresight/coresight-platform.c b/drivers/hwtracing/coresight/coresight-platform.c
> > index 0db64c5f4995..2b34f818ba88 100644
> > --- a/drivers/hwtracing/coresight/coresight-platform.c
> > +++ b/drivers/hwtracing/coresight/coresight-platform.c
> > @@ -107,14 +107,16 @@ coresight_find_device_by_fwnode(struct fwnode_handle *fwnode)
> > * platform bus.
> > */
> > dev = bus_find_device_by_fwnode(&platform_bus_type, fwnode);
> > - if (dev)
> > - return dev;
> > /*
> > * We have a configurable component - circle through the AMBA bus
> > * looking for the device that matches the endpoint node.
> > */
> > - return bus_find_device_by_fwnode(&amba_bustype, fwnode);
> > + if (!dev)
> > + dev = bus_find_device_by_fwnode(&amba_bustype, fwnode);
> > +
> > + put_device(dev);
>
> ^^ NAK, see below.
>
> > + return dev;
> > }
> > /*
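Review bot: the put_device(dev) placed directly before `return dev` hands the caller a pointer on which no reference is held any more, so the return value is only safe to test against NULL, never to dereference; that is exactly the use-after-free concern raised in the NAK below. If the intended contract really is a presence check, state it in the function's comment and return a boolean rather than the pointer (or leave the put_device() in each caller, as the original code did), so the ownership rule is visible at every call site. The unconditional call itself is harmless when neither bus lookup finds the device, since put_device() tolerates a NULL argument.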
> > @@ -274,7 +276,6 @@ static int of_coresight_parse_endpoint(struct device *dev,
> > of_node_put(rparent);
> > of_node_put(rep);
> > - put_device(rdev);
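Review bot: dropping put_device(rdev) here is only balanced if the first hunk lands as well, since that is where the reference taken by bus_find_device_by_fwnode() is now released; applied on its own after the NAK, this hunk would simply leak that reference. Conversely, if rdev is dereferenced anywhere between the lookup and these of_node_put() calls, it needs the reference the first hunk removes, and every other caller of coresight_find_device_by_fwnode() that still does its own put_device() would now double-drop, so the two hunks have to be reviewed against all callers together.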
>
> This doesn't look good. We can't use the "dev" reliably without the
> reference count. We are opening up use-after-free.
My understanding is we don't grab a device from
coresight_find_device_by_fwnode(). The callers only check whether the
device is present on the bus; if it isn't, the driver defers probe.
This is similar to coresight_find_csdev_by_fwnode(), which calls
put_device(dev) to release refcnt immediately. This is why I
suggested the change, so the two functions behave consistently.
Thanks,
Leo