lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Dec 2020 14:50:37 +0100 From: Patrick Havelange <patrick.havelange@...ensium.com> To: Madalin Bucur <madalin.bucur@....com>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Cc: Patrick Havelange <patrick.havelange@...ensium.com> Subject: [PATCH net 2/4] net: freescale/fman-port: remove direct use of __devm_request_region This driver was directly calling __devm_request_region with a specific resource on the stack as parameter. This is invalid as __devm_request_region expects the given resource passed as parameter to live longer than the call itself, as the pointer to the resource will be stored inside the internal struct used by the devres management. In addition to this issue, a related bug has been found by kmemleak with this trace : unreferenced object 0xc0000001efc01880 (size 64): comm "swapper/0", pid 1, jiffies 4294669078 (age 3620.536s) hex dump (first 32 bytes): 00 00 00 0f fe 4a c0 00 00 00 00 0f fe 4a cf ff .....J.......J.. c0 00 00 00 00 ee 9d 98 00 00 00 00 80 00 02 00 ................ backtrace: [<c000000000078874>] .alloc_resource+0xb8/0xe0 [<c000000000079b50>] .__request_region+0x70/0x1c4 [<c00000000007a010>] .__devm_request_region+0x8c/0x138 [<c0000000006e0dc8>] .fman_port_probe+0x170/0x420 [<c0000000005cecb8>] .platform_drv_probe+0x84/0x108 [<c0000000005cc620>] .driver_probe_device+0x2c4/0x394 [<c0000000005cc814>] .__driver_attach+0x124/0x128 [<c0000000005c9ad4>] .bus_for_each_dev+0xb4/0x110 [<c0000000005cca1c>] .driver_attach+0x34/0x4c [<c0000000005ca9b0>] .bus_add_driver+0x264/0x2a4 [<c0000000005cd9e0>] .driver_register+0x94/0x160 [<c0000000005cfea4>] .__platform_driver_register+0x60/0x7c [<c000000000f86a00>] .fman_port_load+0x28/0x64 [<c000000000f4106c>] .do_one_initcall+0xd4/0x1a8 [<c000000000f412fc>] .kernel_init_freeable+0x1bc/0x2a4 [<c00000000000180c>] .kernel_init+0x24/0x138 Indeed, the new resource (created in __request_region) will be linked to the given resource living on the stack, which will end its lifetime after the function calling __devm_request_region has finished. Meaning the new resource allocated is no longer reachable. Now that the main fman driver is no longer reserving the region used by fman-port, this previous hack is no longer needed and we can use the regular call to devm_request_mem_region instead, solving those bugs at the same time. Signed-off-by: Patrick Havelange <patrick.havelange@...ensium.com> --- drivers/net/ethernet/freescale/fman/fman_port.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/freescale/fman/fman_port.c b/drivers/net/ethernet/freescale/fman/fman_port.c index d9baac0dbc7d..354974939d9d 100644 --- a/drivers/net/ethernet/freescale/fman/fman_port.c +++ b/drivers/net/ethernet/freescale/fman/fman_port.c @@ -1878,10 +1878,10 @@ static int fman_port_probe(struct platform_device *of_dev) of_node_put(port_node); - dev_res = __devm_request_region(port->dev, &res, res.start, - resource_size(&res), "fman-port"); + dev_res = devm_request_mem_region(port->dev, res.start, + resource_size(&res), "fman-port"); if (!dev_res) { - dev_err(port->dev, "%s: __devm_request_region() failed\n", + dev_err(port->dev, "%s: devm_request_mem_region() failed\n", __func__); err = -EINVAL; goto free_port; -- 2.17.1
Powered by blists - more mailing lists