2022-06-28 02:52:00

by Sasha Levin

Subject: [PATCH AUTOSEL 4.9 11/13] mips/pic32/pic32mzda: Fix refcount leak bugs

From: Liang He <[email protected]>

[ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]

of_find_matching_node(), of_find_compatible_node() and
of_find_node_by_path() will return node pointers with refcount
incremented. We should call of_node_put() when they are not
used anymore.

Signed-off-by: Liang He <[email protected]>
Signed-off-by: Thomas Bogendoerfer <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/mips/pic32/pic32mzda/init.c | 7 ++++++-
arch/mips/pic32/pic32mzda/time.c | 3 +++
2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/arch/mips/pic32/pic32mzda/init.c b/arch/mips/pic32/pic32mzda/init.c
index 406c6c5cec29..f8985d4573e6 100644
--- a/arch/mips/pic32/pic32mzda/init.c
+++ b/arch/mips/pic32/pic32mzda/init.c
@@ -131,13 +131,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup)
np = of_find_compatible_node(NULL, NULL, lookup->compatible);
if (np) {
lookup->name = (char *)np->name;
- if (lookup->phys_addr)
+ if (lookup->phys_addr) {
+ of_node_put(np);
continue;
+ }
if (!of_address_to_resource(np, 0, &res))
lookup->phys_addr = res.start;
+ of_node_put(np);
}
}

+ of_node_put(root);
+
return 0;
}
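Review bot: `lookup->name = (char *)np->name;` keeps a pointer into the node, and both new `of_node_put(np)` calls then drop the reference taken by `of_find_compatible_node()`, so the stored name stays valid only because something else (the live device tree) still holds the node; a one-line comment saying the put merely balances this lookup's own get and does not release the tree's reference would pre-empt the question raised in the reply. Separately, `of_node_put(root)` is added only before the final `return 0`; the hunk does not show where `root` is obtained or whether the function returns earlier, so check that every exit after the root lookup drops it as well.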

diff --git a/arch/mips/pic32/pic32mzda/time.c b/arch/mips/pic32/pic32mzda/time.c
index 62a0a78b6c64..bfafe241c1b5 100644
--- a/arch/mips/pic32/pic32mzda/time.c
+++ b/arch/mips/pic32/pic32mzda/time.c
@@ -40,6 +40,9 @@ static unsigned int pic32_xlate_core_timer_irq(void)
goto default_map;

irq = irq_of_parse_and_map(node, 0);
+
+ of_node_put(node);
+
if (!irq)
goto default_map;
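Review bot: placing `of_node_put(node)` right after `irq_of_parse_and_map(node, 0)` is fine, since only `irq` is used afterwards, but the `goto default_map` shown as context at the top of the hunk is not covered: if `node` has already been acquired when that branch is taken, it still leaks on that path, so verify where `node` is looked up relative to that goto. The extra blank lines around the new call could also be dropped to match the surrounding style.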

--
2.35.1


2022-06-29 13:29:46

by Pavel Machek

Subject: Re: [PATCH AUTOSEL 4.9 11/13] mips/pic32/pic32mzda: Fix refcount leak bugs

Hi!

> From: Liang He <[email protected]>
>
> [ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]
>
> of_find_matching_node(), of_find_compatible_node() and
> of_find_node_by_path() will return node pointers with refcount
> incremented. We should call of_node_put() when they are not
> used anymore.

It looks like this may introduce a use-after-free bug:

> +++ b/arch/mips/pic32/pic32mzda/init.c
> @@ -131,13 +131,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup)
> np = of_find_compatible_node(NULL, NULL, lookup->compatible);
> if (np) {
> lookup->name = (char *)np->name;
> - if (lookup->phys_addr)
> + if (lookup->phys_addr) {
> + of_node_put(np);
> continue;
> + }
> if (!of_address_to_resource(np, 0, &res))
> lookup->phys_addr = res.start;
> + of_node_put(np);
> }
> }

lookup->name now contains pointer taken from np->name, but we did
put() on the np. What guarantees np->name is not freed?

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany



2022-06-29 14:14:13

by Liang He

Subject: Re: Re: [PATCH AUTOSEL 4.9 11/13] mips/pic32/pic32mzda: Fix refcount leak bugs

At 2022-06-29 21:06:17, "Pavel Machek" <[email protected]> wrote:
>Hi!
>
>> From: Liang He <[email protected]>
>>
>> [ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]
>>
>> of_find_matching_node(), of_find_compatible_node() and
>> of_find_node_by_path() will return node pointers with refcount
>> incremented. We should call of_node_put() when they are not
>> used anymore.
>
>It looks like this may introduce a use-after-free bug:
>
>> +++ b/arch/mips/pic32/pic32mzda/init.c
>> @@ -131,13 +131,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup)
>> np = of_find_compatible_node(NULL, NULL, lookup->compatible);
>> if (np) {
>> lookup->name = (char *)np->name;
>> - if (lookup->phys_addr)
>> + if (lookup->phys_addr) {
>> + of_node_put(np);
>> continue;
>> + }
>> if (!of_address_to_resource(np, 0, &res))
>> lookup->phys_addr = res.start;
>> + of_node_put(np);
>> }
>> }
>
>lookup->name now contains pointer taken from np->name, but we did
>put() on the np. What guarantees np->name is not freed?
>
>Best regards,
> Pavel

Hi, Pavel.

Thanks for reviewing this patched code.

In fact, the |PUT| on 'np' will not lead to the |FREE|.
First, before calling of_find_compatible_node(), the target object's refcount must be >= 1, as the object is alive.
Then, after calling of_find_compatible_node(), its refcount must be >=2.
So, after calling of_node_put(np), its refcount must be still >=1.

In fact, these |PUT|s are just used to keep refcount balance for the |GET| in of_find_compatible_node().

If there is anything wrong, please correct me.

Thanks very much for reviewing my patch code.

Liang

>--
>DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
>HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
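The refcount argument in Liang's reply, modelled as an added example that is not kernel code and not part of the thread: a constructed node owned by the "live tree" starts at refcount 1, the stand-in for of_find_compatible_node() takes one more, and the balancing put brings it back to 1 without freeing, so the name pointer read from the node stays valid. The node, the compatible string and the helper names are all made up for the model.

```c
/* Model of of_node reference accounting (added example, not kernel code).
 * Constructed: one node that the live device tree owns, refcount 1. */
#include <stddef.h>
#include <string.h>

struct dt_node {
	int refcount;
	const char *name;
	int freed;	/* set when refcount reaches zero */
};

/* Constructed node; the tree's own reference is the initial 1. */
static struct dt_node live_node = { .refcount = 1, .name = "uart", .freed = 0 };

/* Stand-in for of_find_compatible_node(): returns the node with a new ref. */
static struct dt_node *find_compatible(const char *compatible)
{
	if (strcmp(compatible, "constructed,example-uart") != 0)
		return NULL;
	live_node.refcount++;
	return &live_node;
}

/* Stand-in for of_node_put(): drop one reference, "free" at zero. */
static void node_put(struct dt_node *np)
{
	if (np && --np->refcount == 0)
		np->freed = 1;
}

/* Caller pattern from the patch: take a ref, keep np->name, then put.
 * With fixed == 0 the put is omitted, i.e. the leak the patch fixes.
 * Returns the node's refcount afterwards so the balance can be checked. */
static int prepare_platform_data(const char **name_out, int fixed)
{
	struct dt_node *np = find_compatible("constructed,example-uart");

	if (!np)
		return -1;
	*name_out = np->name;	/* still valid: the tree holds its own ref */
	if (fixed)
		node_put(np);
	return np->refcount;
}

/* Reset the constructed node between runs. */
static void reset_node(void)
{
	live_node.refcount = 1;
	live_node.freed = 0;
}
```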