2018-08-27 08:24:16

by Johan Hovold

[permalink] [raw]
Subject: [PATCH v2 0/9] of: fix compatible-child-node lookups

Several drivers currently use of_find_compatible_node() to lookup child
nodes while failing to notice that the of_find_ functions search the
entire tree depth-first (from a given start node) and therefore can
match unrelated nodes.

The fact that these functions also drop a reference to the node they
start searching from (e.g. the parent node) is typically also
overlooked, something which can lead to use-after-free bugs (e.g. after
probe deferrals).

This series adds a new helper, similar to of_get_child_by_name(),
that can be used to lookup compatible child nodes, and uses the new
helper to fix child-node lookups throughout the tree.

This is related to the fixes I posted about a year ago, which addressed
a similar anti-pattern when looking up child nodes by name. Since it
took me more than a year to get all those fixes into Linus' tree (one
fix is still pending), and as these fixes depend on the new helper, I'm
suggesting that these all go in through Rob's or Greg's trees.

Alternatively, the helper could go into to -rc2, and I'll be pinging
submaintainers for the coming year as well. ;)

Johan


Changes in v2
- fix !CONFIG_OF build by adding missing inline keyword
- amend commit messages and explicitly mention that the of_find
functions search the entire tree from a given start node
- add Sebastian's and Martin's Reviewed-by and Acked-by to patches 4/9
and 9/9 respectively
- drop or fix a couple of CC addresses that bounced


Johan Hovold (9):
of: add helper to lookup compatible child node
drm/mediatek: fix OF sibling-node lookup
drm/msm: fix OF child-node lookup
mmc: meson-mx-sdio: fix OF child-node lookup
mtd: nand: atmel: fix OF child-node lookup
net: bcmgenet: fix OF child-node lookup
net: stmmac: dwmac-sun8i: fix OF child-node lookup
NFC: nfcmrvl_uart: fix OF child-node lookup
power: supply: twl4030-charger: fix OF sibling-node lookup

drivers/gpu/drm/mediatek/mtk_hdmi.c | 5 ++--
drivers/gpu/drm/msm/adreno/adreno_gpu.c | 5 ++--
drivers/mmc/host/meson-mx-sdio.c | 8 ++++--
drivers/mtd/nand/raw/atmel/nand-controller.c | 11 +++++---
drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 +-
.../net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 12 +++++++--
drivers/nfc/nfcmrvl/uart.c | 5 ++--
drivers/of/base.c | 25 +++++++++++++++++++
drivers/power/supply/twl4030_charger.c | 5 ++--
include/linux/of.h | 8 ++++++
10 files changed, 68 insertions(+), 18 deletions(-)

--
2.18.0



2018-08-27 08:24:12

by Johan Hovold

[permalink] [raw]
Subject: [PATCH v2 4/9] mmc: meson-mx-sdio: fix OF child-node lookup

Use the new of_get_compatible_child() helper to lookup the slot child
node instead of using of_find_compatible_node(), which searches the
entire tree from a given start node and thus can return an unrelated
(i.e. non-child) node.

This also addresses a potential use-after-free (e.g. after probe
deferral) as the tree-wide helper drops a reference to its first
argument (i.e. the node of the device being probed).

While at it, also fix up the related slot-node reference leak.

Fixes: ed80a13bb4c4 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoCs")
Cc: stable <[email protected]> # 4.15
Cc: Carlo Caione <[email protected]>
Cc: Martin Blumenstingl <[email protected]>
Cc: Ulf Hansson <[email protected]>
Acked-by: Martin Blumenstingl <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
---
drivers/mmc/host/meson-mx-sdio.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/mmc/host/meson-mx-sdio.c b/drivers/mmc/host/meson-mx-sdio.c
index 09cb89645d06..2cfec33178c1 100644
--- a/drivers/mmc/host/meson-mx-sdio.c
+++ b/drivers/mmc/host/meson-mx-sdio.c
@@ -517,19 +517,23 @@ static struct mmc_host_ops meson_mx_mmc_ops = {
static struct platform_device *meson_mx_mmc_slot_pdev(struct device *parent)
{
struct device_node *slot_node;
+ struct platform_device *pdev;

/*
* TODO: the MMC core framework currently does not support
* controllers with multiple slots properly. So we only register
* the first slot for now
*/
- slot_node = of_find_compatible_node(parent->of_node, NULL, "mmc-slot");
+ slot_node = of_get_compatible_child(parent->of_node, "mmc-slot");
if (!slot_node) {
dev_warn(parent, "no 'mmc-slot' sub-node found\n");
return ERR_PTR(-ENOENT);
}

- return of_platform_device_create(slot_node, NULL, parent);
+ pdev = of_platform_device_create(slot_node, NULL, parent);
+ of_node_put(slot_node);
+
+ return pdev;
}

static int meson_mx_mmc_add_host(struct meson_mx_mmc_host *host)
--
2.18.0


2018-08-27 08:24:25

by Johan Hovold

[permalink] [raw]
Subject: [PATCH v2 9/9] power: supply: twl4030-charger: fix OF sibling-node lookup

Use the new of_get_compatible_child() helper to lookup the usb sibling
node instead of using of_find_compatible_node(), which searches the
entire tree from a given start node and thus can return an unrelated
(non-sibling) node.

This also addresses a potential use-after-free (e.g. after probe
deferral) as the tree-wide helper drops a reference to its first
argument (i.e. the parent device node).

While at it, also fix the related phy-node reference leak.

Fixes: f5e4edb8c888 ("power: twl4030_charger: find associated phy by more reliable means.")
Cc: stable <[email protected]> # 4.2
Cc: NeilBrown <[email protected]>
Cc: Felipe Balbi <[email protected]>
Cc: Sebastian Reichel <[email protected]>
Reviewed-by: Sebastian Reichel <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
---
drivers/power/supply/twl4030_charger.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/power/supply/twl4030_charger.c b/drivers/power/supply/twl4030_charger.c
index bbcaee56db9d..b6a7d9f74cf3 100644
--- a/drivers/power/supply/twl4030_charger.c
+++ b/drivers/power/supply/twl4030_charger.c
@@ -996,12 +996,13 @@ static int twl4030_bci_probe(struct platform_device *pdev)
if (bci->dev->of_node) {
struct device_node *phynode;

- phynode = of_find_compatible_node(bci->dev->of_node->parent,
- NULL, "ti,twl4030-usb");
+ phynode = of_get_compatible_child(bci->dev->of_node->parent,
+ "ti,twl4030-usb");
if (phynode) {
bci->usb_nb.notifier_call = twl4030_bci_usb_ncb;
bci->transceiver = devm_usb_get_phy_by_node(
bci->dev, phynode, &bci->usb_nb);
+ of_node_put(phynode);
if (IS_ERR(bci->transceiver)) {
ret = PTR_ERR(bci->transceiver);
if (ret == -EPROBE_DEFER)
--
2.18.0


2018-08-27 08:24:33

by Johan Hovold

[permalink] [raw]
Subject: [PATCH v2 2/9] drm/mediatek: fix OF sibling-node lookup

Use the new of_get_compatible_child() helper to lookup the sibling
instead of using of_find_compatible_node(), which searches the entire
tree from a given start node and thus can return an unrelated (i.e.
non-sibling) node.

This also addresses a potential use-after-free (e.g. after probe
deferral) as the tree-wide helper drops a reference to its first
argument (i.e. the parent device node).

While at it, also fix the related cec-node reference leak.

Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support")
Cc: stable <[email protected]> # 4.8
Cc: Junzhi Zhao <[email protected]>
Cc: Philipp Zabel <[email protected]>
Cc: CK Hu <[email protected]>
Cc: David Airlie <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
---
drivers/gpu/drm/mediatek/mtk_hdmi.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c
index 2d45d1dd9554..643f5edd68fe 100644
--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c
+++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c
@@ -1446,8 +1446,7 @@ static int mtk_hdmi_dt_parse_pdata(struct mtk_hdmi *hdmi,
}

/* The CEC module handles HDMI hotplug detection */
- cec_np = of_find_compatible_node(np->parent, NULL,
- "mediatek,mt8173-cec");
+ cec_np = of_get_compatible_child(np->parent, "mediatek,mt8173-cec");
if (!cec_np) {
dev_err(dev, "Failed to find CEC node\n");
return -EINVAL;
@@ -1457,8 +1456,10 @@ static int mtk_hdmi_dt_parse_pdata(struct mtk_hdmi *hdmi,
if (!cec_pdev) {
dev_err(hdmi->dev, "Waiting for CEC device %pOF\n",
cec_np);
+ of_node_put(cec_np);
return -EPROBE_DEFER;
}
+ of_node_put(cec_np);
hdmi->cec_dev = &cec_pdev->dev;

/*
--
2.18.0


2018-08-27 08:24:39

by Johan Hovold

[permalink] [raw]
Subject: [PATCH v2 1/9] of: add helper to lookup compatible child node

Add of_get_compatible_child() helper that can be used to lookup
compatible child nodes.

Several drivers currently use of_find_compatible_node() to lookup child
nodes while failing to notice that the of_find_ functions search the
entire tree depth-first (from a given start node) and therefore can
match unrelated nodes. The fact that these functions also drop a
reference to the node they start searching from (e.g. the parent node)
is typically also overlooked, something which can lead to use-after-free
bugs.

Signed-off-by: Johan Hovold <[email protected]>
---
drivers/of/base.c | 25 +++++++++++++++++++++++++
include/linux/of.h | 8 ++++++++
2 files changed, 33 insertions(+)

diff --git a/drivers/of/base.c b/drivers/of/base.c
index 466e3c8582f0..bc420d2aa5f5 100644
--- a/drivers/of/base.c
+++ b/drivers/of/base.c
@@ -719,6 +719,31 @@ struct device_node *of_get_next_available_child(const struct device_node *node,
}
EXPORT_SYMBOL(of_get_next_available_child);

+/**
+ * of_get_compatible_child - Find compatible child node
+ * @parent: parent node
+ * @compatible: compatible string
+ *
+ * Lookup child node whose compatible property contains the given compatible
+ * string.
+ *
+ * Returns a node pointer with refcount incremented, use of_node_put() on it
+ * when done; or NULL if not found.
+ */
+struct device_node *of_get_compatible_child(const struct device_node *parent,
+ const char *compatible)
+{
+ struct device_node *child;
+
+ for_each_child_of_node(parent, child) {
+ if (of_device_is_compatible(child, compatible))
+ break;
+ }
+
+ return child;
+}
+EXPORT_SYMBOL(of_get_compatible_child);
+
/**
* of_get_child_by_name - Find the child node by name for a given parent
* @node: parent node
diff --git a/include/linux/of.h b/include/linux/of.h
index 4d25e4f952d9..b99a1a8c2952 100644
--- a/include/linux/of.h
+++ b/include/linux/of.h
@@ -290,6 +290,8 @@ extern struct device_node *of_get_next_child(const struct device_node *node,
extern struct device_node *of_get_next_available_child(
const struct device_node *node, struct device_node *prev);

+extern struct device_node *of_get_compatible_child(const struct device_node *parent,
+ const char *compatible);
extern struct device_node *of_get_child_by_name(const struct device_node *node,
const char *name);

@@ -632,6 +634,12 @@ static inline bool of_have_populated_dt(void)
return false;
}

+static inline struct device_node *of_get_compatible_child(const struct device_node *parent,
+ const char *compatible)
+{
+ return NULL;
+}
+
static inline struct device_node *of_get_child_by_name(
const struct device_node *node,
const char *name)
--
2.18.0


2018-08-27 08:24:43

by Johan Hovold

[permalink] [raw]
Subject: [PATCH v2 5/9] mtd: nand: atmel: fix OF child-node lookup

Use the new of_get_compatible_child() helper to lookup the nfc child
node instead of using of_find_compatible_node(), which searches the
entire tree from a given start node and thus can return an unrelated
(i.e. non-child) node.

This also addresses a potential use-after-free (e.g. after probe
deferral) as the tree-wide helper drops a reference to its first
argument (i.e. the node of the device being probed).

While at it, also fix a related nfc-node reference leak.

Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
Cc: stable <[email protected]> # 4.11
Cc: Nicolas Ferre <[email protected]>
Cc: Josh Wu <[email protected]>
Cc: Boris Brezillon <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
---
drivers/mtd/nand/raw/atmel/nand-controller.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/mtd/nand/raw/atmel/nand-controller.c b/drivers/mtd/nand/raw/atmel/nand-controller.c
index a068b214ebaa..d3dfe63956ac 100644
--- a/drivers/mtd/nand/raw/atmel/nand-controller.c
+++ b/drivers/mtd/nand/raw/atmel/nand-controller.c
@@ -2061,8 +2061,7 @@ atmel_hsmc_nand_controller_legacy_init(struct atmel_hsmc_nand_controller *nc)
int ret;

nand_np = dev->of_node;
- nfc_np = of_find_compatible_node(dev->of_node, NULL,
- "atmel,sama5d3-nfc");
+ nfc_np = of_get_compatible_child(dev->of_node, "atmel,sama5d3-nfc");

nc->clk = of_clk_get(nfc_np, 0);
if (IS_ERR(nc->clk)) {
@@ -2472,15 +2471,19 @@ static int atmel_nand_controller_probe(struct platform_device *pdev)
}

if (caps->legacy_of_bindings) {
+ struct device_node *nfc_node;
u32 ale_offs = 21;

/*
* If we are parsing legacy DT props and the DT contains a
* valid NFC node, forward the request to the sama5 logic.
*/
- if (of_find_compatible_node(pdev->dev.of_node, NULL,
- "atmel,sama5d3-nfc"))
+ nfc_node = of_get_compatible_child(pdev->dev.of_node,
+ "atmel,sama5d3-nfc");
+ if (nfc_node) {
caps = &atmel_sama5_nand_caps;
+ of_node_put(nfc_node);
+ }

/*
* Even if the compatible says we are dealing with an
--
2.18.0


2018-08-27 08:25:26

by Johan Hovold

[permalink] [raw]
Subject: [PATCH v2 8/9] NFC: nfcmrvl_uart: fix OF child-node lookup

Use the new of_get_compatible_child() helper to lookup the nfc child
node instead of using of_find_compatible_node(), which searches the
entire tree from a given start node and thus can return an unrelated
(i.e. non-child) node.

This also addresses a potential use-after-free (e.g. after probe
deferral) as the tree-wide helper drops a reference to its first
argument (i.e. the parent node).

Fixes: e097dc624f78 ("NFC: nfcmrvl: add UART driver")
Fixes: d8e018c0b321 ("NFC: nfcmrvl: update device tree bindings for Marvell NFC")
Cc: stable <[email protected]> # 4.2
Cc: Vincent Cuissard <[email protected]>
Cc: Samuel Ortiz <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
---
drivers/nfc/nfcmrvl/uart.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/nfc/nfcmrvl/uart.c b/drivers/nfc/nfcmrvl/uart.c
index 91162f8e0366..9a22056e8d9e 100644
--- a/drivers/nfc/nfcmrvl/uart.c
+++ b/drivers/nfc/nfcmrvl/uart.c
@@ -73,10 +73,9 @@ static int nfcmrvl_uart_parse_dt(struct device_node *node,
struct device_node *matched_node;
int ret;

- matched_node = of_find_compatible_node(node, NULL, "marvell,nfc-uart");
+ matched_node = of_get_compatible_child(node, "marvell,nfc-uart");
if (!matched_node) {
- matched_node = of_find_compatible_node(node, NULL,
- "mrvl,nfc-uart");
+ matched_node = of_get_compatible_child(node, "mrvl,nfc-uart");
if (!matched_node)
return -ENODEV;
}
--
2.18.0


2018-08-27 08:25:27

by Johan Hovold

[permalink] [raw]
Subject: [PATCH v2 7/9] net: stmmac: dwmac-sun8i: fix OF child-node lookup

Use the new of_get_compatible_child() helper to lookup the mdio-internal
child node instead of using of_find_compatible_node(), which searches
the entire tree from a given start node and thus can return an unrelated
(i.e. non-child) node.

This also addresses a potential use-after-free (e.g. after probe
deferral) as the tree-wide helper drops a reference to its first
argument (i.e. the mdio-mux node). Fortunately, this was inadvertently
balanced by a failure to drop the mdio-mux reference after lookup.

While at it, also fix the related mdio-internal- and phy-node reference
leaks.

Fixes: 634db83b8265 ("net: stmmac: dwmac-sun8i: Handle integrated/external MDIOs")
Cc: Corentin Labbe <[email protected]>
Cc: Andrew Lunn <[email protected]>
Cc: Giuseppe Cavallaro <[email protected]>
Cc: Alexandre Torgue <[email protected]>
Cc: Jose Abreu <[email protected]>
Cc: David S. Miller <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
---
drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
index f9a61f90cfbc..0f660af01a4b 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
@@ -714,8 +714,9 @@ static int get_ephy_nodes(struct stmmac_priv *priv)
return -ENODEV;
}

- mdio_internal = of_find_compatible_node(mdio_mux, NULL,
+ mdio_internal = of_get_compatible_child(mdio_mux,
"allwinner,sun8i-h3-mdio-internal");
+ of_node_put(mdio_mux);
if (!mdio_internal) {
dev_err(priv->device, "Cannot get internal_mdio node\n");
return -ENODEV;
@@ -729,13 +730,20 @@ static int get_ephy_nodes(struct stmmac_priv *priv)
gmac->rst_ephy = of_reset_control_get_exclusive(iphynode, NULL);
if (IS_ERR(gmac->rst_ephy)) {
ret = PTR_ERR(gmac->rst_ephy);
- if (ret == -EPROBE_DEFER)
+ if (ret == -EPROBE_DEFER) {
+ of_node_put(iphynode);
+ of_node_put(mdio_internal);
return ret;
+ }
continue;
}
dev_info(priv->device, "Found internal PHY node\n");
+ of_node_put(iphynode);
+ of_node_put(mdio_internal);
return 0;
}
+
+ of_node_put(mdio_internal);
return -ENODEV;
}

--
2.18.0


2018-08-27 08:25:28

by Johan Hovold

[permalink] [raw]
Subject: [PATCH v2 6/9] net: bcmgenet: fix OF child-node lookup

Use the new of_get_compatible_child() helper to lookup the mdio child
node instead of using of_find_compatible_node(), which searches the
entire tree from a given start node and thus can return an unrelated
(i.e. non-child) node.

This also addresses a potential use-after-free (e.g. after probe
deferral) as the tree-wide helper drops a reference to its first
argument (i.e. the node of the device being probed).

Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines")
Cc: stable <[email protected]> # 3.15
Cc: Florian Fainelli <[email protected]>
Cc: David S. Miller <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
---
drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c
index 5333274a283c..87fc65560ceb 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
@@ -333,7 +333,7 @@ static struct device_node *bcmgenet_mii_of_find_mdio(struct bcmgenet_priv *priv)
if (!compat)
return NULL;

- priv->mdio_dn = of_find_compatible_node(dn, NULL, compat);
+ priv->mdio_dn = of_get_compatible_child(dn, compat);
kfree(compat);
if (!priv->mdio_dn) {
dev_err(kdev, "unable to find MDIO bus node\n");
--
2.18.0


2018-08-27 08:25:39

by Johan Hovold

[permalink] [raw]
Subject: [PATCH v2 3/9] drm/msm: fix OF child-node lookup

Use the new of_get_compatible_child() helper to lookup the legacy
pwrlevels child node instead of using of_find_compatible_node(), which
searches the entire tree from a given start node and thus can return an
unrelated (i.e. non-child) node.

This also addresses a potential use-after-free (e.g. after probe
deferral) as the tree-wide helper drops a reference to its first
argument (i.e. the probed device's node).

While at it, also fix the related child-node reference leak.

Fixes: e2af8b6b0ca1 ("drm/msm: gpu: Use OPP tables if we can")
Cc: stable <[email protected]> # 4.12
Cc: Jordan Crouse <[email protected]>
Cc: Rob Clark <[email protected]>
Cc: David Airlie <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
---
drivers/gpu/drm/msm/adreno/adreno_gpu.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
index da1363a0c54d..93d70f4a2154 100644
--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
@@ -633,8 +633,7 @@ static int adreno_get_legacy_pwrlevels(struct device *dev)
struct device_node *child, *node;
int ret;

- node = of_find_compatible_node(dev->of_node, NULL,
- "qcom,gpu-pwrlevels");
+ node = of_get_compatible_child(dev->of_node, "qcom,gpu-pwrlevels");
if (!node) {
dev_err(dev, "Could not find the GPU powerlevels\n");
return -ENXIO;
@@ -655,6 +654,8 @@ static int adreno_get_legacy_pwrlevels(struct device *dev)
dev_pm_opp_add(dev, val, 0);
}

+ of_node_put(node);
+
return 0;
}

--
2.18.0


2018-08-27 08:30:34

by Boris Brezillon

[permalink] [raw]
Subject: Re: [PATCH v2 5/9] mtd: nand: atmel: fix OF child-node lookup

Hi Johan

On Mon, 27 Aug 2018 10:21:49 +0200
Johan Hovold <[email protected]> wrote:

> Use the new of_get_compatible_child() helper to lookup the nfc child
> node instead of using of_find_compatible_node(), which searches the
> entire tree from a given start node and thus can return an unrelated
> (i.e. non-child) node.
>
> This also addresses a potential use-after-free (e.g. after probe
> deferral) as the tree-wide helper drops a reference to its first
> argument (i.e. the node of the device being probed).
>
> While at it, also fix a related nfc-node reference leak.
>
> Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
> Cc: stable <[email protected]> # 4.11
> Cc: Nicolas Ferre <[email protected]>
> Cc: Josh Wu <[email protected]>
> Cc: Boris Brezillon <[email protected]>
> Signed-off-by: Johan Hovold <[email protected]>

Acked-by: Boris Brezillon <[email protected]>

I'll let Miquel queue this patch to the nand/next branch, unless you
want it to be merged in 4.19, in which case I'll queue it to the
mtd/fixes branch.

Thanks,

Boris

> ---
> drivers/mtd/nand/raw/atmel/nand-controller.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/mtd/nand/raw/atmel/nand-controller.c b/drivers/mtd/nand/raw/atmel/nand-controller.c
> index a068b214ebaa..d3dfe63956ac 100644
> --- a/drivers/mtd/nand/raw/atmel/nand-controller.c
> +++ b/drivers/mtd/nand/raw/atmel/nand-controller.c
> @@ -2061,8 +2061,7 @@ atmel_hsmc_nand_controller_legacy_init(struct atmel_hsmc_nand_controller *nc)
> int ret;
>
> nand_np = dev->of_node;
> - nfc_np = of_find_compatible_node(dev->of_node, NULL,
> - "atmel,sama5d3-nfc");
> + nfc_np = of_get_compatible_child(dev->of_node, "atmel,sama5d3-nfc");
>
> nc->clk = of_clk_get(nfc_np, 0);
> if (IS_ERR(nc->clk)) {
> @@ -2472,15 +2471,19 @@ static int atmel_nand_controller_probe(struct platform_device *pdev)
> }
>
> if (caps->legacy_of_bindings) {
> + struct device_node *nfc_node;
> u32 ale_offs = 21;
>
> /*
> * If we are parsing legacy DT props and the DT contains a
> * valid NFC node, forward the request to the sama5 logic.
> */
> - if (of_find_compatible_node(pdev->dev.of_node, NULL,
> - "atmel,sama5d3-nfc"))
> + nfc_node = of_get_compatible_child(pdev->dev.of_node,
> + "atmel,sama5d3-nfc");
> + if (nfc_node) {
> caps = &atmel_sama5_nand_caps;
> + of_node_put(nfc_node);
> + }
>
> /*
> * Even if the compatible says we are dealing with an


2018-08-27 08:46:31

by Johan Hovold

[permalink] [raw]
Subject: Re: [PATCH v2 5/9] mtd: nand: atmel: fix OF child-node lookup

On Mon, Aug 27, 2018 at 10:28:20AM +0200, Boris Brezillon wrote:
> Hi Johan
>
> On Mon, 27 Aug 2018 10:21:49 +0200
> Johan Hovold <[email protected]> wrote:
>
> > Use the new of_get_compatible_child() helper to lookup the nfc child
> > node instead of using of_find_compatible_node(), which searches the
> > entire tree from a given start node and thus can return an unrelated
> > (i.e. non-child) node.
> >
> > This also addresses a potential use-after-free (e.g. after probe
> > deferral) as the tree-wide helper drops a reference to its first
> > argument (i.e. the node of the device being probed).
> >
> > While at it, also fix a related nfc-node reference leak.
> >
> > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
> > Cc: stable <[email protected]> # 4.11
> > Cc: Nicolas Ferre <[email protected]>
> > Cc: Josh Wu <[email protected]>
> > Cc: Boris Brezillon <[email protected]>
> > Signed-off-by: Johan Hovold <[email protected]>
>
> Acked-by: Boris Brezillon <[email protected]>

Thanks for the ack.

> I'll let Miquel queue this patch to the nand/next branch, unless you
> want it to be merged in 4.19, in which case I'll queue it to the
> mtd/fixes branch.

Note that there's a dependency on the first patch of the series which
adds the new helper. Rob can pick up the entire series if the various
maintainers agree, otherwise I'll try to get at the least the helper
into -rc2.

I'd prefer getting the use-after-frees fixed in 4.19, but queuing for
4.20 should be fine too.

Thanks,
Johan

2018-08-27 08:50:36

by Boris Brezillon

[permalink] [raw]
Subject: Re: [PATCH v2 5/9] mtd: nand: atmel: fix OF child-node lookup

On Mon, 27 Aug 2018 10:44:14 +0200
Johan Hovold <[email protected]> wrote:

> On Mon, Aug 27, 2018 at 10:28:20AM +0200, Boris Brezillon wrote:
> > Hi Johan
> >
> > On Mon, 27 Aug 2018 10:21:49 +0200
> > Johan Hovold <[email protected]> wrote:
> >
> > > Use the new of_get_compatible_child() helper to lookup the nfc child
> > > node instead of using of_find_compatible_node(), which searches the
> > > entire tree from a given start node and thus can return an unrelated
> > > (i.e. non-child) node.
> > >
> > > This also addresses a potential use-after-free (e.g. after probe
> > > deferral) as the tree-wide helper drops a reference to its first
> > > argument (i.e. the node of the device being probed).
> > >
> > > While at it, also fix a related nfc-node reference leak.
> > >
> > > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
> > > Cc: stable <[email protected]> # 4.11
> > > Cc: Nicolas Ferre <[email protected]>
> > > Cc: Josh Wu <[email protected]>
> > > Cc: Boris Brezillon <[email protected]>
> > > Signed-off-by: Johan Hovold <[email protected]>
> >
> > Acked-by: Boris Brezillon <[email protected]>
>
> Thanks for the ack.
>
> > I'll let Miquel queue this patch to the nand/next branch, unless you
> > want it to be merged in 4.19, in which case I'll queue it to the
> > mtd/fixes branch.
>
> Note that there's a dependency on the first patch of the series which
> adds the new helper.

I was not Cc-ed on this patch :P.

> Rob can pick up the entire series if the various
> maintainers agree, otherwise I'll try to get at the least the helper
> into -rc2.

If everything goes in 4.19-rc2 through Rob's tree that's fine, but if
it's queued for 4.20 we might need an immutable tag just in case we
queue conflicting changes to the NAND tree.

Thanks,

Boris

2018-08-27 09:45:49

by Johan Hovold

[permalink] [raw]
Subject: Re: [PATCH v2 5/9] mtd: nand: atmel: fix OF child-node lookup

On Mon, Aug 27, 2018 at 10:48:42AM +0200, Boris Brezillon wrote:
> On Mon, 27 Aug 2018 10:44:14 +0200
> Johan Hovold <[email protected]> wrote:
>
> > On Mon, Aug 27, 2018 at 10:28:20AM +0200, Boris Brezillon wrote:
> > > Hi Johan
> > >
> > > On Mon, 27 Aug 2018 10:21:49 +0200
> > > Johan Hovold <[email protected]> wrote:
> > >
> > > > Use the new of_get_compatible_child() helper to lookup the nfc child
> > > > node instead of using of_find_compatible_node(), which searches the
> > > > entire tree from a given start node and thus can return an unrelated
> > > > (i.e. non-child) node.
> > > >
> > > > This also addresses a potential use-after-free (e.g. after probe
> > > > deferral) as the tree-wide helper drops a reference to its first
> > > > argument (i.e. the node of the device being probed).
> > > >
> > > > While at it, also fix a related nfc-node reference leak.
> > > >
> > > > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
> > > > Cc: stable <[email protected]> # 4.11
> > > > Cc: Nicolas Ferre <[email protected]>
> > > > Cc: Josh Wu <[email protected]>
> > > > Cc: Boris Brezillon <[email protected]>
> > > > Signed-off-by: Johan Hovold <[email protected]>
> > >
> > > Acked-by: Boris Brezillon <[email protected]>
> >
> > Thanks for the ack.
> >
> > > I'll let Miquel queue this patch to the nand/next branch, unless you
> > > want it to be merged in 4.19, in which case I'll queue it to the
> > > mtd/fixes branch.
> >
> > Note that there's a dependency on the first patch of the series which
> > adds the new helper.
>
> I was not Cc-ed on this patch :P.

Yeah, sorry about that. I made sure everyone was CCed on the
cover letter, but guess I could have reused that list for the helper as
well.

> > Rob can pick up the entire series if the various
> > maintainers agree, otherwise I'll try to get at the least the helper
> > into -rc2.
>
> If everything goes in 4.19-rc2 through Rob's tree that's fine, but if
> it's queued for 4.20 we might need an immutable tag just in case we
> queue conflicting changes to the NAND tree.

Ok, thanks.

Johan

2018-08-27 14:46:08

by Ulf Hansson

[permalink] [raw]
Subject: Re: [PATCH v2 4/9] mmc: meson-mx-sdio: fix OF child-node lookup

On 27 August 2018 at 10:21, Johan Hovold <[email protected]> wrote:
> Use the new of_get_compatible_child() helper to lookup the slot child
> node instead of using of_find_compatible_node(), which searches the
> entire tree from a given start node and thus can return an unrelated
> (i.e. non-child) node.
>
> This also addresses a potential use-after-free (e.g. after probe
> deferral) as the tree-wide helper drops a reference to its first
> argument (i.e. the node of the device being probed).
>
> While at it, also fix up the related slot-node reference leak.
>
> Fixes: ed80a13bb4c4 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoCs")
> Cc: stable <[email protected]> # 4.15
> Cc: Carlo Caione <[email protected]>
> Cc: Martin Blumenstingl <[email protected]>
> Cc: Ulf Hansson <[email protected]>
> Acked-by: Martin Blumenstingl <[email protected]>
> Signed-off-by: Johan Hovold <[email protected]>

Acked-by: Ulf Hansson <[email protected]>

Kind regards
Uffe

> ---
> drivers/mmc/host/meson-mx-sdio.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/mmc/host/meson-mx-sdio.c b/drivers/mmc/host/meson-mx-sdio.c
> index 09cb89645d06..2cfec33178c1 100644
> --- a/drivers/mmc/host/meson-mx-sdio.c
> +++ b/drivers/mmc/host/meson-mx-sdio.c
> @@ -517,19 +517,23 @@ static struct mmc_host_ops meson_mx_mmc_ops = {
> static struct platform_device *meson_mx_mmc_slot_pdev(struct device *parent)
> {
> struct device_node *slot_node;
> + struct platform_device *pdev;
>
> /*
> * TODO: the MMC core framework currently does not support
> * controllers with multiple slots properly. So we only register
> * the first slot for now
> */
> - slot_node = of_find_compatible_node(parent->of_node, NULL, "mmc-slot");
> + slot_node = of_get_compatible_child(parent->of_node, "mmc-slot");
> if (!slot_node) {
> dev_warn(parent, "no 'mmc-slot' sub-node found\n");
> return ERR_PTR(-ENOENT);
> }
>
> - return of_platform_device_create(slot_node, NULL, parent);
> + pdev = of_platform_device_create(slot_node, NULL, parent);
> + of_node_put(slot_node);
> +
> + return pdev;
> }
>
> static int meson_mx_mmc_add_host(struct meson_mx_mmc_host *host)
> --
> 2.18.0
>

2018-08-28 08:08:28

by Corentin Labbe

[permalink] [raw]
Subject: Re: [PATCH v2 7/9] net: stmmac: dwmac-sun8i: fix OF child-node lookup

On Mon, Aug 27, 2018 at 10:21:51AM +0200, Johan Hovold wrote:
> Use the new of_get_compatible_child() helper to lookup the mdio-internal
> child node instead of using of_find_compatible_node(), which searches
> the entire tree from a given start node and thus can return an unrelated
> (i.e. non-child) node.
>
> This also addresses a potential use-after-free (e.g. after probe
> deferral) as the tree-wide helper drops a reference to its first
> argument (i.e. the mdio-mux node). Fortunately, this was inadvertently
> balanced by a failure to drop the mdio-mux reference after lookup.
>
> While at it, also fix the related mdio-internal- and phy-node reference
> leaks.
>
> Fixes: 634db83b8265 ("net: stmmac: dwmac-sun8i: Handle integrated/external MDIOs")
> Cc: Corentin Labbe <[email protected]>
> Cc: Andrew Lunn <[email protected]>
> Cc: Giuseppe Cavallaro <[email protected]>
> Cc: Alexandre Torgue <[email protected]>
> Cc: Jose Abreu <[email protected]>
> Cc: David S. Miller <[email protected]>
> Signed-off-by: Johan Hovold <[email protected]>

You should have CCed sunxi maintainers
Maxime Ripard <[email protected]> (maintainer:ARM/Allwinner sunXi SoC support)
Chen-Yu Tsai <[email protected]> (maintainer:ARM/Allwinner sunXi SoC support)

Since I am just back from holidays, I will test this patch this week.

Regards

2018-08-29 07:56:29

by Johan Hovold

[permalink] [raw]
Subject: Re: [PATCH v2 7/9] net: stmmac: dwmac-sun8i: fix OF child-node lookup

On Tue, Aug 28, 2018 at 10:06:24AM +0200, Corentin Labbe wrote:
> On Mon, Aug 27, 2018 at 10:21:51AM +0200, Johan Hovold wrote:
> > Use the new of_get_compatible_child() helper to lookup the mdio-internal
> > child node instead of using of_find_compatible_node(), which searches
> > the entire tree from a given start node and thus can return an unrelated
> > (i.e. non-child) node.
> >
> > This also addresses a potential use-after-free (e.g. after probe
> > deferral) as the tree-wide helper drops a reference to its first
> > argument (i.e. the mdio-mux node). Fortunately, this was inadvertently
> > balanced by a failure to drop the mdio-mux reference after lookup.
> >
> > While at it, also fix the related mdio-internal- and phy-node reference
> > leaks.
> >
> > Fixes: 634db83b8265 ("net: stmmac: dwmac-sun8i: Handle integrated/external MDIOs")
> > Cc: Corentin Labbe <[email protected]>
> > Cc: Andrew Lunn <[email protected]>
> > Cc: Giuseppe Cavallaro <[email protected]>
> > Cc: Alexandre Torgue <[email protected]>
> > Cc: Jose Abreu <[email protected]>
> > Cc: David S. Miller <[email protected]>
> > Signed-off-by: Johan Hovold <[email protected]>
>
> You should have CCed sunxi maintainers
> Maxime Ripard <[email protected]> (maintainer:ARM/Allwinner sunXi SoC support)
> Chen-Yu Tsai <[email protected]> (maintainer:ARM/Allwinner sunXi SoC support)

Yeah, I cut down the CC list somewhat (I think because they didn't seem
to be actively involved in the stmmac patch handling). Thanks for adding
them back.

> Since I am just back from holidays, I will test this patch this week.

Thanks, that would be great.

Johan

2018-08-30 15:52:38

by Rob Herring

[permalink] [raw]
Subject: Re: [PATCH v2 1/9] of: add helper to lookup compatible child node

On Mon, Aug 27, 2018 at 3:22 AM Johan Hovold <[email protected]> wrote:
>
> Add of_get_compatible_child() helper that can be used to lookup
> compatible child nodes.
>
> Several drivers currently use of_find_compatible_node() to lookup child
> nodes while failing to notice that the of_find_ functions search the
> entire tree depth-first (from a given start node) and therefore can
> match unrelated nodes. The fact that these functions also drop a
> reference to the node they start searching from (e.g. the parent node)
> is typically also overlooked, something which can lead to use-after-free
> bugs.
>
> Signed-off-by: Johan Hovold <[email protected]>
> ---
> drivers/of/base.c | 25 +++++++++++++++++++++++++
> include/linux/of.h | 8 ++++++++
> 2 files changed, 33 insertions(+)

I've applied this one and plan to send to Linus tomorrow.

Rob

2018-08-31 00:49:12

by Florian Fainelli

[permalink] [raw]
Subject: Re: [PATCH v2 6/9] net: bcmgenet: fix OF child-node lookup

On 08/27/2018 01:21 AM, Johan Hovold wrote:
> Use the new of_get_compatible_child() helper to lookup the mdio child
> node instead of using of_find_compatible_node(), which searches the
> entire tree from a given start node and thus can return an unrelated
> (i.e. non-child) node.
>
> This also addresses a potential use-after-free (e.g. after probe
> deferral) as the tree-wide helper drops a reference to its first
> argument (i.e. the node of the device being probed).
>
> Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines")
> Cc: stable <[email protected]> # 3.15
> Cc: Florian Fainelli <[email protected]>
> Cc: David S. Miller <[email protected]>
> Signed-off-by: Johan Hovold <[email protected]>

Reviewed-by: Florian Fainelli <[email protected]>
--
Florian

2018-09-04 12:55:22

by Johan Hovold

[permalink] [raw]
Subject: Re: [PATCH v2 4/9] mmc: meson-mx-sdio: fix OF child-node lookup

On Mon, Aug 27, 2018 at 04:44:44PM +0200, Ulf Hansson wrote:
> On 27 August 2018 at 10:21, Johan Hovold <[email protected]> wrote:
> > Use the new of_get_compatible_child() helper to lookup the slot child
> > node instead of using of_find_compatible_node(), which searches the
> > entire tree from a given start node and thus can return an unrelated
> > (i.e. non-child) node.
> >
> > This also addresses a potential use-after-free (e.g. after probe
> > deferral) as the tree-wide helper drops a reference to its first
> > argument (i.e. the node of the device being probed).
> >
> > While at it, also fix up the related slot-node reference leak.
> >
> > Fixes: ed80a13bb4c4 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoCs")
> > Cc: stable <[email protected]> # 4.15
> > Cc: Carlo Caione <[email protected]>
> > Cc: Martin Blumenstingl <[email protected]>
> > Cc: Ulf Hansson <[email protected]>
> > Acked-by: Martin Blumenstingl <[email protected]>
> > Signed-off-by: Johan Hovold <[email protected]>
>
> Acked-by: Ulf Hansson <[email protected]>

Thanks for the ack. Rob's gotten the helper into -rc2, so feel free to
pick this one up directly to whichever mmc branch you prefer. I've been
able to trigger crashes after probe deferrals due to the use-after-free,
but this seems unlikely to be exploitable.

Thanks,
Johan

2018-09-04 12:58:20

by Johan Hovold

[permalink] [raw]
Subject: Re: [PATCH v2 6/9] net: bcmgenet: fix OF child-node lookup

On Thu, Aug 30, 2018 at 05:47:33PM -0700, Florian Fainelli wrote:
> On 08/27/2018 01:21 AM, Johan Hovold wrote:
> > Use the new of_get_compatible_child() helper to lookup the mdio child
> > node instead of using of_find_compatible_node(), which searches the
> > entire tree from a given start node and thus can return an unrelated
> > (i.e. non-child) node.
> >
> > This also addresses a potential use-after-free (e.g. after probe
> > deferral) as the tree-wide helper drops a reference to its first
> > argument (i.e. the node of the device being probed).
> >
> > Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines")
> > Cc: stable <[email protected]> # 3.15
> > Cc: Florian Fainelli <[email protected]>
> > Cc: David S. Miller <[email protected]>
> > Signed-off-by: Johan Hovold <[email protected]>
>
> Reviewed-by: Florian Fainelli <[email protected]>

Thanks for reviewing.

Rob's gotten the helper into -rc2:

36156f9241cb of: add helper to lookup compatible child node

so feel free to pick this one up directly to whichever net tree you
prefer. I've been able to trigger crashes after probe deferrals due to
the use-after-free, but this seems unlikely to be exploitable.

Thanks,
Johan

2018-09-04 13:08:13

by Johan Hovold

[permalink] [raw]
Subject: Re: [PATCH v2 0/9] of: fix compatible-child-node lookups

Hi all,

On Mon, Aug 27, 2018 at 10:21:44AM +0200, Johan Hovold wrote:
> Several drivers currently use of_find_compatible_node() to lookup child
> nodes while failing to notice that the of_find_ functions search the
> entire tree depth-first (from a given start node) and therefore can
> match unrelated nodes.
>
> The fact that these functions also drop a reference to the node they
> start searching from (e.g. the parent node) is typically also
> overlooked, something which can lead to use-after-free bugs (e.g. after
> probe deferrals).
>
> This series adds a new helper, similar to of_get_child_by_name(),
> that can be used to lookup compatible child nodes, and uses the new
> helper to fix child-node lookups throughout the tree.
>
> This is related to the fixes I posted about a year ago, which addressed
> a similar anti-pattern when looking up child nodes by name. Since it
> took me more than a year to get all those fixes into Linus' tree (one
> fix is still pending), and as these fixes depend on the new helper, I'm
> suggesting that these all go in through Rob's or Greg's trees.
>
> Alternatively, the helper could go into to -rc2, and I'll be pinging
> submaintainers for the coming year as well. ;)

Rob has gotten the helper into -rc2 now:

36156f9241cb of: add helper to lookup compatible child node

so feel free to pick these fixes up directly for 4.19-rc or -next,
whichever you prefer. I've been able to trigger crashes after probe
deferrals due to the use-after-free, but this seems unlikely to be
exploitable.

I think Rob will be picking up any patches that remain by the end of the
release cycle for 4.20.

Thanks,
Johan

> Johan Hovold (9):
> of: add helper to lookup compatible child node
> drm/mediatek: fix OF sibling-node lookup
> drm/msm: fix OF child-node lookup
> mmc: meson-mx-sdio: fix OF child-node lookup
> mtd: nand: atmel: fix OF child-node lookup
> net: bcmgenet: fix OF child-node lookup
> net: stmmac: dwmac-sun8i: fix OF child-node lookup
> NFC: nfcmrvl_uart: fix OF child-node lookup
> power: supply: twl4030-charger: fix OF sibling-node lookup
>
> drivers/gpu/drm/mediatek/mtk_hdmi.c | 5 ++--
> drivers/gpu/drm/msm/adreno/adreno_gpu.c | 5 ++--
> drivers/mmc/host/meson-mx-sdio.c | 8 ++++--
> drivers/mtd/nand/raw/atmel/nand-controller.c | 11 +++++---
> drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 +-
> .../net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 12 +++++++--
> drivers/nfc/nfcmrvl/uart.c | 5 ++--
> drivers/of/base.c | 25 +++++++++++++++++++
> drivers/power/supply/twl4030_charger.c | 5 ++--
> include/linux/of.h | 8 ++++++
> 10 files changed, 68 insertions(+), 18 deletions(-)

2018-09-05 06:32:50

by Ulf Hansson

[permalink] [raw]
Subject: Re: [PATCH v2 4/9] mmc: meson-mx-sdio: fix OF child-node lookup

On 4 September 2018 at 14:54, Johan Hovold <[email protected]> wrote:
> On Mon, Aug 27, 2018 at 04:44:44PM +0200, Ulf Hansson wrote:
>> On 27 August 2018 at 10:21, Johan Hovold <[email protected]> wrote:
>> > Use the new of_get_compatible_child() helper to lookup the slot child
>> > node instead of using of_find_compatible_node(), which searches the
>> > entire tree from a given start node and thus can return an unrelated
>> > (i.e. non-child) node.
>> >
>> > This also addresses a potential use-after-free (e.g. after probe
>> > deferral) as the tree-wide helper drops a reference to its first
>> > argument (i.e. the node of the device being probed).
>> >
>> > While at it, also fix up the related slot-node reference leak.
>> >
>> > Fixes: ed80a13bb4c4 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoCs")
>> > Cc: stable <[email protected]> # 4.15
>> > Cc: Carlo Caione <[email protected]>
>> > Cc: Martin Blumenstingl <[email protected]>
>> > Cc: Ulf Hansson <[email protected]>
>> > Acked-by: Martin Blumenstingl <[email protected]>
>> > Signed-off-by: Johan Hovold <[email protected]>
>>
>> Acked-by: Ulf Hansson <[email protected]>
>
> Thanks for the ack. Rob's gotten the helper into -rc2, so feel free to
> pick this one up directly to whichever mmc branch you prefer. I've been
> able to trigger crashes after probe deferrals due to the use-after-free,
> but this seems unlikely to be exploitable.

Applied for fixes, thanks!

Kind regards
Uffe

2018-09-06 23:00:55

by Corentin Labbe

[permalink] [raw]
Subject: Re: [PATCH v2 7/9] net: stmmac: dwmac-sun8i: fix OF child-node lookup

On Mon, Aug 27, 2018 at 10:21:51AM +0200, Johan Hovold wrote:
> Use the new of_get_compatible_child() helper to lookup the mdio-internal
> child node instead of using of_find_compatible_node(), which searches
> the entire tree from a given start node and thus can return an unrelated
> (i.e. non-child) node.
>
> This also addresses a potential use-after-free (e.g. after probe
> deferral) as the tree-wide helper drops a reference to its first
> argument (i.e. the mdio-mux node). Fortunately, this was inadvertently
> balanced by a failure to drop the mdio-mux reference after lookup.
>
> While at it, also fix the related mdio-internal- and phy-node reference
> leaks.
>
> Fixes: 634db83b8265 ("net: stmmac: dwmac-sun8i: Handle integrated/external MDIOs")
> Cc: Corentin Labbe <[email protected]>
> Cc: Andrew Lunn <[email protected]>
> Cc: Giuseppe Cavallaro <[email protected]>
> Cc: Alexandre Torgue <[email protected]>
> Cc: Jose Abreu <[email protected]>
> Cc: David S. Miller <[email protected]>
> Signed-off-by: Johan Hovold <[email protected]>
> ---
> drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
> index f9a61f90cfbc..0f660af01a4b 100644
> --- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
> +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
> @@ -714,8 +714,9 @@ static int get_ephy_nodes(struct stmmac_priv *priv)
> return -ENODEV;
> }
>
> - mdio_internal = of_find_compatible_node(mdio_mux, NULL,
> + mdio_internal = of_get_compatible_child(mdio_mux,
> "allwinner,sun8i-h3-mdio-internal");
> + of_node_put(mdio_mux);
> if (!mdio_internal) {
> dev_err(priv->device, "Cannot get internal_mdio node\n");
> return -ENODEV;
> @@ -729,13 +730,20 @@ static int get_ephy_nodes(struct stmmac_priv *priv)
> gmac->rst_ephy = of_reset_control_get_exclusive(iphynode, NULL);
> if (IS_ERR(gmac->rst_ephy)) {
> ret = PTR_ERR(gmac->rst_ephy);
> - if (ret == -EPROBE_DEFER)
> + if (ret == -EPROBE_DEFER) {
> + of_node_put(iphynode);
> + of_node_put(mdio_internal);
> return ret;
> + }
> continue;
> }
> dev_info(priv->device, "Found internal PHY node\n");
> + of_node_put(iphynode);
> + of_node_put(mdio_internal);
> return 0;
> }
> +
> + of_node_put(mdio_internal);
> return -ENODEV;
> }
>
> --
> 2.18.0
>

Sorry for the delay
Tested-by: Corentin Labbe <[email protected]>

2018-09-07 11:20:08

by Johan Hovold

[permalink] [raw]
Subject: Re: [PATCH v2 7/9] net: stmmac: dwmac-sun8i: fix OF child-node lookup

On Thu, Sep 06, 2018 at 10:03:37PM +0200, Corentin Labbe wrote:
> On Mon, Aug 27, 2018 at 10:21:51AM +0200, Johan Hovold wrote:
> > Use the new of_get_compatible_child() helper to lookup the mdio-internal
> > child node instead of using of_find_compatible_node(), which searches
> > the entire tree from a given start node and thus can return an unrelated
> > (i.e. non-child) node.
> >
> > This also addresses a potential use-after-free (e.g. after probe
> > deferral) as the tree-wide helper drops a reference to its first
> > argument (i.e. the mdio-mux node). Fortunately, this was inadvertently
> > balanced by a failure to drop the mdio-mux reference after lookup.
> >
> > While at it, also fix the related mdio-internal- and phy-node reference
> > leaks.
> >
> > Fixes: 634db83b8265 ("net: stmmac: dwmac-sun8i: Handle integrated/external MDIOs")
> > Cc: Corentin Labbe <[email protected]>
> > Cc: Andrew Lunn <[email protected]>
> > Cc: Giuseppe Cavallaro <[email protected]>
> > Cc: Alexandre Torgue <[email protected]>
> > Cc: Jose Abreu <[email protected]>
> > Cc: David S. Miller <[email protected]>
> > Signed-off-by: Johan Hovold <[email protected]>

> Tested-by: Corentin Labbe <[email protected]>

Thanks for testing.

Johan

2018-10-23 09:22:46

by Johan Hovold

[permalink] [raw]
Subject: Re: [PATCH v2 0/9] of: fix compatible-child-node lookups

Hi Rob,

On Tue, Sep 04, 2018 at 03:05:57PM +0200, Johan Hovold wrote:
> Hi all,
>
> On Mon, Aug 27, 2018 at 10:21:44AM +0200, Johan Hovold wrote:
> > Several drivers currently use of_find_compatible_node() to lookup child
> > nodes while failing to notice that the of_find_ functions search the
> > entire tree depth-first (from a given start node) and therefore can
> > match unrelated nodes.
> >
> > The fact that these functions also drop a reference to the node they
> > start searching from (e.g. the parent node) is typically also
> > overlooked, something which can lead to use-after-free bugs (e.g. after
> > probe deferrals).
> >
> > This series adds a new helper, similar to of_get_child_by_name(),
> > that can be used to lookup compatible child nodes, and uses the new
> > helper to fix child-node lookups throughout the tree.
> >
> > This is related to the fixes I posted about a year ago, which addressed
> > a similar anti-pattern when looking up child nodes by name. Since it
> > took me more than a year to get all those fixes into Linus' tree (one
> > fix is still pending), and as these fixes depend on the new helper, I'm
> > suggesting that these all go in through Rob's or Greg's trees.
> >
> > Alternatively, the helper could go into to -rc2, and I'll be pinging
> > submaintainers for the coming year as well. ;)
>
> Rob has gotten the helper into -rc2 now:
>
> 36156f9241cb of: add helper to lookup compatible child node
>
> so feel free to pick these fixes up directly for 4.19-rc or -next,
> whichever you prefer. I've been able to trigger crashes after probe
> deferrals due to the use-after-free, but this seems unlikely to be
> exploitable.
>
> I think Rob will be picking up any patches that remain by the end of the
> release cycle for 4.20.

So far only Ulf has picked up the mmc patch below directly, so if you
could take the rest through your tree for -rc1 that would be great.

Thanks,
Johan

> > Johan Hovold (9):
> > of: add helper to lookup compatible child node
> > drm/mediatek: fix OF sibling-node lookup
> > drm/msm: fix OF child-node lookup
> > mmc: meson-mx-sdio: fix OF child-node lookup
> > mtd: nand: atmel: fix OF child-node lookup
> > net: bcmgenet: fix OF child-node lookup
> > net: stmmac: dwmac-sun8i: fix OF child-node lookup
> > NFC: nfcmrvl_uart: fix OF child-node lookup
> > power: supply: twl4030-charger: fix OF sibling-node lookup
> >
> > drivers/gpu/drm/mediatek/mtk_hdmi.c | 5 ++--
> > drivers/gpu/drm/msm/adreno/adreno_gpu.c | 5 ++--
> > drivers/mmc/host/meson-mx-sdio.c | 8 ++++--
> > drivers/mtd/nand/raw/atmel/nand-controller.c | 11 +++++---
> > drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 +-
> > .../net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 12 +++++++--
> > drivers/nfc/nfcmrvl/uart.c | 5 ++--
> > drivers/of/base.c | 25 +++++++++++++++++++
> > drivers/power/supply/twl4030_charger.c | 5 ++--
> > include/linux/of.h | 8 ++++++
> > 10 files changed, 68 insertions(+), 18 deletions(-)

2018-10-23 18:33:58

by Rob Herring

[permalink] [raw]
Subject: Re: [PATCH v2 0/9] of: fix compatible-child-node lookups

On Tue, Oct 23, 2018 at 4:21 AM Johan Hovold <[email protected]> wrote:
>
> Hi Rob,
>
> On Tue, Sep 04, 2018 at 03:05:57PM +0200, Johan Hovold wrote:
> > Hi all,
> >
> > On Mon, Aug 27, 2018 at 10:21:44AM +0200, Johan Hovold wrote:
> > > Several drivers currently use of_find_compatible_node() to lookup child
> > > nodes while failing to notice that the of_find_ functions search the
> > > entire tree depth-first (from a given start node) and therefore can
> > > match unrelated nodes.
> > >
> > > The fact that these functions also drop a reference to the node they
> > > start searching from (e.g. the parent node) is typically also
> > > overlooked, something which can lead to use-after-free bugs (e.g. after
> > > probe deferrals).
> > >
> > > This series adds a new helper, similar to of_get_child_by_name(),
> > > that can be used to lookup compatible child nodes, and uses the new
> > > helper to fix child-node lookups throughout the tree.
> > >
> > > This is related to the fixes I posted about a year ago, which addressed
> > > a similar anti-pattern when looking up child nodes by name. Since it
> > > took me more than a year to get all those fixes into Linus' tree (one
> > > fix is still pending), and as these fixes depend on the new helper, I'm
> > > suggesting that these all go in through Rob's or Greg's trees.
> > >
> > > Alternatively, the helper could go into to -rc2, and I'll be pinging
> > > submaintainers for the coming year as well. ;)
> >
> > Rob has gotten the helper into -rc2 now:
> >
> > 36156f9241cb of: add helper to lookup compatible child node
> >
> > so feel free to pick these fixes up directly for 4.19-rc or -next,
> > whichever you prefer. I've been able to trigger crashes after probe
> > deferrals due to the use-after-free, but this seems unlikely to be
> > exploitable.
> >
> > I think Rob will be picking up any patches that remain by the end of the
> > release cycle for 4.20.
>
> So far only Ulf has picked up the mmc patch below directly, so if you
> could take the rest through your tree for -rc1 that would be great.

Thanks for the reminder, though before the merge window opened would
have been better. I've applied all but the mtd patch.

Rob

2018-10-23 18:41:22

by Rob Herring

[permalink] [raw]
Subject: Re: [PATCH v2 5/9] mtd: nand: atmel: fix OF child-node lookup

On Mon, Aug 27, 2018 at 4:44 AM Johan Hovold <[email protected]> wrote:
>
> On Mon, Aug 27, 2018 at 10:48:42AM +0200, Boris Brezillon wrote:
> > On Mon, 27 Aug 2018 10:44:14 +0200
> > Johan Hovold <[email protected]> wrote:
> >
> > > On Mon, Aug 27, 2018 at 10:28:20AM +0200, Boris Brezillon wrote:
> > > > Hi Johan
> > > >
> > > > On Mon, 27 Aug 2018 10:21:49 +0200
> > > > Johan Hovold <[email protected]> wrote:
> > > >
> > > > > Use the new of_get_compatible_child() helper to lookup the nfc child
> > > > > node instead of using of_find_compatible_node(), which searches the
> > > > > entire tree from a given start node and thus can return an unrelated
> > > > > (i.e. non-child) node.
> > > > >
> > > > > This also addresses a potential use-after-free (e.g. after probe
> > > > > deferral) as the tree-wide helper drops a reference to its first
> > > > > argument (i.e. the node of the device being probed).
> > > > >
> > > > > While at it, also fix a related nfc-node reference leak.
> > > > >
> > > > > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
> > > > > Cc: stable <[email protected]> # 4.11
> > > > > Cc: Nicolas Ferre <[email protected]>
> > > > > Cc: Josh Wu <[email protected]>
> > > > > Cc: Boris Brezillon <[email protected]>
> > > > > Signed-off-by: Johan Hovold <[email protected]>
> > > >
> > > > Acked-by: Boris Brezillon <[email protected]>
> > >
> > > Thanks for the ack.
> > >
> > > > I'll let Miquel queue this patch to the nand/next branch, unless you
> > > > want it to be merged in 4.19, in which case I'll queue it to the
> > > > mtd/fixes branch.
> > >
> > > Note that there's a dependency on the first patch of the series which
> > > adds the new helper.
> >
> > I was not Cc-ed on this patch :P.
>
> Yeah, sorry about that. I made sure everyone was CCed on the
> cover letter, but guess I could have reused that list for the helper as
> well.
>
> > > Rob can pick up the entire series if the various
> > > maintainers agree, otherwise I'll try to get at the least the helper
> > > into -rc2.
> >
> > If everything goes in 4.19-rc2 through Rob's tree that's fine, but if
> > it's queued for 4.20 we might need an immutable tag just in case we
> > queue conflicting changes to the NAND tree.
>
> Ok, thanks.

Hi Boris, can you pick this one up. It conflicts with "mtd: rawnand:
atmel: Fix potential NULL pointer dereference"

Rob

2018-10-23 19:04:53

by Boris Brezillon

[permalink] [raw]
Subject: Re: [PATCH v2 5/9] mtd: nand: atmel: fix OF child-node lookup

On Tue, 23 Oct 2018 13:28:09 -0500
Rob Herring <[email protected]> wrote:

> On Mon, Aug 27, 2018 at 4:44 AM Johan Hovold <[email protected]> wrote:
> >
> > On Mon, Aug 27, 2018 at 10:48:42AM +0200, Boris Brezillon wrote:
> > > On Mon, 27 Aug 2018 10:44:14 +0200
> > > Johan Hovold <[email protected]> wrote:
> > >
> > > > On Mon, Aug 27, 2018 at 10:28:20AM +0200, Boris Brezillon wrote:
> > > > > Hi Johan
> > > > >
> > > > > On Mon, 27 Aug 2018 10:21:49 +0200
> > > > > Johan Hovold <[email protected]> wrote:
> > > > >
> > > > > > Use the new of_get_compatible_child() helper to lookup the nfc child
> > > > > > node instead of using of_find_compatible_node(), which searches the
> > > > > > entire tree from a given start node and thus can return an unrelated
> > > > > > (i.e. non-child) node.
> > > > > >
> > > > > > This also addresses a potential use-after-free (e.g. after probe
> > > > > > deferral) as the tree-wide helper drops a reference to its first
> > > > > > argument (i.e. the node of the device being probed).
> > > > > >
> > > > > > While at it, also fix a related nfc-node reference leak.
> > > > > >
> > > > > > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
> > > > > > Cc: stable <[email protected]> # 4.11
> > > > > > Cc: Nicolas Ferre <[email protected]>
> > > > > > Cc: Josh Wu <[email protected]>
> > > > > > Cc: Boris Brezillon <[email protected]>
> > > > > > Signed-off-by: Johan Hovold <[email protected]>
> > > > >
> > > > > Acked-by: Boris Brezillon <[email protected]>
> > > >
> > > > Thanks for the ack.
> > > >
> > > > > I'll let Miquel queue this patch to the nand/next branch, unless you
> > > > > want it to be merged in 4.19, in which case I'll queue it to the
> > > > > mtd/fixes branch.
> > > >
> > > > Note that there's a dependency on the first patch of the series which
> > > > adds the new helper.
> > >
> > > I was not Cc-ed on this patch :P.
> >
> > Yeah, sorry about that. I made sure everyone was CCed on the
> > cover letter, but guess I could have reused that list for the helper as
> > well.
> >
> > > > Rob can pick up the entire series if the various
> > > > maintainers agree, otherwise I'll try to get at the least the helper
> > > > into -rc2.
> > >
> > > If everything goes in 4.19-rc2 through Rob's tree that's fine, but if
> > > it's queued for 4.20 we might need an immutable tag just in case we
> > > queue conflicting changes to the NAND tree.
> >
> > Ok, thanks.
>
> Hi Boris, can you pick this one up. It conflicts with "mtd: rawnand:
> atmel: Fix potential NULL pointer dereference"

Sure, I'll queue it for -rc2.

2018-10-24 07:34:59

by Johan Hovold

[permalink] [raw]
Subject: Re: [PATCH v2 0/9] of: fix compatible-child-node lookups

On Tue, Oct 23, 2018 at 01:32:56PM -0500, Rob Herring wrote:
> On Tue, Oct 23, 2018 at 4:21 AM Johan Hovold <[email protected]> wrote:
> >
> > Hi Rob,
> >
> > On Tue, Sep 04, 2018 at 03:05:57PM +0200, Johan Hovold wrote:

> > > I think Rob will be picking up any patches that remain by the end of the
> > > release cycle for 4.20.
> >
> > So far only Ulf has picked up the mmc patch below directly, so if you
> > could take the rest through your tree for -rc1 that would be great.
>
> Thanks for the reminder, though before the merge window opened would
> have been better. I've applied all but the mtd patch.

Yeah, sorry about that, this slipped my mind. Thanks for picking them
up.

Johan

2018-11-15 14:30:15

by Johan Hovold

[permalink] [raw]
Subject: Re: [PATCH v2 5/9] mtd: nand: atmel: fix OF child-node lookup

On Tue, Oct 23, 2018 at 08:51:17PM +0200, Boris Brezillon wrote:
> On Tue, 23 Oct 2018 13:28:09 -0500
> Rob Herring <[email protected]> wrote:
>
> > On Mon, Aug 27, 2018 at 4:44 AM Johan Hovold <[email protected]> wrote:
> > >
> > > On Mon, Aug 27, 2018 at 10:48:42AM +0200, Boris Brezillon wrote:
> > > > On Mon, 27 Aug 2018 10:44:14 +0200
> > > > Johan Hovold <[email protected]> wrote:
> > > >
> > > > > On Mon, Aug 27, 2018 at 10:28:20AM +0200, Boris Brezillon wrote:
> > > > > > Hi Johan
> > > > > >
> > > > > > On Mon, 27 Aug 2018 10:21:49 +0200
> > > > > > Johan Hovold <[email protected]> wrote:
> > > > > >
> > > > > > > Use the new of_get_compatible_child() helper to lookup the nfc child
> > > > > > > node instead of using of_find_compatible_node(), which searches the
> > > > > > > entire tree from a given start node and thus can return an unrelated
> > > > > > > (i.e. non-child) node.
> > > > > > >
> > > > > > > This also addresses a potential use-after-free (e.g. after probe
> > > > > > > deferral) as the tree-wide helper drops a reference to its first
> > > > > > > argument (i.e. the node of the device being probed).
> > > > > > >
> > > > > > > While at it, also fix a related nfc-node reference leak.
> > > > > > >
> > > > > > > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
> > > > > > > Cc: stable <[email protected]> # 4.11
> > > > > > > Cc: Nicolas Ferre <[email protected]>
> > > > > > > Cc: Josh Wu <[email protected]>
> > > > > > > Cc: Boris Brezillon <[email protected]>
> > > > > > > Signed-off-by: Johan Hovold <[email protected]>
> > > > > >
> > > > > > Acked-by: Boris Brezillon <[email protected]>
> > > > >
> > > > > Thanks for the ack.
> > > > >
> > > > > > I'll let Miquel queue this patch to the nand/next branch, unless you
> > > > > > want it to be merged in 4.19, in which case I'll queue it to the
> > > > > > mtd/fixes branch.
> > > > >
> > > > > Note that there's a dependency on the first patch of the series which
> > > > > adds the new helper.
> > > >
> > > > I was not Cc-ed on this patch :P.
> > >
> > > Yeah, sorry about that. I made sure everyone was CCed on the
> > > cover letter, but guess I could have reused that list for the helper as
> > > well.
> > >
> > > > > Rob can pick up the entire series if the various
> > > > > maintainers agree, otherwise I'll try to get at the least the helper
> > > > > into -rc2.
> > > >
> > > > If everything goes in 4.19-rc2 through Rob's tree that's fine, but if
> > > > it's queued for 4.20 we might need an immutable tag just in case we
> > > > queue conflicting changes to the NAND tree.
> > >
> > > Ok, thanks.
> >
> > Hi Boris, can you pick this one up. It conflicts with "mtd: rawnand:
> > atmel: Fix potential NULL pointer dereference"
>
> Sure, I'll queue it for -rc2.

This one hasn't showed up in -next yet, so sending a reminder.

Johan

2018-11-18 10:47:42

by Boris Brezillon

[permalink] [raw]
Subject: Re: [PATCH v2 5/9] mtd: nand: atmel: fix OF child-node lookup

On Thu, 15 Nov 2018 15:26:48 +0100
Johan Hovold <[email protected]> wrote:

> On Tue, Oct 23, 2018 at 08:51:17PM +0200, Boris Brezillon wrote:
> > On Tue, 23 Oct 2018 13:28:09 -0500
> > Rob Herring <[email protected]> wrote:
> >
> > > On Mon, Aug 27, 2018 at 4:44 AM Johan Hovold <[email protected]> wrote:
> > > >
> > > > On Mon, Aug 27, 2018 at 10:48:42AM +0200, Boris Brezillon wrote:
> > > > > On Mon, 27 Aug 2018 10:44:14 +0200
> > > > > Johan Hovold <[email protected]> wrote:
> > > > >
> > > > > > On Mon, Aug 27, 2018 at 10:28:20AM +0200, Boris Brezillon wrote:
> > > > > > > Hi Johan
> > > > > > >
> > > > > > > On Mon, 27 Aug 2018 10:21:49 +0200
> > > > > > > Johan Hovold <[email protected]> wrote:
> > > > > > >
> > > > > > > > Use the new of_get_compatible_child() helper to lookup the nfc child
> > > > > > > > node instead of using of_find_compatible_node(), which searches the
> > > > > > > > entire tree from a given start node and thus can return an unrelated
> > > > > > > > (i.e. non-child) node.
> > > > > > > >
> > > > > > > > This also addresses a potential use-after-free (e.g. after probe
> > > > > > > > deferral) as the tree-wide helper drops a reference to its first
> > > > > > > > argument (i.e. the node of the device being probed).
> > > > > > > >
> > > > > > > > While at it, also fix a related nfc-node reference leak.
> > > > > > > >
> > > > > > > > Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
> > > > > > > > Cc: stable <[email protected]> # 4.11
> > > > > > > > Cc: Nicolas Ferre <[email protected]>
> > > > > > > > Cc: Josh Wu <[email protected]>
> > > > > > > > Cc: Boris Brezillon <[email protected]>
> > > > > > > > Signed-off-by: Johan Hovold <[email protected]>
> > > > > > >
> > > > > > > Acked-by: Boris Brezillon <[email protected]>
> > > > > >
> > > > > > Thanks for the ack.
> > > > > >
> > > > > > > I'll let Miquel queue this patch to the nand/next branch, unless you
> > > > > > > want it to be merged in 4.19, in which case I'll queue it to the
> > > > > > > mtd/fixes branch.
> > > > > >
> > > > > > Note that there's a dependency on the first patch of the series which
> > > > > > adds the new helper.
> > > > >
> > > > > I was not Cc-ed on this patch :P.
> > > >
> > > > Yeah, sorry about that. I made sure everyone was CCed on the
> > > > cover letter, but guess I could have reused that list for the helper as
> > > > well.
> > > >
> > > > > > Rob can pick up the entire series if the various
> > > > > > maintainers agree, otherwise I'll try to get at the least the helper
> > > > > > into -rc2.
> > > > >
> > > > > If everything goes in 4.19-rc2 through Rob's tree that's fine, but if
> > > > > it's queued for 4.20 we might need an immutable tag just in case we
> > > > > queue conflicting changes to the NAND tree.
> > > >
> > > > Ok, thanks.
> > >
> > > Hi Boris, can you pick this one up. It conflicts with "mtd: rawnand:
> > > atmel: Fix potential NULL pointer dereference"
> >
> > Sure, I'll queue it for -rc2.
>
> This one hasn't showed up in -next yet, so sending a reminder.

Applied (thanks for the reminder, I had forgotten :-)). It should show
up in -rc4.

Thanks,

Boris