V1->V2:
Fixed the check on the return value of platform_get_irq().
And propagate errors up to sata_fsl_probe()'s callers.
V2->V3:
Add fixed and CC stable and modified the patch description.
V3->V4:
Use a single structure.
V4->V5:
Delete duplicate dev_err() message.
Baokun Li (2):
sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
drivers/ata/sata_fsl.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
--
2.31.1
When the `rmmod sata_fsl.ko` command is executed in the PPC64 GNU/Linux,
a bug is reported:
==================================================================
BUG: Unable to handle kernel data access on read at 0x80000800805b502c
Oops: Kernel access of bad area, sig: 11 [#1]
NIP [c0000000000388a4] .ioread32+0x4/0x20
LR [80000000000c6034] .sata_fsl_port_stop+0x44/0xe0 [sata_fsl]
Call Trace:
.free_irq+0x1c/0x4e0 (unreliable)
.ata_host_stop+0x74/0xd0 [libata]
.release_nodes+0x330/0x3f0
.device_release_driver_internal+0x178/0x2c0
.driver_detach+0x64/0xd0
.bus_remove_driver+0x70/0xf0
.driver_unregister+0x38/0x80
.platform_driver_unregister+0x14/0x30
.fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
.__se_sys_delete_module+0x1ec/0x2d0
.system_call_exception+0xfc/0x1f0
system_call_common+0xf8/0x200
==================================================================
The triggering of the BUG is shown in the following stack:
driver_detach
device_release_driver_internal
__device_release_driver
drv->remove(dev) --> platform_drv_remove/platform_remove
drv->remove(dev) --> sata_fsl_remove
iounmap(host_priv->hcr_base); <---- unmap
kfree(host_priv); <---- free
devres_release_all
release_nodes
dr->node.release(dev, dr->data) --> ata_host_stop
ap->ops->port_stop(ap) --> sata_fsl_port_stop
ioread32(hcr_base + HCONTROL) <---- UAF
host->ops->host_stop(host)
The iounmap(host_priv->hcr_base) and kfree(host_priv) functions should
not be executed in drv->remove. These functions should be executed in
host_stop after port_stop. Therefore, we move these functions to the
new function sata_fsl_host_stop and bind the new function to host_stop.
Fixes: faf0b2e5afe7 ("drivers/ata: add support to Freescale 3.0Gbps SATA Controller")
Cc: [email protected]
Reported-by: Hulk Robot <[email protected]>
Signed-off-by: Baokun Li <[email protected]>
---
V2->V3:
Add fixed and CC stable and modified the patch description.
V3->V4:
Use a single structure.
drivers/ata/sata_fsl.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c
index e5838b23c9e0..2eb216792695 100644
--- a/drivers/ata/sata_fsl.c
+++ b/drivers/ata/sata_fsl.c
@@ -1394,6 +1394,14 @@ static int sata_fsl_init_controller(struct ata_host *host)
return 0;
}
+static void sata_fsl_host_stop(struct ata_host *host)
+{
+ struct sata_fsl_host_priv *host_priv = host->private_data;
+
+ iounmap(host_priv->hcr_base);
+ kfree(host_priv);
+}
+
/*
* scsi mid-layer and libata interface structures
*/
@@ -1426,6 +1434,8 @@ static struct ata_port_operations sata_fsl_ops = {
.port_start = sata_fsl_port_start,
.port_stop = sata_fsl_port_stop,
+ .host_stop = sata_fsl_host_stop,
+
.pmp_attach = sata_fsl_pmp_attach,
.pmp_detach = sata_fsl_pmp_detach,
};
@@ -1558,8 +1568,6 @@ static int sata_fsl_remove(struct platform_device *ofdev)
ata_host_detach(host);
irq_dispose_mapping(host_priv->irq);
- iounmap(host_priv->hcr_base);
- kfree(host_priv);
return 0;
}
--
2.31.1
Trying to remove the fsl-sata module in the PPC64 GNU/Linux
leads to the following warning:
------------[ cut here ]------------
remove_proc_entry: removing non-empty directory 'irq/69',
leaking at least 'fsl-sata[ff0221000.sata]'
WARNING: CPU: 3 PID: 1048 at fs/proc/generic.c:722
.remove_proc_entry+0x20c/0x220
IRQMASK: 0
NIP [c00000000033826c] .remove_proc_entry+0x20c/0x220
LR [c000000000338268] .remove_proc_entry+0x208/0x220
Call Trace:
.remove_proc_entry+0x208/0x220 (unreliable)
.unregister_irq_proc+0x104/0x140
.free_desc+0x44/0xb0
.irq_free_descs+0x9c/0xf0
.irq_dispose_mapping+0x64/0xa0
.sata_fsl_remove+0x58/0xa0 [sata_fsl]
.platform_drv_remove+0x40/0x90
.device_release_driver_internal+0x160/0x2c0
.driver_detach+0x64/0xd0
.bus_remove_driver+0x70/0xf0
.driver_unregister+0x38/0x80
.platform_driver_unregister+0x14/0x30
.fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
---[ end trace 0ea876d4076908f5 ]---
The driver creates the mapping by calling irq_of_parse_and_map(),
so it also has to dispose the mapping. But the easy way out is to
simply use platform_get_irq() instead of irq_of_parse_map(). Also
we should adapt return value checking and propagate error values.
In this case the mapping is not managed by the device but by
the of core, so the device has not to dispose the mapping.
Fixes: faf0b2e5afe7 ("drivers/ata: add support to Freescale 3.0Gbps SATA Controller")
Cc: [email protected]
Reported-by: Hulk Robot <[email protected]>
Signed-off-by: Baokun Li <[email protected]>
---
V1->V2:
Adapt return value checking and propagate error values.
V2->V3:
Add fixed and CC stable.
V4->V5:
Delete duplicate dev_err() message.
drivers/ata/sata_fsl.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c
index 2eb216792695..3b31a4f596d8 100644
--- a/drivers/ata/sata_fsl.c
+++ b/drivers/ata/sata_fsl.c
@@ -1490,9 +1490,9 @@ static int sata_fsl_probe(struct platform_device *ofdev)
host_priv->ssr_base = ssr_base;
host_priv->csr_base = csr_base;
- irq = irq_of_parse_and_map(ofdev->dev.of_node, 0);
- if (!irq) {
- dev_err(&ofdev->dev, "invalid irq from platform\n");
+ irq = platform_get_irq(ofdev, 0);
+ if (irq < 0) {
+ retval = irq;
goto error_exit_with_cleanup;
}
host_priv->irq = irq;
@@ -1567,8 +1567,6 @@ static int sata_fsl_remove(struct platform_device *ofdev)
ata_host_detach(host);
- irq_dispose_mapping(host_priv->irq);
-
return 0;
}
--
2.31.1
On 2021/11/26 11:03, Baokun Li wrote:
> V1->V2:
> Fixed the check on the return value of platform_get_irq().
> And propagate errors up to sata_fsl_probe()'s callers.
> V2->V3:
> Add fixed and CC stable and modified the patch description.
> V3->V4:
> Use a single structure.
> V4->V5:
> Delete duplicate dev_err() message.
>
> Baokun Li (2):
> sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
> sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
>
> drivers/ata/sata_fsl.c | 20 +++++++++++++-------
> 1 file changed, 13 insertions(+), 7 deletions(-)
>
The series looks good to me now.
Sergei ? Are you OK with it ?
--
Damien Le Moal
Western Digital Research
Hello!
On 11/26/21 4:56 AM, Damien Le Moal wrote:
>> V1->V2:
>> Fixed the check on the return value of platform_get_irq().
>> And propagate errors up to sata_fsl_probe()'s callers.
>> V2->V3:
>> Add fixed and CC stable and modified the patch description.
>> V3->V4:
>> Use a single structure.
>> V4->V5:
>> Delete duplicate dev_err() message.
>>
>> Baokun Li (2):
>> sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
>> sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
>>
>> drivers/ata/sata_fsl.c | 20 +++++++++++++-------
>> 1 file changed, 13 insertions(+), 7 deletions(-)
>>
>
> The series looks good to me now.
>
> Sergei ? Are you OK with it ?
Yeah, I'll just give the patches by Reviewed-by's.
MBR, Sergei
On 11/26/21 5:03 AM, Baokun Li wrote:
> When the `rmmod sata_fsl.ko` command is executed in the PPC64 GNU/Linux,
> a bug is reported:
> ==================================================================
> BUG: Unable to handle kernel data access on read at 0x80000800805b502c
> Oops: Kernel access of bad area, sig: 11 [#1]
> NIP [c0000000000388a4] .ioread32+0x4/0x20
> LR [80000000000c6034] .sata_fsl_port_stop+0x44/0xe0 [sata_fsl]
> Call Trace:
> .free_irq+0x1c/0x4e0 (unreliable)
> .ata_host_stop+0x74/0xd0 [libata]
> .release_nodes+0x330/0x3f0
> .device_release_driver_internal+0x178/0x2c0
> .driver_detach+0x64/0xd0
> .bus_remove_driver+0x70/0xf0
> .driver_unregister+0x38/0x80
> .platform_driver_unregister+0x14/0x30
> .fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
> .__se_sys_delete_module+0x1ec/0x2d0
> .system_call_exception+0xfc/0x1f0
> system_call_common+0xf8/0x200
> ==================================================================
>
> The triggering of the BUG is shown in the following stack:
>
> driver_detach
> device_release_driver_internal
> __device_release_driver
> drv->remove(dev) --> platform_drv_remove/platform_remove
> drv->remove(dev) --> sata_fsl_remove
> iounmap(host_priv->hcr_base); <---- unmap
> kfree(host_priv); <---- free
> devres_release_all
> release_nodes
> dr->node.release(dev, dr->data) --> ata_host_stop
> ap->ops->port_stop(ap) --> sata_fsl_port_stop
> ioread32(hcr_base + HCONTROL) <---- UAF
> host->ops->host_stop(host)
>
> The iounmap(host_priv->hcr_base) and kfree(host_priv) functions should
> not be executed in drv->remove. These functions should be executed in
> host_stop after port_stop. Therefore, we move these functions to the
> new function sata_fsl_host_stop and bind the new function to host_stop.
>
> Fixes: faf0b2e5afe7 ("drivers/ata: add support to Freescale 3.0Gbps SATA Controller")
> Cc: [email protected]
> Reported-by: Hulk Robot <[email protected]>
> Signed-off-by: Baokun Li <[email protected]>
Reviewed-by: Sergei Shtylyov <[email protected]>
MBR, Sergei
On 11/26/21 5:03 AM, Baokun Li wrote:
> Trying to remove the fsl-sata module in the PPC64 GNU/Linux
> leads to the following warning:
> ------------[ cut here ]------------
> remove_proc_entry: removing non-empty directory 'irq/69',
> leaking at least 'fsl-sata[ff0221000.sata]'
> WARNING: CPU: 3 PID: 1048 at fs/proc/generic.c:722
> .remove_proc_entry+0x20c/0x220
> IRQMASK: 0
> NIP [c00000000033826c] .remove_proc_entry+0x20c/0x220
> LR [c000000000338268] .remove_proc_entry+0x208/0x220
> Call Trace:
> .remove_proc_entry+0x208/0x220 (unreliable)
> .unregister_irq_proc+0x104/0x140
> .free_desc+0x44/0xb0
> .irq_free_descs+0x9c/0xf0
> .irq_dispose_mapping+0x64/0xa0
> .sata_fsl_remove+0x58/0xa0 [sata_fsl]
> .platform_drv_remove+0x40/0x90
> .device_release_driver_internal+0x160/0x2c0
> .driver_detach+0x64/0xd0
> .bus_remove_driver+0x70/0xf0
> .driver_unregister+0x38/0x80
> .platform_driver_unregister+0x14/0x30
> .fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
> ---[ end trace 0ea876d4076908f5 ]---
>
> The driver creates the mapping by calling irq_of_parse_and_map(),
> so it also has to dispose the mapping. But the easy way out is to
> simply use platform_get_irq() instead of irq_of_parse_map(). Also
> we should adapt return value checking and propagate error values.
>
> In this case the mapping is not managed by the device but by
> the of core, so the device has not to dispose the mapping.
>
> Fixes: faf0b2e5afe7 ("drivers/ata: add support to Freescale 3.0Gbps SATA Controller")
> Cc: [email protected]
> Reported-by: Hulk Robot <[email protected]>
> Signed-off-by: Baokun Li <[email protected]>
Reviewed-by: Sergei Shtylyov <[email protected]>
MBR, Sergei
在 2021/11/27 3:43, Sergei Shtylyov 写道:
> On 11/26/21 5:03 AM, Baokun Li wrote:
>
>> When the `rmmod sata_fsl.ko` command is executed in the PPC64 GNU/Linux,
>> a bug is reported:
>> ==================================================================
>> BUG: Unable to handle kernel data access on read at 0x80000800805b502c
>> Oops: Kernel access of bad area, sig: 11 [#1]
>> NIP [c0000000000388a4] .ioread32+0x4/0x20
>> LR [80000000000c6034] .sata_fsl_port_stop+0x44/0xe0 [sata_fsl]
>> Call Trace:
>> .free_irq+0x1c/0x4e0 (unreliable)
>> .ata_host_stop+0x74/0xd0 [libata]
>> .release_nodes+0x330/0x3f0
>> .device_release_driver_internal+0x178/0x2c0
>> .driver_detach+0x64/0xd0
>> .bus_remove_driver+0x70/0xf0
>> .driver_unregister+0x38/0x80
>> .platform_driver_unregister+0x14/0x30
>> .fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
>> .__se_sys_delete_module+0x1ec/0x2d0
>> .system_call_exception+0xfc/0x1f0
>> system_call_common+0xf8/0x200
>> ==================================================================
>>
>> The triggering of the BUG is shown in the following stack:
>>
>> driver_detach
>> device_release_driver_internal
>> __device_release_driver
>> drv->remove(dev) --> platform_drv_remove/platform_remove
>> drv->remove(dev) --> sata_fsl_remove
>> iounmap(host_priv->hcr_base); <---- unmap
>> kfree(host_priv); <---- free
>> devres_release_all
>> release_nodes
>> dr->node.release(dev, dr->data) --> ata_host_stop
>> ap->ops->port_stop(ap) --> sata_fsl_port_stop
>> ioread32(hcr_base + HCONTROL) <---- UAF
>> host->ops->host_stop(host)
>>
>> The iounmap(host_priv->hcr_base) and kfree(host_priv) functions should
>> not be executed in drv->remove. These functions should be executed in
>> host_stop after port_stop. Therefore, we move these functions to the
>> new function sata_fsl_host_stop and bind the new function to host_stop.
>>
>> Fixes: faf0b2e5afe7 ("drivers/ata: add support to Freescale 3.0Gbps SATA Controller")
>> Cc: [email protected]
>> Reported-by: Hulk Robot <[email protected]>
>> Signed-off-by: Baokun Li <[email protected]>
> Reviewed-by: Sergei Shtylyov <[email protected]>
>
> MBR, Sergei
> .
Thank you for your review.
--
With Best Regards,
Baokun Li
.
在 2021/11/27 3:44, Sergei Shtylyov 写道:
> On 11/26/21 5:03 AM, Baokun Li wrote:
>
>> Trying to remove the fsl-sata module in the PPC64 GNU/Linux
>> leads to the following warning:
>> ------------[ cut here ]------------
>> remove_proc_entry: removing non-empty directory 'irq/69',
>> leaking at least 'fsl-sata[ff0221000.sata]'
>> WARNING: CPU: 3 PID: 1048 at fs/proc/generic.c:722
>> .remove_proc_entry+0x20c/0x220
>> IRQMASK: 0
>> NIP [c00000000033826c] .remove_proc_entry+0x20c/0x220
>> LR [c000000000338268] .remove_proc_entry+0x208/0x220
>> Call Trace:
>> .remove_proc_entry+0x208/0x220 (unreliable)
>> .unregister_irq_proc+0x104/0x140
>> .free_desc+0x44/0xb0
>> .irq_free_descs+0x9c/0xf0
>> .irq_dispose_mapping+0x64/0xa0
>> .sata_fsl_remove+0x58/0xa0 [sata_fsl]
>> .platform_drv_remove+0x40/0x90
>> .device_release_driver_internal+0x160/0x2c0
>> .driver_detach+0x64/0xd0
>> .bus_remove_driver+0x70/0xf0
>> .driver_unregister+0x38/0x80
>> .platform_driver_unregister+0x14/0x30
>> .fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
>> ---[ end trace 0ea876d4076908f5 ]---
>>
>> The driver creates the mapping by calling irq_of_parse_and_map(),
>> so it also has to dispose the mapping. But the easy way out is to
>> simply use platform_get_irq() instead of irq_of_parse_map(). Also
>> we should adapt return value checking and propagate error values.
>>
>> In this case the mapping is not managed by the device but by
>> the of core, so the device has not to dispose the mapping.
>>
>> Fixes: faf0b2e5afe7 ("drivers/ata: add support to Freescale 3.0Gbps SATA Controller")
>> Cc: [email protected]
>> Reported-by: Hulk Robot <[email protected]>
>> Signed-off-by: Baokun Li <[email protected]>
> Reviewed-by: Sergei Shtylyov <[email protected]>
>
> MBR, Sergei
> .
Thank you for your review.
--
With Best Regards,
Baokun Li
.
On 2021/11/26 11:03, Baokun Li wrote:
> V1->V2:
> Fixed the check on the return value of platform_get_irq().
> And propagate errors up to sata_fsl_probe()'s callers.
> V2->V3:
> Add fixed and CC stable and modified the patch description.
> V3->V4:
> Use a single structure.
> V4->V5:
> Delete duplicate dev_err() message.
>
> Baokun Li (2):
> sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
> sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
>
> drivers/ata/sata_fsl.c | 20 +++++++++++++-------
> 1 file changed, 13 insertions(+), 7 deletions(-)
>
Applied to for-5.16-fixes. Thanks.
--
Damien Le Moal
Western Digital Research