Date: Thu, 7 Sep 2017 14:33:55 +0200
From: Jan Glauber
To: Ulf Hansson
Cc: David Daney, "linux-mmc@vger.kernel.org", Rob Herring, "linux-kernel@vger.kernel.org"
Subject: Re: [PATCH] mmc: cavium: Fix use-after-free in of_platform_device_destroy
Message-ID: <20170907123355.GB22336@hc>
References: <20170907112417.21495-1-jglauber@cavium.com> <20170907121940.GA22336@hc>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 07, 2017 at 02:21:17PM +0200, Ulf Hansson wrote:
> On 7 September 2017 at 14:19, Jan Glauber wrote:
> > Thanks Uffe. The fix would only be required for 4.13, as only with that the
> > Cavium GPIO driver became available.
>
> Okay, I drop the fixes tag then, because it points to a commit present
> in 4.12 as well.
>
> Make sense?

Thinking twice it may still be a good idea to have the fixes tag, for
distribution backports. So yes, please keep it.

thanks,
Jan

> Kind regards
> Uffe
>
> >
> > --Jan
> >
> > On Thu, Sep 07, 2017 at 02:07:01PM +0200, Ulf Hansson wrote:
> >> On 7 September 2017 at 13:24, Jan Glauber wrote:
> >> > KASAN reported the following:
> >> >
> >> > [ 19.338655] ==================================================================
> >> > [ 19.345946] BUG: KASAN: use-after-free in of_platform_device_destroy+0x88/0x100
> >> > [ 19.345966] Read of size 8 at addr fffffe01aa6f1468 by task systemd-udevd/264
> >> >
> >> > [ 19.345983] CPU: 1 PID: 264 Comm: systemd-udevd Not tainted 4.13.0-jang+ #737
> >> > [ 19.345989] Hardware name: Cavium ThunderX CN81XX board (DT)
> >> > [ 19.345995] Call trace:
> >> > [ 19.346013] [] dump_backtrace+0x0/0x368
> >> > [ 19.346026] [] show_stack+0x24/0x30
> >> > [ 19.346040] [] dump_stack+0xa4/0xc8
> >> > [ 19.346057] [] print_address_description+0x68/0x258
> >> > [ 19.346070] [] kasan_report+0x238/0x2f8
> >> > [ 19.346082] [] __asan_load8+0x88/0xb8
> >> > [ 19.346098] [] of_platform_device_destroy+0x88/0x100
> >> > [ 19.346131] [] thunder_mmc_probe+0x314/0x550 [thunderx_mmc]
> >> > [ 19.346147] [] pci_device_probe+0x158/0x1f8
> >> > [ 19.346162] [] driver_probe_device+0x394/0x5f8
> >> > [ 19.346174] [] __driver_attach+0x154/0x158
> >> > [ 19.346185] [] bus_for_each_dev+0xdc/0x140
> >> > [ 19.346196] [] driver_attach+0x38/0x48
> >> > [ 19.346207] [] bus_add_driver+0x290/0x3c8
> >> > [ 19.346219] [] driver_register+0xbc/0x1a0
> >> > [ 19.346232] [] __pci_register_driver+0xc4/0xd8
> >> > [ 19.346260] [] thunder_mmc_driver_init+0x24/0x10000 [thunderx_mmc]
> >> > [ 19.346273] [] do_one_initcall+0x98/0x1c0
> >> > [ 19.346289] [] do_init_module+0xe0/0x2cc
> >> > [ 19.346303] [] load_module+0x3238/0x35c0
> >> > [ 19.346318] [] SyS_finit_module+0x190/0x1a0
> >> > [ 19.346329] [] __sys_trace_return+0x0/0x4
> >> >
> >> > This is caused by:
> >> >
> >> > platform_device_register()
> >> > -> platform_device_unregister(to_platform_device(dev))
> >> >    freeing struct device
> >> >
-> of_node_clear_flag(dev->of_node, ...) > >> > writing to the freed device > >> > > >> > The issue is solved by increasing the reference count before calling > >> > of_platform_device_destroy() so freeing the device is postponed after > >> > the call. > >> > > >> > Fixes: 8fb83b142823 ("mmc: cavium: Fix probing race with regulator") > >> > Signed-off-by: Jan Glauber > >> > >> Thanks, applied for fixes and added a stable tag. > >> > >> Kind regards > >> Uffe > >> > >> > --- > >> > drivers/mmc/host/cavium-thunderx.c | 6 +++++- > >> > 1 file changed, 5 insertions(+), 1 deletion(-) > >> > > >> > diff --git a/drivers/mmc/host/cavium-thunderx.c b/drivers/mmc/host/cavium-thunderx.c > >> > index b9cc95998799..eee08d81b242 100644 > >> > --- a/drivers/mmc/host/cavium-thunderx.c > >> > +++ b/drivers/mmc/host/cavium-thunderx.c > >> > @@ -7,6 +7,7 @@ > >> > * > >> > * Copyright (C) 2016 Cavium Inc. > >> > */ > >> > +#include > >> > #include > >> > #include > >> > #include > >> > @@ -149,8 +150,11 @@ static int thunder_mmc_probe(struct pci_dev *pdev, > >> > for (i = 0; i < CAVIUM_MAX_MMC; i++) { > >> > if (host->slot[i]) > >> > cvm_mmc_of_slot_remove(host->slot[i]); > >> > - if (host->slot_pdev[i]) > >> > + if (host->slot_pdev[i]) { > >> > + get_device(&host->slot_pdev[i]->dev); > >> > of_platform_device_destroy(&host->slot_pdev[i]->dev, NULL); > >> > + put_device(&host->slot_pdev[i]->dev); > >> > + } > >> > } > >> > clk_disable_unprepare(host->clk); > >> > return ret; > >> > -- > >> > 2.9.0.rc0.21.g7777322 > >> >
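
Review bot: In the thunder_mmc_probe() error-path hunk, the get_device()/put_device() pair around of_platform_device_destroy() carries no comment saying why the extra reference is needed, so a later cleanup could drop it as redundant and bring the use-after-free back. A short comment above get_device(&host->slot_pdev[i]->dev) stating that of_platform_device_destroy() still accesses dev->of_node after platform_device_unregister() would document it. The commit message places the late access inside of_platform_device_destroy() itself, so it is worth asking whether the reference should be taken there (or the of_node flags cleared before the unregister) rather than at this one call site.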
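
A user-space model of the ordering described in the commit message above, added here as an example; it is not code from the thread or from the kernel. `model_dev`, `model_get`, `model_put` and `model_destroy` are hypothetical stand-ins for struct device, get_device(), put_device() and of_platform_device_destroy(), and "release" only sets a flag instead of freeing memory so the late access can be observed safely.

```c
#include <stdbool.h>

/* Constructed user-space model; all names are hypothetical, not kernel APIs. */
struct model_dev {
    int refcount;          /* stands in for the struct device refcount */
    bool released;         /* set where the kernel's release() would free */
    bool late_access;      /* an access after release: what KASAN reports */
    unsigned node_flags;   /* stands in for the flags on dev->of_node */
};

static void model_get(struct model_dev *d) { d->refcount++; }
static void model_put(struct model_dev *d)
{
    if (--d->refcount == 0)
        d->released = true;
}

/* Same order as the thread describes: unregister first, then touch dev. */
static void model_destroy(struct model_dev *d)
{
    model_put(d);                 /* platform_device_unregister() step */
    if (d->released)
        d->late_access = true;    /* dev is already gone at this point */
    d->node_flags = 0;            /* of_node_clear_flag() step */
}

/* Caller holds only the registration reference: the unpatched error path. */
bool unpinned_teardown_is_safe(void)
{
    struct model_dev d = { .refcount = 1, .node_flags = 0x3 };
    model_destroy(&d);
    return !d.late_access;
}

/* Caller pins the device across the call: the patched error path. */
bool pinned_teardown_is_safe(void)
{
    struct model_dev d = { .refcount = 1, .node_flags = 0x3 };
    model_get(&d);
    model_destroy(&d);
    bool safe = !d.late_access && !d.released;
    model_put(&d);                /* the final put performs the release */
    return safe && d.released && d.refcount == 0;
}

int main(void)
{
    return (!unpinned_teardown_is_safe() && pinned_teardown_is_safe()) ? 0 : 1;
}
```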