Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932224AbdIGMeO (ORCPT <rfc822;w@1wt.eu>);
        Thu, 7 Sep 2017 08:34:14 -0400
Received: from mail-bn3nam01on0072.outbound.protection.outlook.com ([104.47.33.72]:55036
        "EHLO NAM01-BN3-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S932105AbdIGMeL (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 7 Sep 2017 08:34:11 -0400
Authentication-Results: spf=none (sender IP is )
 smtp.mailfrom=Jan.Glauber@cavium.com; 
Date: Thu, 7 Sep 2017 14:33:55 +0200
From: Jan Glauber <jan.glauber@caviumnetworks.com>
To: Ulf Hansson <ulf.hansson@linaro.org>
Cc: David Daney <david.daney@cavium.com>,
        "linux-mmc@vger.kernel.org" <linux-mmc@vger.kernel.org>,
        Rob Herring <robh+dt@kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] mmc: cavium: Fix use-after-free in
 of_platform_device_destroy
Message-ID: <20170907123355.GB22336@hc>
References: <20170907112417.21495-1-jglauber@cavium.com>
 <CAPDyKFos=uPbuy1oQREMpE6hyaYbVxhVKSQNWkrE3VyoxzoL8g@mail.gmail.com>
 <20170907121940.GA22336@hc>
 <CAPDyKFri9EFwAk3n0Oxt-+pNQak9KT5V9mURevgEN_CEF0Gmfw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAPDyKFri9EFwAk3n0Oxt-+pNQak9KT5V9mURevgEN_CEF0Gmfw@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Originating-IP: [88.67.130.225]
X-ClientProxiedBy: DB6PR1001CA0037.EURPRD10.PROD.OUTLOOK.COM (10.168.69.151)
 To CY1PR07MB2587.namprd07.prod.outlook.com (10.167.16.137)
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 5aff0646-dbff-43fa-88e0-08d4f5ecbc1a
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(300000502095)(300135100095)(22001)(2017030254152)(300000503095)(300135400095)(2017052603199)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);SRVR:CY1PR07MB2587;
X-Microsoft-Exchange-Diagnostics: 1;CY1PR07MB2587;3:dXRwyugW0HfQWZCNWxF1J80CvoJ6eW2D0FKyRhfm1u9KxBbtc6X9EzxNPZ/1NrD9+csctwCebxeFmE750+5GRUhugEjxsHvqbxoczY6J4fdb8imurTi12kBJtAPuupmjD+DvX2uxVy7D9Etxnqi04z7x+bFgiUg+iCvxQ9XdtVrcR0KDxXQ2y7pFmOIvBZIQvUE/YgVit0t4D8ajGKanUDp7X2pPFVDyl8eQnwZAFw2CtTJUkhGgS1XdVV8pbqUN;25:KgEDbYYOtiY1h5J1g70zs8SxxyvEXb9VEfjxCdHteolklBo47iKhTx5x/uwOEY5CEBNgU/yt5fI2efwYyEL3AdTOoIgWWXehdi7Tv7ACBxmLJrPqj7Ak+lenTsu9VUVrmihGXSl9tEiFDeKWRsN0+jqmIV0JBXDcAfbh/5Hq8/eSnMqB5TMS0CIomioyZnrQSWDRgQ7bnPRzCewyYqMG736KyT+WiSqxrHtg4aU2opqt9WUbAmNR/uOGQhT+50yDajOecWRP3W5RUBBcvwv3rKIiiPddKajZnmPpj/Auud7WRiynmf6EUtFoGr79TfB7WHbMSZthJx7+92ZFBJtzJA==;31:GQDE+LC7b8DYJ2QtdysjExUjj6WhWEBcCeNZyCHXJlqeDod0ef6XJ48a3xzAZf45Ir/VGxU6zbChbZt10jDsWhCRm676Remr2pGsbTwCQcWt1EQx9b6R2wfi0XluHxdjaOnKSSUsghallZ+3V83mFHbXfGQWGPjnoxuv9Nw5M/d1EYH/EI2Xz79akbTbMMsyfk56Kn/BIP0L+tH+yjUV2cr3lUX6W/ztvM81U8RKQAs=
X-MS-TrafficTypeDiagnostic: CY1PR07MB2587:
X-Microsoft-Exchange-Diagnostics: 1;CY1PR07MB2587;20:ZY2JywqQr+Eg4rfnfQ3zP9KVif0Ur5QHpkv9b5Q2TF0pTOWgARpcJjJvu9xl2obrJk7dXLq35QlVX4rFyVtVN2cv8FmjuDsLMfZt6U65q/QjIDeRDJEgv0otRt8U5CCDNgx6qK3+leI80Q7iQZXoeWl6ETyy9b4aFpbuTLBuRG0VwGukJ9udt8RWNPDNFZ6G1Rs2PhVSSp06CzuEZ8ox+15Pi7McHmCufsWitptFsVCqzFRS4FJ9zxYsY/uv+CCJAKKj10n2o1AXgfE3YcAk/bgrw9knzyXBY2QpPTxJZhjGFZw5hlPi1wGOxCqxn2c42qrWjfmGZLiKzjc54CWLwWU2Xd+qFhymcDdG1CndBrLAGu+70Tm/LhbeanVr8pD5sjFsJKTkYaSisSAvXaDWXriNzxqsdTsRup1B3x+JJyRolp4bwGRLIq9MVW19Dkv7nvjC4omytOt0oRLWQ0qDDySkxmdkxUG8FZocNprPL8QDJdNwA+1CgEhB+5WYEp+EG6/aMDKOyh9K4zDJZKJnd+fuBc2o4e9nRnTIxrwguE8Q3PmDsWfcrec8eb1ZxP8lA2q1NzU3WR9PRXROd2bayBEa+zEV+94gNH0wVTQL6mw=;4:mDRkHnw34dmb1VhKruGdX4OHr+QADRwRXrttf2yuRRWYRCKNLg4rvysdwz4EF6IIJz7VXHJuOGjwdn98noeIkNYT1x4dKWS0vpgjoJxknKGt2OxhRdW7aQrFwwNZhQ9lvhiIlnPeaWUv8JEFxzTLqEQJmDGl/nH41JRgYEiRZbWpsP4HSiGcRwM/aFQ678W6JMNLOfpJFGSI7aX+8g2CU1QgrWZqggZ9/Qszzz8YDJi1EyWc0dOoSCLMnJYLcRe1
X-Exchange-Antispam-Report-Test: UriScan:;
X-Microsoft-Antispam-PRVS: <CY1PR07MB2587037ED871A901BAA8A1C391940@CY1PR07MB2587.namprd07.prod.outlook.com>
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(3002001)(10201501046)(93006095)(100000703101)(100105400095)(6041248)(20161123564025)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123562025)(20161123558100)(20161123555025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:CY1PR07MB2587;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:CY1PR07MB2587;
X-Forefront-PRVS: 04238CD941
X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10009020)(6009001)(189002)(199003)(24454002)(5660300001)(229853002)(7736002)(33716001)(23726003)(1076002)(50466002)(6116002)(230783001)(72206003)(3846002)(47776003)(66066001)(106356001)(101416001)(478600001)(33656002)(42186005)(105586002)(50986999)(68736007)(54356999)(76176999)(81156014)(2906002)(81166006)(8936002)(8676002)(6666003)(6246003)(110136004)(6916009)(42882006)(2950100002)(93886005)(6496005)(189998001)(53936002)(53546010)(54906002)(305945005)(4326008)(25786009)(83506001)(97736004)(4001350100001)(9686003)(55016002)(5890100001)(18370500001);DIR:OUT;SFP:1101;SCL:1;SRVR:CY1PR07MB2587;H:hc;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en;
X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1;CY1PR07MB2587;23:JjgCLWlTTAu7c6ha6xi2MAH0zKUxlWEgsC3If0uQg?=
 =?us-ascii?Q?58c6NhlWEdrNG8kfpTBP42Li2A1BFk6758JIezi/ibY4j20DMYK2LTBtkTF0?=
 =?us-ascii?Q?5UixvScXmLgffOZawBPzOOZYslvtpb+pL3HSewpiZrHR0o3eVfKM/CF4MVuD?=
 =?us-ascii?Q?WW3hhal3zVt/OCdnsZLnpzeb7x0qYpUY8lqMZdEi9mxQjUWYMlExCUD3tKdn?=
 =?us-ascii?Q?/O55DoRvaVJj2ctTlS2IM8IRHYDJEUp2eY2u3ms1acL6qssKCZvtOZqnqZbg?=
 =?us-ascii?Q?1rxM6EAwYfAY18yKwszbW1w5b4fAdxNstvjOOSxh5Sa82fw+Gzs3qGK7Exb9?=
 =?us-ascii?Q?uEOzSnH4DM/foCnrxYmQFg7unZi91WvbadyBQR+Mr1ztXy+pbJswhhRcdsiT?=
 =?us-ascii?Q?5ozkmD+RNy2N3yROhjW5gAZ8Hk+rXNcirawTFUskWLfVLN4qtwnyx4xvTagc?=
 =?us-ascii?Q?I5lgvt0xWvWtJ0sVi1bBk5Xie3dnLRGnnWJ7CynvIm/HiSMR8R+f30crITvL?=
 =?us-ascii?Q?577v0E9mXPGA8seI+NkpDxEBrvLqw1iqaaCK0JuI4WaJ3bpAjsYpEPLtXPsQ?=
 =?us-ascii?Q?pmH5jMBSen4ABgDfMjyFl6Gb0xYblOarQ/RP2jJzWH2WwP9u9QLLlbZzKvzr?=
 =?us-ascii?Q?FlGk8glOmBjKLLOsd5VnfiGJyO+M8Qw2ozaf6QPUZcfvI2J3luyVLSkYw8JD?=
 =?us-ascii?Q?X/x2u8Y+sw/MESfpOsmokYNjiKpIa0gzAS4xZzZ273D0o9G2MG8obUEaQBlK?=
 =?us-ascii?Q?+4Yh80R1jc/mkyvE7RAhCykDIV74Gy8Ram5UC9ykVg2lkNrSDFCdMynlPMhn?=
 =?us-ascii?Q?hV63LqzJ5v5mtKV+3Zjna/Mb61oIDHLCgyH/kUCw5+Lt4F+G8xZYRt3ichyq?=
 =?us-ascii?Q?gJET82L7sja/YWPXA1JYIzvFO/vwxDfU3cs2shDICiaIQIf99SyTsQG79csU?=
 =?us-ascii?Q?XLaCxlwn0Knu/2vYFE1vEZFkkYYotYpkHFroEudAm+g/wu26jS1ka3HVUSx3?=
 =?us-ascii?Q?5YyR61XCfmpYmAhtqoqbhi/+S3cqlBXCeqXiA+cg3mIINX87Snp6XWRdSttA?=
 =?us-ascii?Q?4DpbWYPhZuMEQBZwmBH6N2zEKj/C8p+hOTzRw5AbbJjfyitchUAwOHKNw3fW?=
 =?us-ascii?Q?tig6dQ7zxL99MjFy7Nw3C1tg61hAaPvf9SUnk/4PM/UgLAPtS74Ve1EAwv3t?=
 =?us-ascii?Q?8MwNo9BRtkZrJp+zz2tVC/1qysSaruj+2i+KdFBHRJHvWhYwipBTqoN5dFXt?=
 =?us-ascii?Q?RWA0RmaO3C7V5fe+92D9mADCewl249BnvptB7+XFj4v+Y2YEwek2x+OzYuN7?=
 =?us-ascii?B?UT09?=
X-Microsoft-Exchange-Diagnostics: 1;CY1PR07MB2587;6:rAtjYbVzZlvzGQHdx4F7iOB/9nT8h5ZcBKUGf4gFQc6MP0EqfjgMv+gv3pVBb4rE7s8H+NxWgHES2HEBzLJG6iB3OiWhBEde7BETiVLk77avGMo7pNAg6xEDipdRzK+77bfGZ/6nABMYW7AuJXpI8G6ZR1BzHhWJkw79KeGY3j8YRTQ18uh0Q95SxrRdPZ4WPjovBIlkmFExzhCe7cG+ZULZkq6vqPl9RZonUAdgZ2QIzwm1mOIILJ67RTwa6CoMrkkNPJrKsQtkWjqlsEwb6iM6zgDiwfoVWPwalP16KEcSQXQVqY7/+PgnMa7/RR82Zdj7DS3IgsL0y3cTZHEEPQ==;5:Y/Ry/BygpW52iB1CyibgJUkB/WAWCkUbXquqXAGQSsYXeMiiJhsCBNUj8o5n7yWV80gv/OGnAJDOJoBqZMtQ/YvESm0N0CZ+sH4Ou+KPLUxtZ6/bNlajTkutPyxGBhRK6jmG0utZWIohmWOV8Vqa4A==;24:29rXNZ3l9cg1gZvkOld+P0s8EoLw7lphfLto9jETbymrxyv3aAYzHTzl7+c33ohSKGNoHgyJapD0YcP0skSUA/43VjmDZsqqb1fQMI/ubYM=;7:CUdORXi6GtHc7UMy9caenW2nokibfGYqGH0g8rY5nTpTlwuvyIwXFeQRNgoGbI45uaRLrOddJ3W828iVPEp34g8xA2RTLXPEDd60AJchBmzYP9zFc8+qoLuiP+kld8DKcroYmJ8DSGdxZylWyrITQKOriUxI080Xpw/T1TWM54b8r+fBc7VbI5Nn/gYkboEdDWiwXI/H5UL6xiyNpv4q/Bt+Jpjx+iYsG9eKxSYWjqc=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: caviumnetworks.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Sep 2017 12:34:06.8493 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 711e4ccf-2e9b-4bcf-a551-4094005b6194
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR07MB2587
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 4818
Lines: 109

On Thu, Sep 07, 2017 at 02:21:17PM +0200, Ulf Hansson wrote:
> On 7 September 2017 at 14:19, Jan Glauber
> <jan.glauber@caviumnetworks.com> wrote:
> > Thanks Uffe. The fix would only be required for 4.13, as only with that the
> > Cavium GPIO driver became available.
> 
> Okay, I drop the fixes tag then, because it points to a commit present
> in 4.12 as well.
> 
> Make sense?

Thinking twice it may still be a good idea to have the fixes tag, for
distribution backports. So yes, please keep it.

thanks,
Jan

> Kind regards
> Uffe
> 
> >
> > --Jan
> >
> > On Thu, Sep 07, 2017 at 02:07:01PM +0200, Ulf Hansson wrote:
> >> On 7 September 2017 at 13:24, Jan Glauber <jglauber@cavium.com> wrote:
> >> > KASAN reported the following:
> >> >
> >> > [   19.338655] ==================================================================
> >> > [   19.345946] BUG: KASAN: use-after-free in of_platform_device_destroy+0x88/0x100
> >> > [   19.345966] Read of size 8 at addr fffffe01aa6f1468 by task systemd-udevd/264
> >> >
> >> > [   19.345983] CPU: 1 PID: 264 Comm: systemd-udevd Not tainted 4.13.0-jang+ #737
> >> > [   19.345989] Hardware name: Cavium ThunderX CN81XX board (DT)
> >> > [   19.345995] Call trace:
> >> > [   19.346013] [<fffffc800808b1b0>] dump_backtrace+0x0/0x368
> >> > [   19.346026] [<fffffc800808b6bc>] show_stack+0x24/0x30
> >> > [   19.346040] [<fffffc8008cbb944>] dump_stack+0xa4/0xc8
> >> > [   19.346057] [<fffffc80082c2870>] print_address_description+0x68/0x258
> >> > [   19.346070] [<fffffc80082c2d70>] kasan_report+0x238/0x2f8
> >> > [   19.346082] [<fffffc80082c14a8>] __asan_load8+0x88/0xb8
> >> > [   19.346098] [<fffffc8008aacee0>] of_platform_device_destroy+0x88/0x100
> >> > [   19.346131] [<fffffc8000e02fa4>] thunder_mmc_probe+0x314/0x550 [thunderx_mmc]
> >> > [   19.346147] [<fffffc800879d560>] pci_device_probe+0x158/0x1f8
> >> > [   19.346162] [<fffffc800886e53c>] driver_probe_device+0x394/0x5f8
> >> > [   19.346174] [<fffffc800886e8f4>] __driver_attach+0x154/0x158
> >> > [   19.346185] [<fffffc800886b12c>] bus_for_each_dev+0xdc/0x140
> >> > [   19.346196] [<fffffc800886d9f8>] driver_attach+0x38/0x48
> >> > [   19.346207] [<fffffc800886d148>] bus_add_driver+0x290/0x3c8
> >> > [   19.346219] [<fffffc800886fc5c>] driver_register+0xbc/0x1a0
> >> > [   19.346232] [<fffffc800879b78c>] __pci_register_driver+0xc4/0xd8
> >> > [   19.346260] [<fffffc8000e80024>] thunder_mmc_driver_init+0x24/0x10000 [thunderx_mmc]
> >> > [   19.346273] [<fffffc8008083a80>] do_one_initcall+0x98/0x1c0
> >> > [   19.346289] [<fffffc8008177b54>] do_init_module+0xe0/0x2cc
> >> > [   19.346303] [<fffffc8008175cf0>] load_module+0x3238/0x35c0
> >> > [   19.346318] [<fffffc8008176438>] SyS_finit_module+0x190/0x1a0
> >> > [   19.346329] [<fffffc80080834a0>] __sys_trace_return+0x0/0x4
> >> >
> >> > This is caused by:
> >> >
> >> >   platform_device_register()
> >> >    -> platform_device_unregister(to_platform_device(dev))
> >> >         freeing struct device
> >> >    -> of_node_clear_flag(dev->of_node, ...)
> >> >         writing to the freed device
> >> >
> >> > The issue is solved by increasing the reference count before calling
> >> > of_platform_device_destroy() so freeing the device is postponed after
> >> > the call.
> >> >
> >> > Fixes: 8fb83b142823 ("mmc: cavium: Fix probing race with regulator")
> >> > Signed-off-by: Jan Glauber <jglauber@cavium.com>
> >>
> >> Thanks, applied for fixes and added a stable tag.
> >>
> >> Kind regards
> >> Uffe
> >>
> >> > ---
> >> >  drivers/mmc/host/cavium-thunderx.c | 6 +++++-
> >> >  1 file changed, 5 insertions(+), 1 deletion(-)
> >> >
> >> > diff --git a/drivers/mmc/host/cavium-thunderx.c b/drivers/mmc/host/cavium-thunderx.c
> >> > index b9cc95998799..eee08d81b242 100644
> >> > --- a/drivers/mmc/host/cavium-thunderx.c
> >> > +++ b/drivers/mmc/host/cavium-thunderx.c
> >> > @@ -7,6 +7,7 @@
> >> >   *
> >> >   * Copyright (C) 2016 Cavium Inc.
> >> >   */
> >> > +#include <linux/device.h>
> >> >  #include <linux/dma-mapping.h>
> >> >  #include <linux/interrupt.h>
> >> >  #include <linux/mmc/mmc.h>
> >> > @@ -149,8 +150,11 @@ static int thunder_mmc_probe(struct pci_dev *pdev,
> >> >         for (i = 0; i < CAVIUM_MAX_MMC; i++) {
> >> >                 if (host->slot[i])
> >> >                         cvm_mmc_of_slot_remove(host->slot[i]);
> >> > -               if (host->slot_pdev[i])
> >> > +               if (host->slot_pdev[i]) {
> >> > +                       get_device(&host->slot_pdev[i]->dev);
> >> >                         of_platform_device_destroy(&host->slot_pdev[i]->dev, NULL);
> >> > +                       put_device(&host->slot_pdev[i]->dev);
> >> > +               }
> >> >         }
> >> >         clk_disable_unprepare(host->clk);
> >> >         return ret;
> >> > --
> >> > 2.9.0.rc0.21.g7777322
> >> >