From: David Daney
To: Rob Herring, Jan Glauber
Cc: Ulf Hansson, David Daney, "linux-mmc@vger.kernel.org", "linux-kernel@vger.kernel.org"
Subject: Re: [PATCH] mmc: cavium: Fix use-after-free in of_platform_device_destroy
Date: Thu, 7 Sep 2017 10:15:12 -0700
References: <20170907112417.21495-1-jglauber@cavium.com>

On 09/07/2017 09:58 AM, Rob Herring wrote:
> On Thu, Sep 7, 2017 at 6:24 AM, Jan Glauber wrote:
>> KASAN reported the following:
>>
>> [ 19.338655] ==================================================================
>> [ 19.345946] BUG: KASAN: use-after-free in of_platform_device_destroy+0x88/0x100
>> [ 19.345966] Read of size 8 at addr fffffe01aa6f1468 by task systemd-udevd/264
>>
>> [ 19.345983] CPU: 1 PID: 264 Comm: systemd-udevd Not tainted 4.13.0-jang+ #737
>> [ 19.345989] Hardware name: Cavium ThunderX CN81XX board (DT)
>> [ 19.345995] Call trace:
>> [ 19.346013] [] dump_backtrace+0x0/0x368
>> [ 19.346026] [] show_stack+0x24/0x30
>> [ 19.346040] [] dump_stack+0xa4/0xc8
>> [ 19.346057] [] print_address_description+0x68/0x258
>> [ 19.346070] [] kasan_report+0x238/0x2f8
>> [ 19.346082] [] __asan_load8+0x88/0xb8
>> [ 19.346098] [] of_platform_device_destroy+0x88/0x100
>> [ 19.346131] [] thunder_mmc_probe+0x314/0x550 [thunderx_mmc]
>> [ 19.346147] [] pci_device_probe+0x158/0x1f8
>> [ 19.346162] [] driver_probe_device+0x394/0x5f8
>> [ 19.346174] [] __driver_attach+0x154/0x158
>> [ 19.346185] [] bus_for_each_dev+0xdc/0x140
>> [ 19.346196] [] driver_attach+0x38/0x48
>> [ 19.346207] [] bus_add_driver+0x290/0x3c8
>> [ 19.346219] [] driver_register+0xbc/0x1a0
>> [ 19.346232] [] __pci_register_driver+0xc4/0xd8
>> [ 19.346260] [] thunder_mmc_driver_init+0x24/0x10000 [thunderx_mmc]
>> [ 19.346273] [] do_one_initcall+0x98/0x1c0
>> [ 19.346289] [] do_init_module+0xe0/0x2cc
>> [ 19.346303] [] load_module+0x3238/0x35c0
>> [ 19.346318] [] SyS_finit_module+0x190/0x1a0
>> [ 19.346329] [] __sys_trace_return+0x0/0x4
>>
>> This is caused by:
>>
>> platform_device_register()
>> -> platform_device_unregister(to_platform_device(dev))
>> freeing struct device
>> -> of_node_clear_flag(dev->of_node, ...)
>> writing to the freed device
>>
>> The issue is solved by increasing the reference count before calling
>> of_platform_device_destroy() so freeing the device is postponed after
>> the call.
>>
>> Fixes: 8fb83b142823 ("mmc: cavium: Fix probing race with regulator")
>> Signed-off-by: Jan Glauber
>> ---
>> drivers/mmc/host/cavium-thunderx.c | 6 +++++-
>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/mmc/host/cavium-thunderx.c b/drivers/mmc/host/cavium-thunderx.c >> index b9cc95998799..eee08d81b242 100644 >> --- a/drivers/mmc/host/cavium-thunderx.c >> +++ b/drivers/mmc/host/cavium-thunderx.c >> @@ -7,6 +7,7 @@ >> * >> * Copyright (C) 2016 Cavium Inc. >> */ >> +#include >> #include >> #include >> #include >> @@ -149,8 +150,11 @@ static int thunder_mmc_probe(struct pci_dev *pdev, >> for (i = 0; i < CAVIUM_MAX_MMC; i++) { >> if (host->slot[i]) >> cvm_mmc_of_slot_remove(host->slot[i]); >> - if (host->slot_pdev[i]) >> + if (host->slot_pdev[i]) { >> + get_device(&host->slot_pdev[i]->dev); >> of_platform_device_destroy(&host->slot_pdev[i]->dev, NULL); >> + put_device(&host->slot_pdev[i]->dev);
>
> Why do you think this is Cavium specific?
>
> From my look of it, the problem is in of_platform_device_destroy. We
> should save the node ptr before the unregister call and use that to
> clear the flags.
>

I agree, forcing all users of the core functions like
of_platform_device_destroy() to get this right every time is not likely
to work. Modifying of_platform_device_destroy() to make it safe to call
from this context is preferable as it will lead to a more robust kernel
overall.

Thanks,
David Daney

> Rob
>
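
Review bot: In the second hunk (the cleanup loop in thunder_mmc_probe()), the get_device()/put_device() pair around of_platform_device_destroy() carries no comment, and a bare get/put bracketing a destroy call reads as redundant to the next person touching this loop. Add a one-line comment stating that the extra reference keeps the device alive until of_platform_device_destroy() has finished using dev->of_node. The pair also protects only this one call site, so it is worth settling first whether the use-after-free should be fixed inside of_platform_device_destroy() itself, as raised in the reply, which would cover every caller.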
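
An added example, not code from the patch or from the kernel: a userspace C model of the two orderings discussed in this thread, the caller pinning the device with get_device()/put_device() versus the destroy routine saving the node pointer before the unregister. The struct layouts, NODE_POPULATED, device_create(), destroy_original_order(), destroy_saved_node() and run_destroy() are assumptions made for illustration, and the node is assumed to outlive the device.

```c
#include <stdlib.h>

#define NODE_POPULATED 0x1u          /* hypothetical flag name */
struct of_node { unsigned flags; };  /* assumed to outlive the device */
struct device { int refcount; struct of_node *of_node; };
int devices_freed;                   /* lets a caller confirm each free */
struct device *device_create(struct of_node *np)
{
    struct device *dev = calloc(1, sizeof(*dev));
    if (!dev) return NULL;
    dev->refcount = 1;               /* the registration reference */
    dev->of_node = np;
    np->flags |= NODE_POPULATED;
    return dev;
}
void get_device(struct device *dev) { dev->refcount++; }
void put_device(struct device *dev)
{
    if (--dev->refcount == 0) { free(dev); devices_freed++; }
}
/* Original order: valid only while the caller pins dev, as the patch does. */
void destroy_original_order(struct device *dev)
{
    put_device(dev);                 /* models the unregister */
    dev->of_node->flags &= ~NODE_POPULATED;
}
/* Order proposed in the review: save the node pointer first. */
void destroy_saved_node(struct device *dev)
{
    struct of_node *np = dev->of_node;   /* read while dev is valid */
    put_device(dev);                     /* may free dev */
    np->flags &= ~NODE_POPULATED;        /* no access to dev */
}
/* Returns the node flags left after the destroy; pin selects the fix. */
unsigned run_destroy(int pin)
{
    struct of_node np = { 0 };
    struct device *dev = device_create(&np);
    if (!dev) return ~0u;
    if (pin) {
        get_device(dev);             /* caller-side fix from the patch */
        destroy_original_order(dev);
        put_device(dev);             /* last reference: the free happens here */
    } else {
        destroy_saved_node(dev);     /* core-side fix from the review */
    }
    return np.flags;
}
int main(void) { return run_destroy(0) != 0 || run_destroy(1) != 0; }
```

Calling destroy_original_order() without the caller's reference is the ordering KASAN flagged; the model never does that, so it stays free of undefined behaviour.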