Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932178AbdIGRPT (ORCPT <rfc822;w@1wt.eu>);
        Thu, 7 Sep 2017 13:15:19 -0400
Received: from mail-by2nam01on0059.outbound.protection.outlook.com ([104.47.34.59]:27904
        "EHLO NAM01-BY2-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1753606AbdIGRPR (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 7 Sep 2017 13:15:17 -0400
Authentication-Results: spf=none (sender IP is )
 smtp.mailfrom=David.Daney@cavium.com; 
Subject: Re: [PATCH] mmc: cavium: Fix use-after-free in
 of_platform_device_destroy
To: Rob Herring <robh+dt@kernel.org>, Jan Glauber <jglauber@cavium.com>
Cc: Ulf Hansson <ulf.hansson@linaro.org>,
        David Daney <david.daney@cavium.com>,
        "linux-mmc@vger.kernel.org" <linux-mmc@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
References: <20170907112417.21495-1-jglauber@cavium.com>
 <CAL_JsqJcG_dtGA7uje1gEeQUT=7P89-3r8=zuFiGJPu6hmsDUQ@mail.gmail.com>
From: David Daney <ddaney@caviumnetworks.com>
Message-ID: <befaabff-60e4-5e8f-59b4-e0892f040d88@caviumnetworks.com>
Date: Thu, 7 Sep 2017 10:15:12 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <CAL_JsqJcG_dtGA7uje1gEeQUT=7P89-3r8=zuFiGJPu6hmsDUQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Originating-IP: [50.233.148.156]
X-ClientProxiedBy: DM5PR07CA0046.namprd07.prod.outlook.com (10.168.109.32) To
 DM5PR07MB3500.namprd07.prod.outlook.com (10.164.153.31)
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: a3667b05-7659-465f-97f9-08d4f61401f6
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(300000503095)(300135400095)(2017052603199)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);SRVR:DM5PR07MB3500;
X-Microsoft-Exchange-Diagnostics: 1;DM5PR07MB3500;3:Ym9ipv5TQp9iDPgurBW/0IGxApa4nUdTPC3813sHsmK0h4WCi2lfy4HJXigilN9T65SWfOUr3JAw+jlWcinRJS5IVdxtOWZXonKRGM8s/qetPGBaRMprqaQrXtcJ/SDdRfaSO0cAdQvBAdATrzQTFIL9QdZPllo0srcWGrW6JkA1R+2wu96TmSBaqulC9wT/v3Sr6h2gYlstHWTkCVcf2zlkIA6xlFHBP1EaCmAXqoRs+MOTMSuhNJAHGobtSZzk;25:fGPeeHICgjlc1tF5sAwGa2LCKeUMlprxJw8Jr9sSL48y/8S09kku94hy015N//6I9Dan2oTZSgCKKJYVCpHvPfvYiY9dDyF/UOHUyXhF/kEDib+Jl+wDBdWbRCT4HVilSbDImjIdSV7PongAMxIol6zhJPa1T4v+Pyc5CBWygwBY1+Z1fwX3aKRvSV9Ong1H3kZQXbZM9aMWbWzbSU3tCuvdNPES0ljkghbprgZ08dJ9kogfgfQh1z7mNp9jdAAq1m9dQPFaj+NCCfZlyOLaEvNrWlmQe0O7BLRkHyPLNXDfqe+cxDJX3QNTaJyIHSVB5XsYzzgO7x23ZSyYbhkukg==;31:SHBwvO5JQolvle6zYfhJN52rv1BGzrqzMZ4mKVnVjD+oaFQJ2E2EYAvN3UkiyIvxFvQA6pvTbrHso0P/WpPPNYQ8t7ykQ0y62sD3hK5m55U5Jwk4BSOtWyY5GlGF5O+L7bdfhK8MejvcICRp6QHC7EcsotjlqH/1RIf/MHQVsP/vQjSZLCGTJLFrn8EQ+SaC7Fb5kF44SSVXLPTUs/of88Ksn3TVoVAargmXTdZ7MSI=
X-MS-TrafficTypeDiagnostic: DM5PR07MB3500:
X-Microsoft-Exchange-Diagnostics: 1;DM5PR07MB3500;20:P/W4yDZ24D3GYYCSdjWbadC2DQRNwIR0/sm56ulyjLV0oo7pyi/VkubZkvdS4mxtKyFDiHzhUfAY9VqiFq+6DzI+jr1HbfmsVn9iawrEnW3QYk/XK4lSl4FQ+nvwmQoCVjn90FN5+Vdir5Kw7Cp3OTt/jcu7T20fYe9kkpIcvGPa0l+NF11UDEW3smCYtsz3pmIeL5a0OnIE2LuLACfObikpgwUkZj9T5JCGI713Jfd50aH5fQPbJAFnqxn24xlgfh40A54VVCoJnYhPdST4+QyqbTFLNvOpNFpqbLG3raKwjrVXPzsab34vzLjLdEn46wLAhes2rKjsnZrA/84wvOeBR+IDcR1Bw9mcPMIe6QjcO8LvOAa8DvBYI35qrb6jGtJKN34m0Mc6S7TmokXTy7rZzzcWrGj1UdAJymH4swTsKvF86Yrre1/19Pphn/b3dOyYGwfg1VRU778CTQdi126y9YymMOqXnnljyqVqh32VSfaLCJ30si1rchJYzNX4Sbl+DY0RUb2WGl6oSYBWMgYHrbr7+YsHxM/y1rG+mmQLyJyNSp/7LHpLtlHJsSndRIEedneS/taFuYzJfTulxoJEmkKZd9Yq9ccKtf7AC4c=;4:4X3mbP1num10OL/SGmQKfslnZSJ5iEGKuw+4u5X3WqJ1SZSu0C9haoiEWxMG7iKl5UHsq0d2H4UxKeNf/ogEV4t1X8K9rqJxfWJzneNtbfP11OQzSidY/Rr9v991rOGGEnGaqiP0GsHtFTorK9PahqxbZBjiW2p+MHcN24kx53kMiYneX526iatRjwVzjoZlmQrcCGfCtHF353ggT3dywRY/yrQtGuC3Kdp+PD1v2l6U0Ta+zMCtUxctQdJlyLHQ
X-Exchange-Antispam-Report-Test: UriScan:;
X-Microsoft-Antispam-PRVS: <DM5PR07MB3500D71F602F8167A75B9CA197940@DM5PR07MB3500.namprd07.prod.outlook.com>
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(100000703101)(100105400095)(93006095)(3002001)(10201501046)(6041248)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123558100)(20161123562025)(20161123555025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:DM5PR07MB3500;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:DM5PR07MB3500;
X-Forefront-PRVS: 04238CD941
X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10009020)(6009001)(189002)(24454002)(199003)(377454003)(4001350100001)(6116002)(81166006)(81156014)(8936002)(5660300001)(65826007)(47776003)(8676002)(53416004)(33646002)(3846002)(66066001)(65806001)(65956001)(53546010)(42186005)(4326008)(50466002)(6246003)(53936002)(6512007)(83506001)(36756003)(230700001)(31686004)(23676002)(25786009)(64126003)(478600001)(189998001)(6506006)(6486002)(54356999)(76176999)(101416001)(54906002)(50986999)(5890100001)(305945005)(69596002)(2906002)(97736004)(106356001)(105586002)(6666003)(229853002)(2950100002)(42882006)(31696002)(72206003)(7736002)(230783001)(68736007);DIR:OUT;SFP:1101;SCL:1;SRVR:DM5PR07MB3500;H:ddl.caveonetworks.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en;
X-Microsoft-Exchange-Diagnostics: =?utf-8?B?MTtETTVQUjA3TUIzNTAwOzIzOlVjbWhnUlRDSjM4Mi9pOUVaSjRoQ3B2WGhh?=
 =?utf-8?B?MGZoa3QrWldRLzB1SVlQQVhCMVAxakMyR3ZCOWpJdnlFdXE0ZTMzc1VmeU9V?=
 =?utf-8?B?SWlTTTRITSt0eW9SUjJobnlIQitodzZJaFlxSUpkUnFNbHhKVHdhQ09oWEV3?=
 =?utf-8?B?NmdudHVLNS9iUDZhOUsvV1psTC9IWXVpeTFDV01xTEhuRTRlL3p4SGh6QUZn?=
 =?utf-8?B?bVRXYWlRV1VoZlpxOHdUQzJ3SzBudnFQT0J2cmEwTzJDKy82dFlLZGkrVWtZ?=
 =?utf-8?B?NjJtVXdiQVozeVpsVS9XRmJKbnB3bno2MHJFV25TNnQ0OHF4ZHRBWWI2bFZH?=
 =?utf-8?B?Vm83VUdiTXE5N3ZJOFJCQ1dKQlUrWFpzT0FGMCtLUUR4aVNIWnFKYnNUQmIy?=
 =?utf-8?B?Tm45R3R6Sk1NdVRobU4wYTZIUTNTNkU0WXNaQU5td3NjdGp1bTB4VzFWaTBn?=
 =?utf-8?B?STlxb2p2ejZMS0Q1bE9LYmVRTXNTS3ExZG55VDNXSUJVMldQQytjemxlaVBy?=
 =?utf-8?B?T3BDdHQ5TDlZN0c3OXVrcEEycHFSbENUOFZJcURRcjhkbjVMQVE3Q2UrMmNC?=
 =?utf-8?B?Y1B2R3dNR0VnOWhvUU9CbjluZTQ4Uk9YR1NLc2hCODUwL0gyc2RJSXFlNDIv?=
 =?utf-8?B?ZDJMZkQ5Vm1HekFoVzVHa2FhVGY2dVpYWmphS015UGdjMkZHQ1prM0dyWUhC?=
 =?utf-8?B?RzYwN3ptWGZveTZOYXlIb21NWGFJTnJYQnpZOHAremd5R2J0ektBSmw5YlpD?=
 =?utf-8?B?Um9vekYwVXhCMkVrOUl6R2tBOElUckRFbEVMVHZKVlhMVlNVRDBzYThqK0JG?=
 =?utf-8?B?bVdsUFJTd0NkOE9CRjJYTkd5M0pLUkxzWHhSakFYaHhGdFJIZ05EWXpBK1cy?=
 =?utf-8?B?WmxETkdkOGVMOU5NeVc0K2doQjduei8yOW1lOVFER2h2MWw5aHpaTUlUTkUy?=
 =?utf-8?B?Z203TWg4WG9hb1YyR2pkMU5VS0FUUDZBLzI1dk9MT1lMWlVnM0pNVEwzVHRO?=
 =?utf-8?B?WUM3ZXFlbHpUVDV0VmU1Ym1MQmVhSldIdThsTEJrcVlKczNpeldhMTM1S2tZ?=
 =?utf-8?B?cmw4R1gyRDZkTndyV2cwZTRzdVdzbkpIVWE1aWQ1bDM3QUt6ZWxXZjhOcnJF?=
 =?utf-8?B?MmlWY0xrUmhDVlhmaHo1aHpCdGs0WEFldUtBOHJiUzhvQjR0T25FZmJJQ3Jl?=
 =?utf-8?B?ZGFNMXVPSTVhQ0I1aGVyV0s4V0x2N0t4SW9pa1JRRG1NRzhqOEFwRVBpZngr?=
 =?utf-8?B?ZkxnVUZrdjhramZRTCtpcjc3emN3K3FFUzh0by9LWmxsZHJkRUplUkRZWjJX?=
 =?utf-8?B?SVZiVDJ4YUZPTVlCSE8zZjdGUm81UzVQbW9uTFdiMk9nZXJkdTYwelRXYmNP?=
 =?utf-8?B?UXhIa0FDcGlpZ3VGbWpPMUFZWXpQNTd0eHcxWGF2STN5QmdzWlo5dEVDMjMw?=
 =?utf-8?B?QzAyV3lWR1lxRWVVclYrWlpyeEVIeDVrOEwzQldCSFBvaGxIVG5YT3RZNisy?=
 =?utf-8?B?eEszTTFxbExZZEJmVnRKSW9RNDIxMkJFUGhUU2dHbEdjNlF5dVlickFEeTVn?=
 =?utf-8?B?cWx3REg2S0FreittN1I5OTg1RWQxU2JwUzdyTTdZUm50Nkt6T3dHVGVKeW1T?=
 =?utf-8?B?Q215RnhFNnEyeUsvampveUdBWm8wRGMxNUcvTVVoMCtKWnRBZFlud21xSHV1?=
 =?utf-8?B?cC9GQWRFSlNoRnlLbXIzb1V5NlgrK0UxWTQxTVJqVmtlbzFya2Y2bStHaGVW?=
 =?utf-8?B?Nkx4eStHRlFWZ29zL1ZpOGtJTndKUjB3b0tuaGdiOW1ITE1kSm4vd09VNUJC?=
 =?utf-8?B?UWplWlVoNllid3lqTTFmekxESGhIWDFkWlJtTGZRVk9nYVZtRkU4ck5rYngv?=
 =?utf-8?Q?NdUO6IE+PgZ8lHLewYxYWkTGWxBsiZQa?=
X-Microsoft-Exchange-Diagnostics: 1;DM5PR07MB3500;6:/mE2QMxbgoYRuAdPMgZ055OzpFdI6B8YBnbdd3cmQByPyiBVOywGizJ9xcpos1aPd46XNU39OkbECLXrXAvnOeuuJjpqaTAftLC+gTSqHLH6PVOYrO6nGS166iS2pNleXoMqeEvuJakQWP+3wTTa++gX/YImvzCVAYpP78hTkDNGYe0D9mr3NvCSo4RVnZ3h6VQ8gsBO0NgC+SEzSVaLheO31n/3oWZ7KsQLGSKQVQN1PWZvgkh6NV5TH8HGGL2QyyRxxv/NR9zQL4yghzBLAhuFQDzmuX1jrvKtjxvZRk5B4jWL3we4eIOQwmVfefaRdBy+3/PAucpWdu9srZlcfQ==;5:fulQiI11Shl0PpnwSoK5gxzfo9kjU6zVA4PaN7fT6/wVY3HQDHNtC40RU9dy9y/hX1NpyxFfKlUiEsJUpn1EvWYzi1wHxKFG0nn8TQw4bHLDwoGu+9Nl8i/TLwj5DzOvBPx+iELtO3244+6zuS3EHg==;24:VOKxpZfrQe3C5IIRM5una0FIUEOPGl8b9SAtyzLaT5IAyX4lL63QEcFcCDv6jywc4Fa/cvyYREosLoBETr9B5yL+DkCRKq8TVycQMiGTyCg=;7:m/POyoXu5+nqhPc/2ojgPuJATqBUCAEyjkTOd8ppBCN6EoIg/QC9SmOWU5C7cQAgcQHUrCAmH0PC9/HgDD0mma0fkyeil+oEUxQn27Cdvo5quvTVnMbcC4OU0Dx0sR4DYDY+VntP08yJ9/spW0Nke0kz4Esz4LchWlSNp82gJ0XSQdYD89YZDk8/GMsEE5picD1GwewRjRHhVrNsxk4QoVUEHSsume+h3bNeQvMlqpA=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: caviumnetworks.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Sep 2017 17:15:15.1299 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 711e4ccf-2e9b-4bcf-a551-4094005b6194
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR07MB3500
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 4240
Lines: 94

On 09/07/2017 09:58 AM, Rob Herring wrote:
> On Thu, Sep 7, 2017 at 6:24 AM, Jan Glauber <jglauber@cavium.com> wrote:
>> KASAN reported the following:
>>
>> [   19.338655] ==================================================================
>> [   19.345946] BUG: KASAN: use-after-free in of_platform_device_destroy+0x88/0x100
>> [   19.345966] Read of size 8 at addr fffffe01aa6f1468 by task systemd-udevd/264
>>
>> [   19.345983] CPU: 1 PID: 264 Comm: systemd-udevd Not tainted 4.13.0-jang+ #737
>> [   19.345989] Hardware name: Cavium ThunderX CN81XX board (DT)
>> [   19.345995] Call trace:
>> [   19.346013] [<fffffc800808b1b0>] dump_backtrace+0x0/0x368
>> [   19.346026] [<fffffc800808b6bc>] show_stack+0x24/0x30
>> [   19.346040] [<fffffc8008cbb944>] dump_stack+0xa4/0xc8
>> [   19.346057] [<fffffc80082c2870>] print_address_description+0x68/0x258
>> [   19.346070] [<fffffc80082c2d70>] kasan_report+0x238/0x2f8
>> [   19.346082] [<fffffc80082c14a8>] __asan_load8+0x88/0xb8
>> [   19.346098] [<fffffc8008aacee0>] of_platform_device_destroy+0x88/0x100
>> [   19.346131] [<fffffc8000e02fa4>] thunder_mmc_probe+0x314/0x550 [thunderx_mmc]
>> [   19.346147] [<fffffc800879d560>] pci_device_probe+0x158/0x1f8
>> [   19.346162] [<fffffc800886e53c>] driver_probe_device+0x394/0x5f8
>> [   19.346174] [<fffffc800886e8f4>] __driver_attach+0x154/0x158
>> [   19.346185] [<fffffc800886b12c>] bus_for_each_dev+0xdc/0x140
>> [   19.346196] [<fffffc800886d9f8>] driver_attach+0x38/0x48
>> [   19.346207] [<fffffc800886d148>] bus_add_driver+0x290/0x3c8
>> [   19.346219] [<fffffc800886fc5c>] driver_register+0xbc/0x1a0
>> [   19.346232] [<fffffc800879b78c>] __pci_register_driver+0xc4/0xd8
>> [   19.346260] [<fffffc8000e80024>] thunder_mmc_driver_init+0x24/0x10000 [thunderx_mmc]
>> [   19.346273] [<fffffc8008083a80>] do_one_initcall+0x98/0x1c0
>> [   19.346289] [<fffffc8008177b54>] do_init_module+0xe0/0x2cc
>> [   19.346303] [<fffffc8008175cf0>] load_module+0x3238/0x35c0
>> [   19.346318] [<fffffc8008176438>] SyS_finit_module+0x190/0x1a0
>> [   19.346329] [<fffffc80080834a0>] __sys_trace_return+0x0/0x4
>>
>> This is caused by:
>>
>>    platform_device_register()
>>     -> platform_device_unregister(to_platform_device(dev))
>>          freeing struct device
>>     -> of_node_clear_flag(dev->of_node, ...)
>>          writing to the freed device
>>
>> The issue is solved by increasing the reference count before calling
>> of_platform_device_destroy() so freeing the device is postponed after
>> the call.
>>
>> Fixes: 8fb83b142823 ("mmc: cavium: Fix probing race with regulator")
>> Signed-off-by: Jan Glauber <jglauber@cavium.com>
>> ---
>>   drivers/mmc/host/cavium-thunderx.c | 6 +++++-
>>   1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/mmc/host/cavium-thunderx.c b/drivers/mmc/host/cavium-thunderx.c
>> index b9cc95998799..eee08d81b242 100644
>> --- a/drivers/mmc/host/cavium-thunderx.c
>> +++ b/drivers/mmc/host/cavium-thunderx.c
>> @@ -7,6 +7,7 @@
>>    *
>>    * Copyright (C) 2016 Cavium Inc.
>>    */
>> +#include <linux/device.h>
>>   #include <linux/dma-mapping.h>
>>   #include <linux/interrupt.h>
>>   #include <linux/mmc/mmc.h>
>> @@ -149,8 +150,11 @@ static int thunder_mmc_probe(struct pci_dev *pdev,
>>          for (i = 0; i < CAVIUM_MAX_MMC; i++) {
>>                  if (host->slot[i])
>>                          cvm_mmc_of_slot_remove(host->slot[i]);
>> -               if (host->slot_pdev[i])
>> +               if (host->slot_pdev[i]) {
>> +                       get_device(&host->slot_pdev[i]->dev);
>>                          of_platform_device_destroy(&host->slot_pdev[i]->dev, NULL);
>> +                       put_device(&host->slot_pdev[i]->dev);
> 
> Why do you think this is Cavium specific?
> 
>  From my look of it, the problem is in of_platform_device_destroy. We
> should save the node ptr before the unregister call and use that to
> clear the flags.
> 

I agree, forcing all users of the core functions like 
of_platform_device_destroy() to get this right every time is not likely 
to work.

Modifying of_platform_device_destroy() to make it safe to call from this 
context is preferable as it will lead to a more robust kernel overall.

Thanks,
David Daney


> Rob
>