Date: Thu, 7 Sep 2017 20:14:09 +0200
From: Jan Glauber
To: Rob Herring
Cc: Ulf Hansson, David Daney, linux-mmc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mmc: cavium: Fix use-after-free in of_platform_device_destroy
Message-ID: <20170907181409.GA27717@hc>
References: <20170907112417.21495-1-jglauber@cavium.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 07, 2017 at 11:58:58AM -0500, Rob Herring wrote:
> On Thu, Sep 7, 2017 at 6:24 AM, Jan Glauber wrote:
> > KASAN reported the following:
> >
> > [ 19.338655]
> > ==================================================================
> > [ 19.345946] BUG: KASAN: use-after-free in of_platform_device_destroy+0x88/0x100
> > [ 19.345966] Read of size 8 at addr fffffe01aa6f1468 by task systemd-udevd/264
> >
> > [ 19.345983] CPU: 1 PID: 264 Comm: systemd-udevd Not tainted 4.13.0-jang+ #737
> > [ 19.345989] Hardware name: Cavium ThunderX CN81XX board (DT)
> > [ 19.345995] Call trace:
> > [ 19.346013] [] dump_backtrace+0x0/0x368
> > [ 19.346026] [] show_stack+0x24/0x30
> > [ 19.346040] [] dump_stack+0xa4/0xc8
> > [ 19.346057] [] print_address_description+0x68/0x258
> > [ 19.346070] [] kasan_report+0x238/0x2f8
> > [ 19.346082] [] __asan_load8+0x88/0xb8
> > [ 19.346098] [] of_platform_device_destroy+0x88/0x100
> > [ 19.346131] [] thunder_mmc_probe+0x314/0x550 [thunderx_mmc]
> > [ 19.346147] [] pci_device_probe+0x158/0x1f8
> > [ 19.346162] [] driver_probe_device+0x394/0x5f8
> > [ 19.346174] [] __driver_attach+0x154/0x158
> > [ 19.346185] [] bus_for_each_dev+0xdc/0x140
> > [ 19.346196] [] driver_attach+0x38/0x48
> > [ 19.346207] [] bus_add_driver+0x290/0x3c8
> > [ 19.346219] [] driver_register+0xbc/0x1a0
> > [ 19.346232] [] __pci_register_driver+0xc4/0xd8
> > [ 19.346260] [] thunder_mmc_driver_init+0x24/0x10000 [thunderx_mmc]
> > [ 19.346273] [] do_one_initcall+0x98/0x1c0
> > [ 19.346289] [] do_init_module+0xe0/0x2cc
> > [ 19.346303] [] load_module+0x3238/0x35c0
> > [ 19.346318] [] SyS_finit_module+0x190/0x1a0
> > [ 19.346329] [] __sys_trace_return+0x0/0x4
> >
> > This is caused by:
> >
> > platform_device_register()
> > -> platform_device_unregister(to_platform_device(dev))
> >    freeing struct device
> > -> of_node_clear_flag(dev->of_node, ...)
> >    writing to the freed device
> >
> > The issue is solved by increasing the reference count before calling
> > of_platform_device_destroy() so freeing the device is postponed after
> > the call.
> >
> > Fixes: 8fb83b142823 ("mmc: cavium: Fix probing race with regulator")
> > Signed-off-by: Jan Glauber > > --- > > drivers/mmc/host/cavium-thunderx.c | 6 +++++- > > 1 file changed, 5 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/mmc/host/cavium-thunderx.c b/drivers/mmc/host/cavium-thunderx.c > > index b9cc95998799..eee08d81b242 100644 > > --- a/drivers/mmc/host/cavium-thunderx.c > > +++ b/drivers/mmc/host/cavium-thunderx.c > > @@ -7,6 +7,7 @@ > > * > > * Copyright (C) 2016 Cavium Inc. > > */ > > +#include > > #include > > #include > > #include > > @@ -149,8 +150,11 @@ static int thunder_mmc_probe(struct pci_dev *pdev, > > for (i = 0; i < CAVIUM_MAX_MMC; i++) { > > if (host->slot[i]) > > cvm_mmc_of_slot_remove(host->slot[i]); > > - if (host->slot_pdev[i]) > > + if (host->slot_pdev[i]) { > > + get_device(&host->slot_pdev[i]->dev); > > of_platform_device_destroy(&host->slot_pdev[i]->dev, NULL); > > + put_device(&host->slot_pdev[i]->dev); > > Why do you think this is Cavium specific? First, the usage in the Cavium driver is quite special. The device is not a platform device, I create this as a dummy device because mmc_parse_of would not work otherwise. Second, I assumed the of_node_clear_flag() after removal of the device is a more general pattern and only not working for our case because of the dummy device hack. I've not looked too closely at the platform code, so I might be wrong here. > >From my look of it, the problem is in of_platform_device_destroy. We > should save the node ptr before the unregister call and use that to > clear the flags. This would be a larger patch and would need much more testing I guess. --Jan
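Review bot: The get_device()/put_device() pair around of_platform_device_destroy() in the thunder_mmc_probe hunk only protects this one caller; the read of dev->of_node after platform_device_unregister() is inside of_platform_device_destroy() itself, so any other caller whose device drops its last reference during the unregister call hits the same read that KASAN reported. Saving the node pointer before unregistering, as suggested in the reply (a `struct device_node *np = dev->of_node;` taken at the top of of_platform_device_destroy() and the flags cleared on np afterwards), removes the bug at its source, after which this driver-side workaround could be dropped. As a stopgap the hunk is consistent: the extra reference is taken on &host->slot_pdev[i]->dev, the destroy call sits between get and put, and the put releases exactly that reference. A sentence in the commit message saying the fix is a caller-side workaround pending a change in of_platform_device_destroy() would help the next reader.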
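A toy model of the ordering bug and of the two fixes discussed in this thread, added here as an example; it is not code from the email or from the kernel patch. It stands in for struct device, platform_device_unregister() and of_platform_device_destroy() with a refcount and a freed flag (assumed simplifications, not kernel semantics), so a read after the last reference is dropped is counted instead of corrupting memory as in the KASAN report.

```c
#include <stdbool.h>
/* Constructed stand-ins for the kernel types; not kernel code. */
struct device_node { unsigned long flags; };
struct device { int refcount; bool freed; struct device_node *of_node; };
static int uaf_reads; /* reads of dev->of_node after the device was released */

static void get_device(struct device *dev) { dev->refcount++; }
static void put_device(struct device *dev)
{
    if (--dev->refcount == 0)
        dev->freed = true; /* stands in for kfree() of the struct device */
}
/* Unregistering drops the reference that registration held. */
static void platform_device_unregister(struct device *dev) { put_device(dev); }
static struct device_node *read_of_node(struct device *dev)
{
    if (dev->freed) uaf_reads++; /* the access KASAN reported */
    return dev->of_node;
}

/* Order from the commit message: unregister first, then touch dev->of_node. */
static void destroy_buggy(struct device *dev)
{
    platform_device_unregister(dev);
    read_of_node(dev)->flags = 0; /* of_node_clear_flag(dev->of_node, ...) */
}
/* Fix at the source (Rob's suggestion): save the node pointer first. */
static void destroy_fixed(struct device *dev)
{
    struct device_node *np = read_of_node(dev);
    platform_device_unregister(dev);
    np->flags = 0;
}
/* Driver-side workaround from the patch: hold an extra reference. */
static void destroy_with_extra_ref(struct device *dev)
{
    get_device(dev);
    destroy_buggy(dev);
    put_device(dev); /* last reference: the device is released here instead */
}

/* Runs one strategy on a fresh device; returns the use-after-free read count. */
static int run(void (*destroy)(struct device *))
{
    struct device_node np = { .flags = 1 };
    struct device dev = { .refcount = 1, .freed = false, .of_node = &np };
    uaf_reads = 0;
    destroy(&dev);
    return uaf_reads;
}
```

Only destroy_buggy() reports a read after release; both the caller-side reference and the saved-pointer variant report none, which is the difference Rob and Jan are weighing.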