Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755715AbdIGSO0 (ORCPT <rfc822;w@1wt.eu>);
        Thu, 7 Sep 2017 14:14:26 -0400
Received: from mail-bn3nam01on0089.outbound.protection.outlook.com ([104.47.33.89]:28736
        "EHLO NAM01-BN3-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1755172AbdIGSOY (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 7 Sep 2017 14:14:24 -0400
Authentication-Results: spf=none (sender IP is )
 smtp.mailfrom=Jan.Glauber@cavium.com; 
Date: Thu, 7 Sep 2017 20:14:09 +0200
From: Jan Glauber <jan.glauber@caviumnetworks.com>
To: Rob Herring <robh+dt@kernel.org>
Cc: Ulf Hansson <ulf.hansson@linaro.org>,
        David Daney <david.daney@cavium.com>,
        "linux-mmc@vger.kernel.org" <linux-mmc@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] mmc: cavium: Fix use-after-free in
 of_platform_device_destroy
Message-ID: <20170907181409.GA27717@hc>
References: <20170907112417.21495-1-jglauber@cavium.com>
 <CAL_JsqJcG_dtGA7uje1gEeQUT=7P89-3r8=zuFiGJPu6hmsDUQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAL_JsqJcG_dtGA7uje1gEeQUT=7P89-3r8=zuFiGJPu6hmsDUQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Originating-IP: [46.223.66.108]
X-ClientProxiedBy: DB6PR0601CA0034.eurprd06.prod.outlook.com (10.169.209.20)
 To CY1PR07MB2585.namprd07.prod.outlook.com (10.167.16.135)
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 2c166875-8da0-4554-9606-08d4f61c436a
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(300000503095)(300135400095)(2017052603199)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);SRVR:CY1PR07MB2585;
X-Microsoft-Exchange-Diagnostics: 1;CY1PR07MB2585;3:uurUs3uR/0I8Ug9Nr9T4TQTibl16PaSlsfa9g8ZMw2gR1R5r7JtwdS9/lmC6hDjwAUqZ7wmhCgUZzaV53iWrGF4J1y4LRSjDeKpj0y9zySrGO0Jvu/x307j9FobcyiVoJtI0s+tXOTssaITN8yIQ9jxGRu9mW4mrFCDukjiDslWXNJswSwDrGhSK/hDhF4GB8sYuSvZXq7zlYIQbbkuNgLAWhSSFESYiU1F37tR81Lftbm5if8bIl+4w8gCkxRtt;25:3RFSvvInGBpmTqkuRj9COK65NIbY1elmdzw3kbZdpBrLqkBK7HhftKW3UuOowDynly+asxFO7jFA40VEfvYyfQXh0n0K42Bo9qIFfAkn1k4lHBoXuI/+JdNxR3VCLaAQcf+H7WSwMKk5hUUltONim9KJpwsg+SxZ0wqwry5EwFkT2bpwML7sqBGHREXWbqZa31kS9XvHXCFZpBYgNw3Vurj6kUhSwDdoNQlqqFf5F0/U/zLV+Vmx94a1hflPWcQUQebbSOa+cZSXmt3cRiO6nVRfk2qZRqPLvVutW0lXcVZucUQnYSTwCmV0bArkFlgbTW2H7PWtzZCwRlYtSFwy+g==;31:U0+babCSwjhkncl57fxAfK1J1N+PwKtLkHXTbEDfsFwZgHJXQfXpWZ4FYxd5MzY4kh2PAGCrcRGZoYmlFGqcksPtPwBaZRfPkTPm6KRLaiBlVdceNR94Nl/RiO9zPrKNq7kh0Gxu5/gqCmshvBYYC/W7blNnZ+Qb38YR0K+rekZgIqAYT8kS1Fqg9AmuQA9VNgSOmjjAJ0eeUMHeq1MfuJR3+eZIdePectYSObZDswI=
X-MS-TrafficTypeDiagnostic: CY1PR07MB2585:
X-Microsoft-Exchange-Diagnostics: 1;CY1PR07MB2585;20:nVBFIvRUjETTOUlz6qdgZy8aFT5L7yQYVhgmcZfHWTp1CzdSJZVY48nF5Yf58rCKpJX8atjxk68740nPobxfOYdnc9NvIVkxIKowyYvp3rRQQRjypGbZGozx1OABbgepIq16iCDrObYZJwzB5Ef3x4oLLCqIUMB1p7ftt6mVHfbcVsaouSrbSDCdB0F7pWi51lExD5q/3dLocr9pQeGTjLrACfoW1vV0cCrDSeak3JIl+cfk+7V2l0ihXPxkErqk5L4xhdU2FJJfargHFUSpraMWaNnor6dAUdDzwHL9gSvxgo3qWIUFSpMfYCrtecB+OZuPeQbr7GZGeNpQlPAPOvO7Dlmah8l7XudUYNqpZpXebRZiJs8l+nzeLnTaXkXDb+0L4ibgIiGEVBYuq+gNADv2TND2GlEH7NHO+o8AznvYliUluhBYttMydEp/K2LU1rfCTJ91f5YNEKN4tVdB4hqiPb0Tho41THh59XZnz8iWSDSQLYEVyWDGiAAzN8SKBrl+mID4gLyFk6vYjgrLwiJHe1s39MJmCcHfPIaTQsecBAmUZ5r85D/0uzEyovQxrqU+JfxEQPuO0vADLlzQRTKgXymnD8z8yMB+bAbgTo4=;4:IQ+WjLgEMXQWAnVdGKZCc0W6UlNneMNj+UgLII5ailNdRO/pKugRdYKxdXcbxtxaY8apOiBwE4HrcQg4hWPTMJ+dXC67w5z5blY2cBjfirPdAtijdeRI7yFZw3CWYvdn+LLWpsdOY6OOsR3C/9sWcHO7IuazYA127MjwfprVQHDOzSrr1EtgCZbYomeU2auPIU+TiBpRqzDOYT0iaVBQVYe04k64s40Xlq5NWyLJTHGq3yCD8bjLMfqEDOzanKBP
X-Exchange-Antispam-Report-Test: UriScan:;
X-Microsoft-Antispam-PRVS: <CY1PR07MB25858EA57D78C56AF8453B7391940@CY1PR07MB2585.namprd07.prod.outlook.com>
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(10201501046)(3002001)(93006095)(100000703101)(100105400095)(6041248)(20161123560025)(20161123564025)(20161123558100)(20161123555025)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:CY1PR07MB2585;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:CY1PR07MB2585;
X-Forefront-PRVS: 04238CD941
X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10009020)(6009001)(39860400002)(377454003)(24454002)(189002)(199003)(42186005)(54906002)(1076002)(42882006)(305945005)(53936002)(2950100002)(47776003)(81156014)(6496005)(81166006)(8676002)(9686003)(76176999)(54356999)(68736007)(50986999)(110136004)(7736002)(105586002)(106356001)(53546010)(6246003)(5660300001)(101416001)(72206003)(55016002)(229853002)(23726003)(4326008)(83506001)(4001350100001)(6116002)(3846002)(25786009)(33656002)(2906002)(230783001)(189998001)(33716001)(478600001)(6666003)(5890100001)(8936002)(50466002)(66066001)(97736004)(18370500001);DIR:OUT;SFP:1101;SCL:1;SRVR:CY1PR07MB2585;H:hc;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en;
X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1;CY1PR07MB2585;23:pELsRNvIy8KAzNe65lOqnq0sM3iSQnZ7YtAVwUfuB?=
 =?us-ascii?Q?fD5A3KAVF1raKhI644oxq6W6CJBOWwrtP0EvV0fvcLb/hYBeyGUONe3WSwf1?=
 =?us-ascii?Q?Vtqx6Tif3UeNvjbOd1SX/fPR33gKIQ8WzZsXSC2Y66icSVmYyFtYKsce3SG2?=
 =?us-ascii?Q?NGP2iHEjbuQ1OjXpz42u+uac2EvSdhayXVvSqGJ9jGSqIWwYIFDSuudw0uTM?=
 =?us-ascii?Q?6TEepLkJ8HUJTJiqc2SCYFzs2kEEHVLKkc6ICap5ZzpTUdLF1cIeIcLoZ4Np?=
 =?us-ascii?Q?RkyyclsVZOFVANmPYgDaK7Kdkm1qpemkp8F03M5dcYbHOvrj81WYSY/PnG+D?=
 =?us-ascii?Q?XSlQIcsmLmk5hSNQ70mGr2FEv4MBF020AEQv2vwwDLaVVaLCcd1e8Yv0du23?=
 =?us-ascii?Q?IO3DC0DMbq/HW9XB8ENNkICsbpawCqpplYfiLryiYN6iTNlJIAfvJJ+x6YXv?=
 =?us-ascii?Q?kGeOSiIBUC+b3hvtJma6jAstROGtSfe/EgPyVmcdgf9MLL+ou73STiwzwpxH?=
 =?us-ascii?Q?kPWHeHwIAEXA8AWt/w9DpWCR0r8FyXWs+Jaqu/Ndz8CWeKYRRbVPJoRngJf+?=
 =?us-ascii?Q?12S9s/jFm1z0aQGiv2Gn3oOGX6htWP0QIb8hYibj7rgdNOYI+q9iVXG2jOfC?=
 =?us-ascii?Q?Sruw7hbjpkyCt8fl4rry8DCDSPaSNhUiDn96mlrx9f+sOeMQCzCAwNuqS7dE?=
 =?us-ascii?Q?S0O6Yejd+warIs/KzlfnXHJuQ+DnqWn8AwjWcP906eMZfzjsoJICUsWomayc?=
 =?us-ascii?Q?ESPxAgseEL04JEfrFQ24l0pVPKGKWjQSzszy9c4CRGiLa1x7Me7Y1BUT9Qhv?=
 =?us-ascii?Q?nMZIAuq5fgIEwNf6wAQEwwvvcX/w9PWVU7Kc6AuxuNi6A/MeOjSdOKxAYV8+?=
 =?us-ascii?Q?edRvUAWygoQWDNov/0V3YqXs8s0tUP2mGsQSdllkxLNKeKDlpXuDQ8Ug4LsH?=
 =?us-ascii?Q?PLnaLPI9SX2lcmkLyZm3zpQBa+/cDP/yTIQw5dDzHeCP2YcnzIv83L9PHLok?=
 =?us-ascii?Q?ETF70mAcsUNty9W28zhiQXqqAtvs0Ao4jRQa5orQUAcHEBYQlgxroIZUVj/I?=
 =?us-ascii?Q?HOPl+wGfO76wcHEG3vVx8XYwuGZDBp9YVZ+c+vwlQnVer30c6b5J4cNvB3Cf?=
 =?us-ascii?Q?h5yyJGs3sUQTOoG6qc1iqkBnKx1j9N+P2JBN8ngmY1Vzt2sc7Q2wtb3Li3BW?=
 =?us-ascii?Q?7V3hkipiIbwNF3/3Jw6YLrTHl9rNYhppLrqdZlFyiozBgRQmLddLUpgnR7iU?=
 =?us-ascii?Q?Wz6wxnB2mKAorDrHrAkkom7WDv3+JAixQX8E9j5Wek5wzG6J5QjkwI1YBJb/?=
 =?us-ascii?B?UT09?=
X-Microsoft-Exchange-Diagnostics: 1;CY1PR07MB2585;6:k6c4mctUOEqPK8W8fKfDaOvvIi2amTAsEmo47F7v+AUIZ3GLfBeNU3Yh1AUGxPp5nu7HnHtdR4gle5lDPCDbQXfdxHXz7g0J/oMYn+Uvh61qX+QrfowsRmowsLqo9f2qcjDfBIrZvYklSSN7P/odH2syr1txz8fYaAzviMQp2gAneV8/Mr52KXIdlOVQaTyjHSKAwFJd63N5YLyhUP6XtHxfuOfHrGw3gmH21HtJuo7oTlHZIQybZM8/pM3XkaMlES6rYwUQSzN9bT58UV6iCuhF1X4IIjuAN+PkqzbRDxrUBVseZNMZRS+X1BPDT0JU7dRGlTPjpSlKjpHN37fevA==;5:HbStrSwfUT5lKo69S+c4lN5j62qaui7x7amLm7i0252NpV/BsIhYtbhx5X11lNvn8sHr+StOefRs9a7mRiw8g1GNcdsPbrN4YmRR7euuehNj9Ue/IgPx2F6mTGtXoY80+lh3K/YOSCWUIwD6UiFjnw==;24:Yj8XwmF/ufN3Rcwz57Lo09zjR8h9v+IHrtqIGeyzrB7ByuFLGdLNEedpaf2SSfxSv6JLUn6sf80JvO0tqAldLfCdJNoAG0Qr7DUro3stxc4=;7:mCX53glv4QS40l7hWOjNTHlV6Da/wBVvtWIM0ZfP5GgJbC49t7K78XTuqiJDn9fiS7ZkuKIYQEeR7HJ42uOuJknUi7QM/3a6ojQVTy/S30Lt5eIiMbvX5EA2pW94g2pDP7XC3ljelHXmgo3Is4W9FDtAqHvGkUq8LOyz1ls4Y1oX9tI7ejq9CApyCEtwUH6WJEJt2aSSrey92InxMVFc1BCGizwoxDZK17+ueCgG5P8=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: caviumnetworks.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Sep 2017 18:14:20.1814 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 711e4ccf-2e9b-4bcf-a551-4094005b6194
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR07MB2585
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 4485
Lines: 92

On Thu, Sep 07, 2017 at 11:58:58AM -0500, Rob Herring wrote:
> On Thu, Sep 7, 2017 at 6:24 AM, Jan Glauber <jglauber@cavium.com> wrote:
> > KASAN reported the following:
> >
> > [   19.338655] ==================================================================
> > [   19.345946] BUG: KASAN: use-after-free in of_platform_device_destroy+0x88/0x100
> > [   19.345966] Read of size 8 at addr fffffe01aa6f1468 by task systemd-udevd/264
> >
> > [   19.345983] CPU: 1 PID: 264 Comm: systemd-udevd Not tainted 4.13.0-jang+ #737
> > [   19.345989] Hardware name: Cavium ThunderX CN81XX board (DT)
> > [   19.345995] Call trace:
> > [   19.346013] [<fffffc800808b1b0>] dump_backtrace+0x0/0x368
> > [   19.346026] [<fffffc800808b6bc>] show_stack+0x24/0x30
> > [   19.346040] [<fffffc8008cbb944>] dump_stack+0xa4/0xc8
> > [   19.346057] [<fffffc80082c2870>] print_address_description+0x68/0x258
> > [   19.346070] [<fffffc80082c2d70>] kasan_report+0x238/0x2f8
> > [   19.346082] [<fffffc80082c14a8>] __asan_load8+0x88/0xb8
> > [   19.346098] [<fffffc8008aacee0>] of_platform_device_destroy+0x88/0x100
> > [   19.346131] [<fffffc8000e02fa4>] thunder_mmc_probe+0x314/0x550 [thunderx_mmc]
> > [   19.346147] [<fffffc800879d560>] pci_device_probe+0x158/0x1f8
> > [   19.346162] [<fffffc800886e53c>] driver_probe_device+0x394/0x5f8
> > [   19.346174] [<fffffc800886e8f4>] __driver_attach+0x154/0x158
> > [   19.346185] [<fffffc800886b12c>] bus_for_each_dev+0xdc/0x140
> > [   19.346196] [<fffffc800886d9f8>] driver_attach+0x38/0x48
> > [   19.346207] [<fffffc800886d148>] bus_add_driver+0x290/0x3c8
> > [   19.346219] [<fffffc800886fc5c>] driver_register+0xbc/0x1a0
> > [   19.346232] [<fffffc800879b78c>] __pci_register_driver+0xc4/0xd8
> > [   19.346260] [<fffffc8000e80024>] thunder_mmc_driver_init+0x24/0x10000 [thunderx_mmc]
> > [   19.346273] [<fffffc8008083a80>] do_one_initcall+0x98/0x1c0
> > [   19.346289] [<fffffc8008177b54>] do_init_module+0xe0/0x2cc
> > [   19.346303] [<fffffc8008175cf0>] load_module+0x3238/0x35c0
> > [   19.346318] [<fffffc8008176438>] SyS_finit_module+0x190/0x1a0
> > [   19.346329] [<fffffc80080834a0>] __sys_trace_return+0x0/0x4
> >
> > This is caused by:
> >
> >   platform_device_register()
> >    -> platform_device_unregister(to_platform_device(dev))
> >         freeing struct device
> >    -> of_node_clear_flag(dev->of_node, ...)
> >         writing to the freed device
> >
> > The issue is solved by increasing the reference count before calling
> > of_platform_device_destroy() so freeing the device is postponed after
> > the call.
> >
> > Fixes: 8fb83b142823 ("mmc: cavium: Fix probing race with regulator")
> > Signed-off-by: Jan Glauber <jglauber@cavium.com>
> > ---
> >  drivers/mmc/host/cavium-thunderx.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/mmc/host/cavium-thunderx.c b/drivers/mmc/host/cavium-thunderx.c
> > index b9cc95998799..eee08d81b242 100644
> > --- a/drivers/mmc/host/cavium-thunderx.c
> > +++ b/drivers/mmc/host/cavium-thunderx.c
> > @@ -7,6 +7,7 @@
> >   *
> >   * Copyright (C) 2016 Cavium Inc.
> >   */
> > +#include <linux/device.h>
> >  #include <linux/dma-mapping.h>
> >  #include <linux/interrupt.h>
> >  #include <linux/mmc/mmc.h>
> > @@ -149,8 +150,11 @@ static int thunder_mmc_probe(struct pci_dev *pdev,
> >         for (i = 0; i < CAVIUM_MAX_MMC; i++) {
> >                 if (host->slot[i])
> >                         cvm_mmc_of_slot_remove(host->slot[i]);
> > -               if (host->slot_pdev[i])
> > +               if (host->slot_pdev[i]) {
> > +                       get_device(&host->slot_pdev[i]->dev);
> >                         of_platform_device_destroy(&host->slot_pdev[i]->dev, NULL);
> > +                       put_device(&host->slot_pdev[i]->dev);
> 
> Why do you think this is Cavium specific?

First, the usage in the Cavium driver is quite special. The device
is not a platform device, I create this as a dummy device because
mmc_parse_of would not work otherwise.

Second, I assumed the of_node_clear_flag() after removal of the device
is a more general pattern and only not working for our case because
of the dummy device hack. I've not looked too closely at the platform
code, so I might be wrong here.

> >From my look of it, the problem is in of_platform_device_destroy. We
> should save the node ptr before the unregister call and use that to
> clear the flags.

This would be a larger patch and would need much more testing I guess.

--Jan