From: frowand.list@gmail.com
To: robh+dt@kernel.org, Michael Bringmann, linuxppc-dev@lists.ozlabs.org
Cc: Michael Ellerman, Tyrel Datwyler, Thomas Falcon, Juliet Kim, devicetree@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 0/2] of: phandle_cache, fix refcounts, remove stale entry
Date: Tue, 18 Dec 2018 11:40:01 -0800
Message-Id: <1545162003-11577-1-git-send-email-frowand.list@gmail.com>
X-Mailer: git-send-email 1.9.1
X-Mailing-List: linux-kernel@vger.kernel.org

From: Frank Rowand

Non-overlay dynamic devicetree node removal may leave the node in the
phandle cache. Subsequent calls to of_find_node_by_phandle() will
incorrectly find the stale entry. This bug exposed the following
phandle cache refcount bug.

The refcount of phandle_cache entries is not incremented while in
the cache, allowing use after free error after kfree() of the
cached entry.

Changes since v2:
  - patch 2/2: add temporary variable np in __of_free_phandle_cache_entry()
    to improve readability
  - patch 2/2: explain reason for WARN_ON() in comment
  - patch 2/2: add Fixes tag in patch comment

Changes since v1:
  - make __of_free_phandle_cache() static
  - add WARN_ON(1) for unexpected condition in of_find_node_by_phandle()

Frank Rowand (2):
  of: of_node_get()/of_node_put() nodes held in phandle cache
  of: __of_detach_node() - remove node from phandle cache

 drivers/of/base.c       | 101 ++++++++++++++++++++++++++++++++++++------------
 drivers/of/dynamic.c    |   3 ++
 drivers/of/of_private.h |   4 ++
 3 files changed, 83 insertions(+), 25 deletions(-)

-- 
Frank Rowand
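
A userspace C model of the two changes named in the series, added here as an illustration and not taken from the patches or the kernel: the cache holds its own reference on each stored node, and detaching a node clears its cache slot. The struct, the direct-mapped cache layout, the miss-returns-NULL lookup and every function body are assumptions made for the example.

```c
/* Userspace model only: constructed for illustration, not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#define CACHE_SIZE 8                      /* assumed power-of-two size */
#define SLOT(ph) (&cache[(ph) & (CACHE_SIZE - 1)])

struct node { unsigned phandle; int refcount; };
static struct node *cache[CACHE_SIZE];
static int freed;                         /* nodes released so far */

static struct node *node_get(struct node *np) { if (np) np->refcount++; return np; }
static void node_put(struct node *np) { if (np && --np->refcount == 0) { freed++; free(np); } }
static struct node *node_new(unsigned phandle)
{
    struct node *np = calloc(1, sizeof(*np));
    if (!np) abort();
    np->phandle = phandle;
    np->refcount = 1;                     /* reference owned by the tree */
    return np;
}
/* Patch 1/2 idea: the cache holds its own reference on a stored node. */
static void cache_insert(struct node *np)
{
    if (*SLOT(np->phandle) == np) return; /* already cached */
    node_put(*SLOT(np->phandle));         /* release the evicted entry */
    *SLOT(np->phandle) = node_get(np);
}
/* Returns a new reference for the caller, or NULL on a cache miss. */
static struct node *find_by_phandle(unsigned phandle)
{
    struct node *np = *SLOT(phandle);
    return (np && np->phandle == phandle) ? node_get(np) : NULL;
}
/* Patch 2/2 idea: detaching a node also clears its cache slot. */
static void detach_node(struct node *np)
{
    if (*SLOT(np->phandle) == np) { *SLOT(np->phandle) = NULL; node_put(np); }
    node_put(np);                         /* drop the tree's reference */
}
int main(void)
{
    struct node *np = node_new(0x11), *held;
    cache_insert(np);
    held = find_by_phandle(0x11);         /* caller's reference */
    detach_node(np);
    printf("stale hit: %d, freed early: %d\n", find_by_phandle(0x11) != NULL, freed);
    node_put(held);                       /* last reference: node freed here */
    return 0;
}
```

Without the reference taken in cache_insert(), the node's memory could be released while the cache still pointed at it; without the slot clear in detach_node(), a later lookup would return the removed node.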