From: Wen Yang
To: linux-kernel@vger.kernel.org
Cc: xue.zhihong@zte.com.cn, wang.yi59@zte.com.cn, cheng.shengyu@zte.com.cn, Wen Yang, Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman, Rob Herring, linuxppc-dev@lists.ozlabs.org
Subject: [PATCH] powerpc: fix use-after-free on fixup_port_irq()
Date: Fri, 5 Jul 2019 16:59:36 +0800
Message-Id: <1562317176-13317-1-git-send-email-wen.yang99@zte.com.cn>

There is a possible use-after-free issue in the fixup_port_irq():

460 static void __init fixup_port_irq(int index,
461                                   struct device_node *np,
462                                   struct plat_serial8250_port *port)
463 {
...
469         if (!virq && legacy_serial_infos[index].irq_check_parent) {
470                 np = of_get_parent(np);  --> modified here.
...
474                 of_node_put(np); ---> released here
475         }
...
481 #ifdef CONFIG_SERIAL_8250_FSL
482         if (of_device_is_compatible(np, "fsl,ns16550")) --> dereferenced here
...
484 #endif
485 }

We solve this problem by introducing a new parent_np variable.

Fixes: 9deaa53ac7fa ("serial: add irq handler for Freescale 16550 errata.")
Signed-off-by: Wen Yang
Cc: Benjamin Herrenschmidt
Cc: Paul Mackerras
Cc: Michael Ellerman
Cc: Rob Herring
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-kernel@vger.kernel.org
--- arch/powerpc/kernel/legacy_serial.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/arch/powerpc/kernel/legacy_serial.c b/arch/powerpc/kernel/legacy_serial.c index 7cea597..0105f3e 100644 --- a/arch/powerpc/kernel/legacy_serial.c +++ b/arch/powerpc/kernel/legacy_serial.c
@@ -461,17 +461,18 @@ static void __init fixup_port_irq(int index, struct device_node *np, struct plat_serial8250_port *port) { + struct device_node *parent_np; unsigned int virq; DBG("fixup_port_irq(%d)\n", index); virq = irq_of_parse_and_map(np, 0); if (!virq && legacy_serial_infos[index].irq_check_parent) { - np = of_get_parent(np); - if (np == NULL) + parent_np = of_get_parent(np); + if (parent_np == NULL) return; - virq = irq_of_parse_and_map(np, 0); - of_node_put(np); + virq = irq_of_parse_and_map(parent_np, 0); + of_node_put(parent_np); } if (!virq) return; -- 2.9.5
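
Review bot: In the irq_check_parent branch, leaving np untouched means the later of_device_is_compatible(np, "fsl,ns16550") test (line 482 in the commit message excerpt) now runs against the port node, where before it ran against the parent node that np had been overwritten with. That is a behaviour change on top of the refcount fix, so the commit message should state it and confirm that the port node is the one meant to be matched. Minor: parent_np is only used inside that branch and could be declared there, and "if (parent_np == NULL)" would be more in keeping with kernel style as "if (!parent_np)".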