From: Rob Herring <robh@kernel.org>
To: Lizhi Hou <lizhi.hou@xilinx.com>
Cc: linux-kernel@vger.kernel.org, linux-fpga@vger.kernel.org,
	maxz@xilinx.com, sonal.santan@xilinx.com, yliu@xilinx.com,
	michal.simek@xilinx.com, stefanos@xilinx.com,
	devicetree@vger.kernel.org, trix@redhat.com, mdf@kernel.org,
	dwmw2@infradead.org, Max Zhen <max.zhen@xilinx.com>
Subject: Re: [PATCH V2 XRT Alveo Infrastructure 3/9] of: handle fdt buffer alignment inside unflatten function
Date: Mon, 29 Nov 2021 19:57:19 -0600	[thread overview]
Message-ID: <YaWE/2ikgpXi2hzY@robh.at.kernel.org> (raw)
In-Reply-To: <20211119222412.1092763-4-lizhi.hou@xilinx.com>

On Fri, Nov 19, 2021 at 02:24:06PM -0800, Lizhi Hou wrote:
> Add alignment check to of_fdt_unflatten_tree(). If it is not aligned,
> allocate an aligned buffer and copy the fdt blob. So the caller does not
> have to deal with the buffer alignment before calling this function.
> XRT uses this function to unflatten fdt which is from Alveo firmware.
> 
> Signed-off-by: Sonal Santan <sonal.santan@xilinx.com>
> Signed-off-by: Max Zhen <max.zhen@xilinx.com>
> Signed-off-by: Lizhi Hou <lizhi.hou@xilinx.com>
> ---
>  drivers/of/fdt.c | 17 ++++++++++++++++-
>  1 file changed, 16 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
> index 4546572af24b..d64445e43ceb 100644
> --- a/drivers/of/fdt.c
> +++ b/drivers/of/fdt.c
> @@ -455,13 +455,28 @@ void *of_fdt_unflatten_tree(const unsigned long *blob,
>  			    struct device_node *dad,
>  			    struct device_node **mynodes)
>  {
> +	void *new_fdt = NULL, *fdt_align;
>  	void *mem;
>  
> +	if (fdt_check_header(blob)) {
> +		pr_err("Invalid fdt blob\n");
> +		return NULL;
> +	}
> +	fdt_align = (void *)PTR_ALIGN(blob, FDT_ALIGN_SIZE);
> +	if (fdt_align != blob) {
> +		new_fdt = kmalloc(fdt_totalsize(blob) + FDT_ALIGN_SIZE, GFP_KERNEL);
> +		if (!new_fdt)
> +			return NULL;
> +		fdt_align = PTR_ALIGN(new_fdt, FDT_ALIGN_SIZE);

Where's the copy?

> +	}
> +
>  	mutex_lock(&of_fdt_unflatten_mutex);
> -	mem = __unflatten_device_tree(blob, dad, mynodes, &kernel_tree_alloc,
> +	mem = __unflatten_device_tree(fdt_align, dad, mynodes, &kernel_tree_alloc,
>  				      true);
>  	mutex_unlock(&of_fdt_unflatten_mutex);
>  
> +	kfree(new_fdt);
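Review bot: the realigned path never copies the blob into new_fdt, so when `fdt_align != blob` the call `mem = __unflatten_device_tree(fdt_align, dad, mynodes, &kernel_tree_alloc,` parses `fdt_totalsize(blob) + FDT_ALIGN_SIZE` bytes of uninitialized kmalloc memory; a `memcpy(fdt_align, blob, fdt_totalsize(blob));` would be needed before the `mutex_lock`. Even with the copy in place, the unconditional `kfree(new_fdt);` after `mutex_unlock` is wrong: the node names and property values of the unflattened tree point into the flattened blob rather than being duplicated, so freeing the aligned copy leaves every node returned through `mynodes` holding dangling pointers. The aligned buffer has to live at least as long as the unflattened tree (owned by the caller and freed together with the tree), or the function should refuse a misaligned blob with an error and leave alignment to the caller, which is what the existing interface already expects.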

You know the unflattened DT just references strings and property values 
from the flattened DT. So you just caused a use after free.

Fix your firmware to align the DT.

Rob
