From: Stephen Boyd <sboyd@kernel.org>
To: "Nuno Sá" <nuno.sa@analog.com>, linux-clk@vger.kernel.org
Cc: Michael Turquette <mturquette@baylibre.com>
Subject: Re: [RFC PATCH 2/4] clk: fix clk not being unlinked from consumers list
Date: Thu, 21 Apr 2022 17:20:01 -0700
Message-ID: <20220422002003.3120DC385A7@smtp.kernel.org>
In-Reply-To: <20220407133036.213217-3-nuno.sa@analog.com>

Quoting Nuno Sá (2022-04-07 06:30:34)
> When a clk_hw is resgistered we add a struct clk handle to it's

s/resgistered/registered/

> consumers list.

Please add that the clk handle is created in __clk_register() per the
alloc_clk() call.

> Hence, we need to remove it when unregistering the
> clk_hw. This could actually lead to a use after free if a provider get's

s/get's/gets/

> removed before a consumer. When removing the consumer, __clk_put() is
> called and that will do 'hlist_del(&clk->clks_node)' which will touch in
> already freed memory.

Did this actually happen? I don't see how __clk_put() is called on the
internal hw->clk pointer. This pointer in hw->clk should be removed but
so far we've kept it around and various clk providers have used it. If
we start removing it now I'm not sure it will work because we would
probably expose many dangling pointer problems.
>
> Fixes: 1df4046a93e08 ("clk: Combine __clk_get() and __clk_create_clk()")
> Signed-off-by: Nuno Sá <nuno.sa@analog.com>
> ---
> drivers/clk/clk.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
> index ed119182aa1b..e82c3ee1da13 100644
> --- a/drivers/clk/clk.c
> +++ b/drivers/clk/clk.c
> @@ -4198,6 +4198,7 @@ void clk_unregister(struct clk *clk)
> pr_warn("%s: unregistering protected clock: %s\n",
> __func__, clk->core->name);
>
> + clk_core_unlink_consumer(clk);
> kref_put(&clk->core->ref, __clk_release);
> free_clk(clk);
> unlock:
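Review bot: the added clk_core_unlink_consumer(clk) call in clk_unregister() carries no comment saying why this handle has to leave the consumers list before free_clk(clk), and the changelog does not show a call path on which __clk_put() later reaches the freed node. A short comment above the call naming the handle as the one linked at registration, together with a changelog sentence describing how the stale list entry gets touched, would let a reader verify the fix against the claimed use after free. The call also sits above the unlock: label, so it is worth confirming that the helper is meant to run with the lock taken earlier in this function still held.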
> --
> 2.35.1
>
Thread overview: 10+ messages
2022-04-07 13:30 [RFC PATCH 0/4] Dynamic OF and use after free related fixes Nuno Sá
2022-04-07 13:30 ` [RFC PATCH 1/4] clk: clk-conf: properly release of nodes Nuno Sá
2022-04-21 19:58 ` Stephen Boyd
2022-04-22 7:18 ` Sa, Nuno
2022-04-22 7:20 ` Sa, Nuno
2022-04-07 13:30 ` [RFC PATCH 2/4] clk: fix clk not being unlinked from consumers list Nuno Sá
2022-04-22 0:20 ` Stephen Boyd [this message]
2022-04-22 7:40 ` Sa, Nuno
2022-04-07 13:30 ` [RFC PATCH 3/4] clk: refcount the active parent clk_core Nuno Sá
2022-04-07 13:30 ` [RFC PATCH 4/4] clk: use clk_core_unlink_consumer() helper Nuno Sá