* [PATCH] memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()
@ 2024-12-17 9:14 Joe Hattori
From: Joe Hattori @ 2024-12-17 9:14 UTC (permalink / raw)
To: krzk, thierry.reding, jonathanh; +Cc: linux-tegra, Joe Hattori
As of_find_node_by_name() releases the reference of the given OF node,
tegra_emc_find_node_by_ram_code() releases some OF nodes while still in
use, resulting in possible UAFs. Given the DT structure, utilize the
for_each_child_of_node macro and of_get_child_by_name() to avoid the bug.
This bug was found by an experimental verification tool that I am
developing.
Fixes: 96e5da7c8424 ("memory: tegra: Introduce Tegra20 EMC driver")
Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
---
drivers/memory/tegra/tegra20-emc.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/memory/tegra/tegra20-emc.c b/drivers/memory/tegra/tegra20-emc.c
index 7193f848d17e..9b7d30a21a5b 100644
--- a/drivers/memory/tegra/tegra20-emc.c
+++ b/drivers/memory/tegra/tegra20-emc.c
@@ -474,14 +474,15 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
ram_code = tegra_read_ram_code();
- for (np = of_find_node_by_name(dev->of_node, "emc-tables"); np;
- np = of_find_node_by_name(np, "emc-tables")) {
+ for_each_child_of_node(dev->of_node, np) {
+ if (!of_node_name_eq(np, "emc-tables"))
+ continue;
err = of_property_read_u32(np, "nvidia,ram-code", &value);
if (err || value != ram_code) {
struct device_node *lpddr2_np;
bool cfg_mismatches = false;
- lpddr2_np = of_find_node_by_name(np, "lpddr2");
+ lpddr2_np = of_get_child_by_name(np, "lpddr2");
if (lpddr2_np) {
const struct lpddr2_info *info;
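Review bot: the removed first-iteration call of_find_node_by_name(dev->of_node, "emc-tables") puts a reference on dev->of_node that this function never took, and the removed of_find_node_by_name(np, "lpddr2") puts np while the rest of the loop body keeps using it; the replacement with for_each_child_of_node() and of_get_child_by_name() removes both drops, but it also narrows the search from "the next emc-tables node anywhere after the current one in the flattened tree" to direct children of dev->of_node, and "Given the DT structure" in the commit message is not enough to justify that. State that the binding and the in-tree dts files place emc-tables directly under the EMC node and lpddr2 directly under emc-tables, and note that the of_node_name_eq() filter is needed (rather than of_get_child_by_name()) because several emc-tables children, each carrying its own "nvidia,ram-code", sit under the same parent.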
@@ -518,7 +519,6 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
}
if (cfg_mismatches) {
- of_node_put(np);
continue;
}
}
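Review bot: dropping this of_node_put(np) is right only in combination with the for_each_child_of_node() change in the first hunk, because of_get_next_child() then releases the previous child at the top of the next iteration; under the old loop this put was the third drop of np in the mismatch path (after of_find_node_by_name(np, "lpddr2") and the of_find_node_by_name(np, "emc-tables") loop increment), which is the over-release the commit message calls a possible UAF. Suggest spelling that sequence out in the commit message instead of "releases some OF nodes while still in use", and adding that the extra puts only change a live refcount when CONFIG_OF_DYNAMIC is enabled, since of_node_put() is a no-op for a static device tree otherwise; that tells backporters what is actually reachable.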
--
2.34.1
* Re: [PATCH] memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()
From: Krzysztof Kozlowski @ 2024-12-17 9:31 UTC (permalink / raw)
To: Joe Hattori, thierry.reding, jonathanh; +Cc: linux-tegra
On 17/12/2024 10:14, Joe Hattori wrote:
> As of_find_node_by_name() releases the reference of the given OF node,
No, it does not.
> tegra_emc_find_node_by_ram_code() releases some OF nodes while still in
> use, resulting in possible UAFs. Given the DT structure, utilize the
> for_each_child_of_node macro and of_get_child_by_name() to avoid the bug.
>
> This bug was found by an experimental verification tool that I am
> developing.
>
> Fixes: 96e5da7c8424 ("memory: tegra: Introduce Tegra20 EMC driver")
> Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
> ---
> drivers/memory/tegra/tegra20-emc.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/memory/tegra/tegra20-emc.c b/drivers/memory/tegra/tegra20-emc.c
> index 7193f848d17e..9b7d30a21a5b 100644
> --- a/drivers/memory/tegra/tegra20-emc.c
> +++ b/drivers/memory/tegra/tegra20-emc.c
> @@ -474,14 +474,15 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
>
> ram_code = tegra_read_ram_code();
>
> - for (np = of_find_node_by_name(dev->of_node, "emc-tables"); np;
> - np = of_find_node_by_name(np, "emc-tables")) {
> + for_each_child_of_node(dev->of_node, np) {
I don't understand how this change is related to described problem.
> + if (!of_node_name_eq(np, "emc-tables"))
> + continue;
> err = of_property_read_u32(np, "nvidia,ram-code", &value);
> if (err || value != ram_code) {
> struct device_node *lpddr2_np;
> bool cfg_mismatches = false;
>
> - lpddr2_np = of_find_node_by_name(np, "lpddr2");
> + lpddr2_np = of_get_child_by_name(np, "lpddr2");
Why?
> if (lpddr2_np) {
> const struct lpddr2_info *info;
>
> @@ -518,7 +519,6 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
> }
>
> if (cfg_mismatches) {
> - of_node_put(np);
If of_find_node_by_name() drops the reference, why was this needed?
> continue;
Best regards,
Krzysztof
* Re: [PATCH] memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()
From: Joe Hattori @ 2024-12-17 11:07 UTC (permalink / raw)
To: Krzysztof Kozlowski, thierry.reding, jonathanh; +Cc: linux-tegra
On 12/17/24 18:31, Krzysztof Kozlowski wrote:
> On 17/12/2024 10:14, Joe Hattori wrote:
>> As of_find_node_by_name() releases the reference of the given OF node,
>
> No, it does not.
I see that the documentation of of_find_node_by_name() says that it calls
of_node_put(), or am I looking at the wrong code?
/**
* of_find_node_by_name - Find a node by its "name" property
* @from: The node to start searching from or NULL; the node
* you pass will not be searched, only the next one
* will. Typically, you pass what the previous call
* returned. of_node_put() will be called on @from.
* @name: The name string to match against
*
* Return: A node pointer with refcount incremented, use
* of_node_put() on it when done.
*/
>
>> tegra_emc_find_node_by_ram_code() releases some OF nodes while still in
>> use, resulting in possible UAFs. Given the DT structure, utilize the
>> for_each_child_of_node macro and of_get_child_by_name() to avoid the bug.
>>
>> This bug was found by an experimental verification tool that I am
>> developing.
>>
>> Fixes: 96e5da7c8424 ("memory: tegra: Introduce Tegra20 EMC driver")
>> Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
>> ---
>> drivers/memory/tegra/tegra20-emc.c | 8 ++++----
>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/memory/tegra/tegra20-emc.c b/drivers/memory/tegra/tegra20-emc.c
>> index 7193f848d17e..9b7d30a21a5b 100644
>> --- a/drivers/memory/tegra/tegra20-emc.c
>> +++ b/drivers/memory/tegra/tegra20-emc.c
>> @@ -474,14 +474,15 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
>>
>> ram_code = tegra_read_ram_code();
>>
>> - for (np = of_find_node_by_name(dev->of_node, "emc-tables"); np;
>> - np = of_find_node_by_name(np, "emc-tables")) {
>> + for_each_child_of_node(dev->of_node, np) {
>
> I don't understand how this change is related to described problem.
As per the documentation, of_find_node_by_name() calls of_node_put(np), and
the current code is calling of_node_put() before continuing the loop, so
np can be released twice.
>
>> + if (!of_node_name_eq(np, "emc-tables"))
>> + continue;
>> err = of_property_read_u32(np, "nvidia,ram-code", &value);
>> if (err || value != ram_code) {
>> struct device_node *lpddr2_np;
>> bool cfg_mismatches = false;
>>
>> - lpddr2_np = of_find_node_by_name(np, "lpddr2");
>> + lpddr2_np = of_get_child_by_name(np, "lpddr2");
>
> Why?
Given the Devicetree structure, I understand that calling
of_get_child_by_name() suffices here, which also does not release the
reference of np.
>
>> if (lpddr2_np) {
>> const struct lpddr2_info *info;
>>
>> @@ -518,7 +519,6 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
>> }
>>
>> if (cfg_mismatches) {
>> - of_node_put(np);
>
> If of_find_node_by_name() drops the reference, why was this needed?
>> continue;
>
>
>
> Best regards,
> Krzysztof
Best,
Joe
* Re: [PATCH] memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()
From: Krzysztof Kozlowski @ 2024-12-17 11:42 UTC (permalink / raw)
To: Joe Hattori, thierry.reding, jonathanh; +Cc: linux-tegra
On 17/12/2024 12:07, Joe Hattori wrote:
>
>
> On 12/17/24 18:31, Krzysztof Kozlowski wrote:
>> On 17/12/2024 10:14, Joe Hattori wrote:
>>> As of_find_node_by_name() releases the reference of the given OF node,
>>
>> No, it does not.
>
> I see that the documentation of of_find_node_by_name() says that it calls
> of_node_put(), or am I looking at the wrong code?
Hm, it's true that the reference is put, but on the input node, not the
returned one. I don't get which node you are referring to here, thus
which node has a double release or use-after-release.
Maybe it is all about incorrectly dropping this device's device node,
which should never happen in the driver's probe path?
> /**
> * of_find_node_by_name - Find a node by its "name" property
> * @from: The node to start searching from or NULL; the node
> * you pass will not be searched, only the next one
> * will. Typically, you pass what the previous call
> * returned. of_node_put() will be called on @from.
> * @name: The name string to match against
> *
> * Return: A node pointer with refcount incremented, use
> * of_node_put() on it when done.
> */
>
>
>>
>>> tegra_emc_find_node_by_ram_code() releases some OF nodes while still in
>>> use, resulting in possible UAFs. Given the DT structure, utilize the
>>> for_each_child_of_node macro and of_get_child_by_name() to avoid the bug.
>>>
>>> This bug was found by an experimental verification tool that I am
>>> developing.
>>>
>>> Fixes: 96e5da7c8424 ("memory: tegra: Introduce Tegra20 EMC driver")
>>> Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
>>> ---
>>> drivers/memory/tegra/tegra20-emc.c | 8 ++++----
>>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/memory/tegra/tegra20-emc.c b/drivers/memory/tegra/tegra20-emc.c
>>> index 7193f848d17e..9b7d30a21a5b 100644
>>> --- a/drivers/memory/tegra/tegra20-emc.c
>>> +++ b/drivers/memory/tegra/tegra20-emc.c
>>> @@ -474,14 +474,15 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
>>>
>>> ram_code = tegra_read_ram_code();
>>>
>>> - for (np = of_find_node_by_name(dev->of_node, "emc-tables"); np;
>>> - np = of_find_node_by_name(np, "emc-tables")) {
>>> + for_each_child_of_node(dev->of_node, np) {
>>
>> I don't understand how this change is related to described problem.
>
> As per the documentation, of_find_node_by_name() calls of_node_put(np), and
In the first call, no: it will of_node_put(from), not 'np'.
'from' != 'np'.
> the current code is calling of_node_put() before continuing the loop, so
> np can be released twice.
By the second release, you mean in the "if (cfg_mismatches)" path?
Otherwise there is no second release in the for loop.
>
>>
>>> + if (!of_node_name_eq(np, "emc-tables"))
>>> + continue;
>>> err = of_property_read_u32(np, "nvidia,ram-code", &value);
>>> if (err || value != ram_code) {
>>> struct device_node *lpddr2_np;
>>> bool cfg_mismatches = false;
>>>
>>> - lpddr2_np = of_find_node_by_name(np, "lpddr2");
>>> + lpddr2_np = of_get_child_by_name(np, "lpddr2");
>>
>> Why?
>
> Given the Devicetree structure, I understand that calling
> of_get_child_by_name() suffices here, which also does not release the
> reference of np.
So you assume these have to be children. Is it tested with the bindings?
With an actual device?
>
>>
>>> if (lpddr2_np) {
>>> const struct lpddr2_info *info;
>>>
>>> @@ -518,7 +519,6 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
>>> }
>>>
>>> if (cfg_mismatches) {
>>> - of_node_put(np);
>>
>> If of_find_node_by_name() drops the reference, why was this needed?
>>> continue;
>>
Best regards,
Krzysztof
* Re: [PATCH] memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()
From: Dan Carpenter @ 2024-12-17 11:49 UTC (permalink / raw)
To: Krzysztof Kozlowski; +Cc: Joe Hattori, thierry.reding, jonathanh, linux-tegra
On Tue, Dec 17, 2024 at 10:31:23AM +0100, Krzysztof Kozlowski wrote:
> On 17/12/2024 10:14, Joe Hattori wrote:
> > As of_find_node_by_name() releases the reference of the given OF node,
>
> No, it does not.
>
Yeah, it does.
drivers/of/base.c
927 /**
928 * of_find_node_by_name - Find a node by its "name" property
929 * @from: The node to start searching from or NULL; the node
930 * you pass will not be searched, only the next one
931 * will. Typically, you pass what the previous call
932 * returned. of_node_put() will be called on @from.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
933 * @name: The name string to match against
934 *
935 * Return: A node pointer with refcount incremented, use
936 * of_node_put() on it when done.
937 */
938 struct device_node *of_find_node_by_name(struct device_node *from,
939 const char *name)
940 {
941 struct device_node *np;
942 unsigned long flags;
943
944 raw_spin_lock_irqsave(&devtree_lock, flags);
945 for_each_of_allnodes_from(from, np)
946 if (of_node_name_eq(np, name) && of_node_get(np))
947 break;
948 of_node_put(from);
^^^^^
949 raw_spin_unlock_irqrestore(&devtree_lock, flags);
950 return np;
951 }
> > tegra_emc_find_node_by_ram_code() releases some OF nodes while still in
> > use, resulting in possible UAFs. Given the DT structure, utilize the
> > for_each_child_of_node macro and of_get_child_by_name() to avoid the bug.
> >
> > This bug was found by an experimental verification tool that I am
> > developing.
> >
> > Fixes: 96e5da7c8424 ("memory: tegra: Introduce Tegra20 EMC driver")
> > Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
> > ---
> > drivers/memory/tegra/tegra20-emc.c | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/memory/tegra/tegra20-emc.c b/drivers/memory/tegra/tegra20-emc.c
> > index 7193f848d17e..9b7d30a21a5b 100644
> > --- a/drivers/memory/tegra/tegra20-emc.c
> > +++ b/drivers/memory/tegra/tegra20-emc.c
> > @@ -474,14 +474,15 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
> >
> > ram_code = tegra_read_ram_code();
> >
> > - for (np = of_find_node_by_name(dev->of_node, "emc-tables"); np;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This original code is wrong.
> > - np = of_find_node_by_name(np, "emc-tables")) {
> > + for_each_child_of_node(dev->of_node, np) {
>
> I don't understand how this change is related to described problem.
>
> > + if (!of_node_name_eq(np, "emc-tables"))
> > + continue;
> > err = of_property_read_u32(np, "nvidia,ram-code", &value);
> > if (err || value != ram_code) {
> > struct device_node *lpddr2_np;
> > bool cfg_mismatches = false;
> >
> > - lpddr2_np = of_find_node_by_name(np, "lpddr2");
> > + lpddr2_np = of_get_child_by_name(np, "lpddr2");
>
> Why?
This drops the reference on "np"
>
> > if (lpddr2_np) {
> > const struct lpddr2_info *info;
> >
> > @@ -518,7 +519,6 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
> > }
> >
> > if (cfg_mismatches) {
> > - of_node_put(np);
>
> If of_find_node_by_name() drops the reference, why was this needed?
The continue statement also drops the reference. So this code has an
accidental of_node_put(dev->of_node) and two accidental extra calls to
of_node_put(np).
I can't say if the fix is correct, but the bug is real.
regards,
dan carpenter
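The reference balance Dan counts above, as an added example that is not part of this thread or of the kernel tree: a user-space C model of the documented contracts of of_node_get()/of_node_put(), of_find_node_by_name() (which puts @from), of_get_next_child() (which puts @prev and drives for_each_child_of_node()) and of_get_child_by_name(), run over a constructed four-node tree shaped like the layout Joe describes for v2 (emc-tables children under the EMC node, lpddr2 under emc-tables). The struct layout, the flattened-list order, the ram_code_matches/cfg_mismatches flags and the find_before()/find_after() bodies are assumptions that only mirror the shape of the driver's loop before and after the patch, not its code; of_node_put() is deliberately allowed to go negative so that the extra drops show up as numbers.

```c
/* Added example, not kernel or driver code: user-space model of the OF refcount
 * contracts quoted above; tree, flags and find_*() bodies are assumptions. */
#include <stdbool.h>
#include <string.h>

struct device_node {
	const char *name; struct device_node *child, *sibling, *allnext;  /* allnext: flattened order */
	int refcount;                            /* 1 = the reference held by the tree itself */
	bool ram_code_matches, cfg_mismatches;   /* stand in for the driver's DT checks */
};
static struct device_node *all_nodes;            /* head of the flattened list */

static struct device_node *of_node_get(struct device_node *np)
{
	if (np) np->refcount++;
	return np;
}
static void of_node_put(struct device_node *np) { if (np) np->refcount--; }  /* no floor: expose underflow */
#define of_node_name_eq(np, n) (strcmp((np)->name, (n)) == 0)   /* no unit addresses in this model */

/* Contract from drivers/of/base.c: new reference on the result, put on @from. */
static struct device_node *of_find_node_by_name(struct device_node *from, const char *name)
{
	struct device_node *np = from ? from->allnext : all_nodes;
	for (; np; np = np->allnext)
		if (of_node_name_eq(np, name) && of_node_get(np))
			break;
	of_node_put(from);
	return np;
}

/* Contract: new reference on the result, put on @prev; the iterator, not the body, owns prev. */
static struct device_node *of_get_next_child(const struct device_node *parent, struct device_node *prev)
{
	struct device_node *next = prev ? prev->sibling : parent->child;
	of_node_get(next);
	of_node_put(prev);
	return next;
}
#define for_each_child_of_node(parent, child) \
	for (child = of_get_next_child(parent, NULL); child != NULL; \
	     child = of_get_next_child(parent, child))

/* Contract: new reference on the result, @parent left alone. */
static struct device_node *of_get_child_by_name(const struct device_node *parent, const char *name)
{
	struct device_node *c;
	for (c = parent->child; c; c = c->sibling)
		if (of_node_name_eq(c, name))
			return of_node_get(c);
	return NULL;
}

/* Loop shape before the patch: dev_node is put once, a rejected np three times. */
static struct device_node *find_before(struct device_node *dev_node)
{
	struct device_node *np, *lp; bool mismatch;
	for (np = of_find_node_by_name(dev_node, "emc-tables"); np;  /* puts dev_node */
	     np = of_find_node_by_name(np, "emc-tables")) {           /* puts np (3rd) */
		if (np->ram_code_matches)
			return np;
		lp = of_find_node_by_name(np, "lpddr2");              /* puts np (1st) */
		mismatch = lp && lp->cfg_mismatches;
		of_node_put(lp);
		if (!mismatch)
			return np;
		of_node_put(np);                                      /* puts np (2nd) */
	}
	return NULL;
}

/* Loop shape after the patch: the iterator owns np until the loop is left. */
static struct device_node *find_after(struct device_node *dev_node)
{
	struct device_node *np, *lp; bool mismatch;
	for_each_child_of_node(dev_node, np) {
		if (!of_node_name_eq(np, "emc-tables"))
			continue;
		if (np->ram_code_matches)
			return np;                        /* caller now owns np */
		lp = of_get_child_by_name(np, "lpddr2");  /* np untouched */
		mismatch = lp && lp->cfg_mismatches;
		of_node_put(lp);
		if (!mismatch)
			return np;
		/* rejected: of_get_next_child() drops np at the top of the loop */
	}
	return NULL;
}

struct balance { int emc, tables0, lpddr2, tables1; };

/* Constructed tree emc { emc-tables { lpddr2 }; emc-tables }: the first table has
 * the wrong RAM code and a mismatching lpddr2 block, the second matches. Run one
 * variant, drop the caller's reference, report final refcounts (1 = balanced). */
static struct balance run_model(bool fixed)
{
	struct device_node t1 = { .name = "emc-tables", .refcount = 1, .ram_code_matches = true };
	struct device_node lp = { .name = "lpddr2", .refcount = 1, .cfg_mismatches = true, .allnext = &t1 };
	struct device_node t0 = { .name = "emc-tables", .refcount = 1, .child = &lp, .sibling = &t1, .allnext = &lp };
	struct device_node emc = { .name = "emc", .refcount = 1, .child = &t0, .allnext = &t0 };
	all_nodes = &emc;
	of_node_put(fixed ? find_after(&emc) : find_before(&emc));
	return (struct balance){ emc.refcount, t0.refcount, lp.refcount, t1.refcount };
}
```

Driven from a main() of your own, run_model(false) reports emc=0, tables0=-1, lpddr2=1, tables1=1: one extra put on the device node and two on the rejected table, which is exactly the count in Dan's reply, while run_model(true) reports 1 everywhere. In the real kernel these counters only exist with CONFIG_OF_DYNAMIC; without it of_node_get() and of_node_put() are no-ops, which is why a bug of this kind rarely shows up at runtime on a static device tree and why a refcount audit of this sort is worth doing on paper.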
* Re: [PATCH] memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()
From: Krzysztof Kozlowski @ 2024-12-17 11:57 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Joe Hattori, thierry.reding, jonathanh, linux-tegra
On 17/12/2024 12:49, Dan Carpenter wrote:
> On Tue, Dec 17, 2024 at 10:31:23AM +0100, Krzysztof Kozlowski wrote:
>> On 17/12/2024 10:14, Joe Hattori wrote:
>>> As of_find_node_by_name() releases the reference of the given OF node,
>>
>> No, it does not.
>>
>
> Yeah, it does.
Yeah, I focused on the returned 'np', but it is about the input argument.
>
> drivers/of/base.c
> 927 /**
> 928 * of_find_node_by_name - Find a node by its "name" property
> 929 * @from: The node to start searching from or NULL; the node
> 930 * you pass will not be searched, only the next one
> 931 * will. Typically, you pass what the previous call
> 932 * returned. of_node_put() will be called on @from.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 933 * @name: The name string to match against
> 934 *
> 935 * Return: A node pointer with refcount incremented, use
> 936 * of_node_put() on it when done.
> 937 */
> 938 struct device_node *of_find_node_by_name(struct device_node *from,
> 939 const char *name)
> 940 {
> 941 struct device_node *np;
> 942 unsigned long flags;
> 943
> 944 raw_spin_lock_irqsave(&devtree_lock, flags);
> 945 for_each_of_allnodes_from(from, np)
> 946 if (of_node_name_eq(np, name) && of_node_get(np))
> 947 break;
> 948 of_node_put(from);
> ^^^^^
>
> 949 raw_spin_unlock_irqrestore(&devtree_lock, flags);
> 950 return np;
> 951 }
>
>>> tegra_emc_find_node_by_ram_code() releases some OF nodes while still in
>>> use, resulting in possible UAFs. Given the DT structure, utilize the
>>> for_each_child_of_node macro and of_get_child_by_name() to avoid the bug.
>>>
>>> This bug was found by an experimental verification tool that I am
>>> developing.
>>>
>>> Fixes: 96e5da7c8424 ("memory: tegra: Introduce Tegra20 EMC driver")
>>> Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
>>> ---
>>> drivers/memory/tegra/tegra20-emc.c | 8 ++++----
>>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/memory/tegra/tegra20-emc.c b/drivers/memory/tegra/tegra20-emc.c
>>> index 7193f848d17e..9b7d30a21a5b 100644
>>> --- a/drivers/memory/tegra/tegra20-emc.c
>>> +++ b/drivers/memory/tegra/tegra20-emc.c
>>> @@ -474,14 +474,15 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
>>>
>>> ram_code = tegra_read_ram_code();
>>>
>>> - for (np = of_find_node_by_name(dev->of_node, "emc-tables"); np;
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This original code is wrong.
>
>>> - np = of_find_node_by_name(np, "emc-tables")) {
>>> + for_each_child_of_node(dev->of_node, np) {
>>
>> I don't understand how this change is related to described problem.
>>
>>> + if (!of_node_name_eq(np, "emc-tables"))
>>> + continue;
>>> err = of_property_read_u32(np, "nvidia,ram-code", &value);
>>> if (err || value != ram_code) {
>>> struct device_node *lpddr2_np;
>>> bool cfg_mismatches = false;
>>>
>>> - lpddr2_np = of_find_node_by_name(np, "lpddr2");
>>> + lpddr2_np = of_get_child_by_name(np, "lpddr2");
>>
>> Why?
>
> This drops the reference on "np"
>
>>
>>> if (lpddr2_np) {
>>> const struct lpddr2_info *info;
>>>
>>> @@ -518,7 +519,6 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
>>> }
>>>
>>> if (cfg_mismatches) {
>>> - of_node_put(np);
>>
>> If of_find_node_by_name() drops the reference, why was this needed?
>
> The continue statement also drops the reference. So this code has an
> accidental of_node_put(dev->of_node) and two accidental extra calls to
> of_node_put(np).
True, I just thought we were talking about looping here, and there are actually
more issues in the code.
>
> I can't say if the fix is correct, but the bug is real.
Probably this can be nicely split into two patches. One handling too
many puts within the loop, without breaking it (so the in-loop
of_find_node_by_name() and unnecessary of_node_put()). Second, the use of
of_find_node_by_name() in the loop itself, leading to a drop of the device
of_node reference.
Assuming of course that all the switch to parsing children is correct.
Best regards,
Krzysztof
* Re: [PATCH] memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()
From: Joe Hattori @ 2024-12-18 2:48 UTC (permalink / raw)
To: Krzysztof Kozlowski, Dan Carpenter; +Cc: thierry.reding, jonathanh, linux-tegra
On 12/17/24 20:57, Krzysztof Kozlowski wrote:
> On 17/12/2024 12:49, Dan Carpenter wrote:
>> On Tue, Dec 17, 2024 at 10:31:23AM +0100, Krzysztof Kozlowski wrote:
>>> On 17/12/2024 10:14, Joe Hattori wrote:
>>>> As of_find_node_by_name() releases the reference of the given OF node,
>>>
>>> No, it does not.
>>>
>>
>> Yeah, it does.
>
> Yeah, I focused on returned 'np', but it is about input argument.
>
>>
>> drivers/of/base.c
>> 927 /**
>> 928 * of_find_node_by_name - Find a node by its "name" property
>> 929 * @from: The node to start searching from or NULL; the node
>> 930 * you pass will not be searched, only the next one
>> 931 * will. Typically, you pass what the previous call
>> 932 * returned. of_node_put() will be called on @from.
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> 933 * @name: The name string to match against
>> 934 *
>> 935 * Return: A node pointer with refcount incremented, use
>> 936 * of_node_put() on it when done.
>> 937 */
>> 938 struct device_node *of_find_node_by_name(struct device_node *from,
>> 939 const char *name)
>> 940 {
>> 941 struct device_node *np;
>> 942 unsigned long flags;
>> 943
>> 944 raw_spin_lock_irqsave(&devtree_lock, flags);
>> 945 for_each_of_allnodes_from(from, np)
>> 946 if (of_node_name_eq(np, name) && of_node_get(np))
>> 947 break;
>> 948 of_node_put(from);
>> ^^^^^
>>
>> 949 raw_spin_unlock_irqrestore(&devtree_lock, flags);
>> 950 return np;
>> 951 }
>>
>>>> tegra_emc_find_node_by_ram_code() releases some OF nodes while still in
>>>> use, resulting in possible UAFs. Given the DT structure, utilize the
>>>> for_each_child_of_node macro and of_get_child_by_name() to avoid the bug.
>>>>
>>>> This bug was found by an experimental verification tool that I am
>>>> developing.
>>>>
>>>> Fixes: 96e5da7c8424 ("memory: tegra: Introduce Tegra20 EMC driver")
>>>> Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
>>>> ---
>>>> drivers/memory/tegra/tegra20-emc.c | 8 ++++----
>>>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/drivers/memory/tegra/tegra20-emc.c b/drivers/memory/tegra/tegra20-emc.c
>>>> index 7193f848d17e..9b7d30a21a5b 100644
>>>> --- a/drivers/memory/tegra/tegra20-emc.c
>>>> +++ b/drivers/memory/tegra/tegra20-emc.c
>>>> @@ -474,14 +474,15 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
>>>>
>>>> ram_code = tegra_read_ram_code();
>>>>
>>>> - for (np = of_find_node_by_name(dev->of_node, "emc-tables"); np;
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> This original code is wrong.
>>
>>>> - np = of_find_node_by_name(np, "emc-tables")) {
>>>> + for_each_child_of_node(dev->of_node, np) {
>>>
>>> I don't understand how this change is related to described problem.
>>>
>>>> + if (!of_node_name_eq(np, "emc-tables"))
>>>> + continue;
>>>> err = of_property_read_u32(np, "nvidia,ram-code", &value);
>>>> if (err || value != ram_code) {
>>>> struct device_node *lpddr2_np;
>>>> bool cfg_mismatches = false;
>>>>
>>>> - lpddr2_np = of_find_node_by_name(np, "lpddr2");
>>>> + lpddr2_np = of_get_child_by_name(np, "lpddr2");
>>>
>>> Why?
>>
>> This drops the reference on "np"
>>
>>>
>>>> if (lpddr2_np) {
>>>> const struct lpddr2_info *info;
>>>>
>>>> @@ -518,7 +519,6 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
>>>> }
>>>>
>>>> if (cfg_mismatches) {
>>>> - of_node_put(np);
>>>
>>> If of_find_node_by_name() drops the reference, why was this needed?
>>
>> The continue statement also drops the reference. So this code has an
>> accidental of_node_put(dev->of_node) and two accidental extra calls to
>> of_node_put(np).
>
> True, I just thought we were talking about looping here, and there are actually
> more issues in the code.
>
>>
>> I can't say if the fix is correct, but the bug is real.
>
> Probably this can be nicely split into two patches. One handling too
> many puts within the loop, without breaking it (so the in-loop
> of_find_node_by_name() and unnecessary of_node_put()). Second, the use of
> of_find_node_by_name() in the loop itself, leading to a drop of the device
> of_node reference.
Addressed in the v2 patch series.
>
> Assuming of course that all the switch to parsing children is correct.
I'll paste my commit message on the v2 2/2 patch here. Unfortunately I
do not have access to the actual device, but I think we can assume the
parent-child relationship between the nodes.
According to the yaml file [1] and the dts files [2-4], the "emc-tables"
node is a child of a node with the property "nvidia,use-ram-code", and
the "lpddr2" node is a child of the "emc-tables" node. Thus utilize the
for_each_child_of_node() macro and of_get_child_by_name() instead of
of_find_node_by_name() to simplify the code.
[1]:
Documentation/devicetree/bindings/memory-controllers/nvidia,tegra20-emc.yaml
[2]: arch/arm/boot/dts/nvidia/tegra20-acer-a500-picasso.dts
[3]: arch/arm/boot/dts/nvidia/tegra20-asus-tf101.dts
[4]: arch/arm/boot/dts/nvidia/tegra20-paz00.dts
>
> Best regards,
> Krzysztof
Best,
Joe
* Re: [PATCH] memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()
From: Krzysztof Kozlowski @ 2024-12-22 10:08 UTC (permalink / raw)
To: krzk, thierry.reding, jonathanh, Joe Hattori; +Cc: linux-tegra
On Tue, 17 Dec 2024 18:14:34 +0900, Joe Hattori wrote:
> As of_find_node_by_name() releases the reference of the given OF node,
> tegra_emc_find_node_by_ram_code() releases some OF nodes while still in
> use, resulting in possible UAFs. Given the DT structure, utilize the
> for_each_child_of_node macro and of_get_child_by_name() to avoid the bug.
>
> This bug was found by an experimental verification tool that I am
> developing.
>
> [...]
Applied, thanks!
[1/1] memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()
https://git.kernel.org/krzk/linux-mem-ctrl/c/b9784e5cde1f9fb83661a70e580e381ae1264d12
Best regards,
--
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>