From: Krzysztof Kozlowski <krzk@kernel.org>
To: Dan Carpenter <dan.carpenter@linaro.org>
Cc: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>,
thierry.reding@gmail.com, jonathanh@nvidia.com,
linux-tegra@vger.kernel.org
Subject: Re: [PATCH] memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()
Date: Tue, 17 Dec 2024 12:57:33 +0100 [thread overview]
Message-ID: <c79f0cec-a2b4-4b73-9ee6-f432d4529df1@kernel.org> (raw)
In-Reply-To: <fc0b53bf-029d-4505-a50b-8108b0788eca@stanley.mountain>
On 17/12/2024 12:49, Dan Carpenter wrote:
> On Tue, Dec 17, 2024 at 10:31:23AM +0100, Krzysztof Kozlowski wrote:
>> On 17/12/2024 10:14, Joe Hattori wrote:
>>> As of_find_node_by_name() release the reference of the given OF node,
>>
>> No, it does not.
>>
>
> Yeah, it does.
Yeah, I focused on returned 'np', but it is about input argument.
>
> drivers/of/base.c
> 927 /**
> 928 * of_find_node_by_name - Find a node by its "name" property
> 929 * @from: The node to start searching from or NULL; the node
> 930 * you pass will not be searched, only the next one
> 931 * will. Typically, you pass what the previous call
> 932 * returned. of_node_put() will be called on @from.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 933 * @name: The name string to match against
> 934 *
> 935 * Return: A node pointer with refcount incremented, use
> 936 * of_node_put() on it when done.
> 937 */
> 938 struct device_node *of_find_node_by_name(struct device_node *from,
> 939 const char *name)
> 940 {
> 941 struct device_node *np;
> 942 unsigned long flags;
> 943
> 944 raw_spin_lock_irqsave(&devtree_lock, flags);
> 945 for_each_of_allnodes_from(from, np)
> 946 if (of_node_name_eq(np, name) && of_node_get(np))
> 947 break;
> 948 of_node_put(from);
> ^^^^^
>
> 949 raw_spin_unlock_irqrestore(&devtree_lock, flags);
> 950 return np;
> 951 }
>
>>> tegra_emc_find_node_by_ram_code() releases some OF nodes while still in
>>> use, resulting in possible UAFs. Given the DT structure, utilize the
>>> for_each_child_of_node macro and of_get_child_by_name() to avoid the bug.
>>>
>>> This bug was found by an experimental verification tool that I am
>>> developing.
>>>
>>> Fixes: 96e5da7c8424 ("memory: tegra: Introduce Tegra20 EMC driver")
>>> Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
>>> ---
>>> drivers/memory/tegra/tegra20-emc.c | 8 ++++----
>>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/memory/tegra/tegra20-emc.c b/drivers/memory/tegra/tegra20-emc.c
>>> index 7193f848d17e..9b7d30a21a5b 100644
>>> --- a/drivers/memory/tegra/tegra20-emc.c
>>> +++ b/drivers/memory/tegra/tegra20-emc.c
>>> @@ -474,14 +474,15 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
>>>
>>> ram_code = tegra_read_ram_code();
>>>
>>> - for (np = of_find_node_by_name(dev->of_node, "emc-tables"); np;
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This original code is wrong.
>
>>> - np = of_find_node_by_name(np, "emc-tables")) {
>>> + for_each_child_of_node(dev->of_node, np) {
>>
>> I don't understand how this change is related to described problem.
>>
>>> + if (!of_node_name_eq(np, "emc-tables"))
>>> + continue;
>>> err = of_property_read_u32(np, "nvidia,ram-code", &value);
>>> if (err || value != ram_code) {
>>> struct device_node *lpddr2_np;
>>> bool cfg_mismatches = false;
>>>
>>> - lpddr2_np = of_find_node_by_name(np, "lpddr2");
>>> + lpddr2_np = of_get_child_by_name(np, "lpddr2");
>>
>> Why?
>
> This drops the reference on "np"
>
>>
>>> if (lpddr2_np) {
>>> const struct lpddr2_info *info;
>>>
>>> @@ -518,7 +519,6 @@ tegra_emc_find_node_by_ram_code(struct tegra_emc *emc)
>>> }
>>>
>>> if (cfg_mismatches) {
>>> - of_node_put(np);
>>
>> If of_find_node_by_name() drops reference, why this was needed?
>
> The continue statement also drops the reference. So this code as an
> accidental of_node_put(dev->of_node) and two accidental extra calls to
> of_node_put(np).
True, I just thought we talk here about looping and there are actually
more issues in the code.
>
> I can't say if the fix is correct, but the bug is real.
Probably this can be nicely split into two patches. One handling too
many puts within the loop, without breaking it (so the in-loop
of_find_node_by_name() and unnecessary of_node_put()). Second of using
of_find_node_by_name() in the loop itself, leading to drop of device
of_node reference.
Assuming of course that all the switch to parsing children is correct.
Best regards,
Krzysztof
next prev parent reply other threads:[~2024-12-17 11:57 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-17 9:14 [PATCH] memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code() Joe Hattori
2024-12-17 9:31 ` Krzysztof Kozlowski
2024-12-17 11:07 ` Joe Hattori
2024-12-17 11:42 ` Krzysztof Kozlowski
2024-12-17 11:49 ` Dan Carpenter
2024-12-17 11:57 ` Krzysztof Kozlowski [this message]
2024-12-18 2:48 ` Joe Hattori
2024-12-22 10:08 ` Krzysztof Kozlowski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c79f0cec-a2b4-4b73-9ee6-f432d4529df1@kernel.org \
--to=krzk@kernel.org \
--cc=dan.carpenter@linaro.org \
--cc=joe@pf.is.s.u-tokyo.ac.jp \
--cc=jonathanh@nvidia.com \
--cc=linux-tegra@vger.kernel.org \
--cc=thierry.reding@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox