[PATCH v3] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init()

[PATCH v3] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init()

[Christian Zigotzky]

Hello Wen,

Thanks for your patch!

Did you test your patch with a P.A. Semi board?

Cheers,
Christian

Re:[PATCH v3] cpufreq/pasemi: fix an use-after-free inpas_cpufreq_cpu_init()

[wen.yang99]

[-- Attachment #1.1: Type: text/plain, Size: 279 bytes --]

> Hello Wen,
> 
> Thanks for your patch!
> 
> Did you test your patch with a P.A. Semi board?
> 

Hello Christian, thank you.
We don't have a P.A. Semi board yet, so we didn't test it.
If you have such a board, could you please kindly help to test it?

--
Thanks and regards,
Wen

[PATCH v3] cpufreq/pasemi: fix an use-after-free inpas_cpufreq_cpu_init()

[Christian Zigotzky]

Is a final patch available for testing? Please do not release it without 
testing.

- Christian

On 09-07-19, 16:04, Wen Yang wrote:
 > The cpu variable is still being used in the of_get_property() call
 > after the of_node_put() call, which may result in use-after-free.
 >
 > Fixes: a9acc26b75f ("cpufreq/pasemi: fix possible object reference leak")
 > Signed-off-by: Wen Yang <wen.yang99 at zte.com.cn>
 > Cc: "Rafael J. Wysocki" <rjw at rjwysocki.net>
 > Cc: Viresh Kumar <viresh.kumar at linaro.org>
 > Cc: Michael Ellerman <mpe at ellerman.id.au>
 > Cc: linuxppc-dev at lists.ozlabs.org
 > Cc: linux-pm at vger.kernel.org
 > Cc: linux-kernel at vger.kernel.org
 > ---
 > v5: put together the code to get, use, and release cpu device_node.
 > v4: restore the blank line.
 > v3: fix a leaked reference.
 > v2: clean up the code according to the advice of viresh.
 >
 >  drivers/cpufreq/pasemi-cpufreq.c | 21 +++++++++------------
 >  1 file changed, 9 insertions(+), 12 deletions(-)
 >
 > diff --git a/drivers/cpufreq/pasemi-cpufreq.c 
b/drivers/cpufreq/pasemi-cpufreq.c
 > index 6b1e4ab..1f0beb7 100644
 > --- a/drivers/cpufreq/pasemi-cpufreq.c
 > +++ b/drivers/cpufreq/pasemi-cpufreq.c
 > @@ -131,10 +131,17 @@ static int pas_cpufreq_cpu_init(struct 
cpufreq_policy *policy)
 >      int err = -ENODEV;
 >
 >      cpu = of_get_cpu_node(policy->cpu, NULL);
 > -
 > -    of_node_put(cpu);
 >      if (!cpu)
 >          goto out;

I would have loved a blank line here :)

 > +    max_freqp = of_get_property(cpu, "clock-frequency", NULL);
 > +    of_node_put(cpu);
 > +    if (!max_freqp) {
 > +        err = -EINVAL;
 > +        goto out;
 > +    }
 > +
 > +    /* we need the freq in kHz */
 > +    max_freq = *max_freqp / 1000;
 >
 >      dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
 >      if (!dn)
 > @@ -171,16 +178,6 @@ static int pas_cpufreq_cpu_init(struct 
cpufreq_policy *policy)
 >      }
 >
 >      pr_debug("init cpufreq on CPU %d\n", policy->cpu);
 > -
 > -    max_freqp = of_get_property(cpu, "clock-frequency", NULL);
 > -    if (!max_freqp) {
 > -        err = -EINVAL;
 > -        goto out_unmap_sdcpwr;
 > -    }
 > -
 > -    /* we need the freq in kHz */
 > -    max_freq = *max_freqp / 1000;
 > -
 >      pr_debug("max clock-frequency is at %u kHz\n", max_freq);
 >      pr_debug("initializing frequency table\n");

Though, enough versions have happened now.

Acked-by: Viresh Kumar <viresh.kumar at linaro.org>

-- 
viresh

[PATCH v7] cpufreq/pasemi: fix an use-after-free inpas_cpufreq_cpu_init()

[Christian Zigotzky]

On 09.07.2019 at 03:39am, wen.yang99@zte.com.cn wrote:
>> Hello Wen,
>>
>> Thanks for your patch!
>>
>> Did you test your patch with a P.A. Semi board?
>>
> Hello Christian, thank you.
> We don't have a P.A. Semi board yet, so we didn't test it.
> If you have such a board, could you please kindly help to test it?
>
> --
> Thanks and regards,
> Wen

Hello Wen,

I successfully tested your pasemi cpufreq modifications with my P.A. 
Semi board [1] today.

First I patched the latest Git kernel with Viresh Kumar's patch [2]. 
After that I was able to patch the latest Git kernel with your v7 patch [3].

Then the kernel compiled without any errors.

Afterwards I successfully tested the new Git kernel with some cpufreq 
governors on openSUSE Tumbleweed 20190521 PowerPC64 [4] and on ubuntu 
MATE 16.04.6 LTS PowerPC32.

Thanks a lot for your work!

Tested-by: Christian Zigotzky <chzigotzky@xenosoft.de>

Cheers,
Christian

[1] https://en.wikipedia.org/wiki/AmigaOne_X1000
[2] 
https://lore.kernel.org/lkml/ee8cf5fb4b4a01fdf9199037ff6d835b935cfd13.1562902877.git.viresh.kumar@linaro.org/#Z30drivers:cpufreq:pasemi-cpufreq.c
[3] https://lists.ozlabs.org/pipermail/linuxppc-dev/2019-July/193735.html
[4] Screenshots: 
https://i.pinimg.com/originals/37/66/93/37669306cbc909a9d79270a849d18aa6.png 
and 
https://i.pinimg.com/originals/fe/f8/bf/fef8bfc90d95b5ae9cf31e175e8ba2da.png

Re:[PATCH v7] cpufreq/pasemi: fix an use-after-freeinpas_cpufreq_cpu_init()

[wen.yang99]

[-- Attachment #1.1: Type: text/plain, Size: 1421 bytes --]

>>> Hello Wen,
>>>
>>> Thanks for your patch!
>>>
>>> Did you test your patch with a P.A. Semi board?
>>>
>> Hello Christian, thank you.
>> We don't have a P.A. Semi board yet, so we didn't test it.
>> If you have such a board, could you please kindly help to test it?
>>
>> --
>> Thanks and regards,
>> Wen
> 
> Hello Wen,
> 
> I successfully tested your pasemi cpufreq modifications with my P.A.
> Semi board [1] today.
> 
> First I patched the latest Git kernel with Viresh Kumar's patch [2].
> After that I was able to patch the latest Git kernel with your v7 patch [3].
> 
> Then the kernel compiled without any errors.
> 
> Afterwards I successfully tested the new Git kernel with some cpufreq
> governors on openSUSE Tumbleweed 20190521 PowerPC64 [4] and on ubuntu
> MATE 16.04.6 LTS PowerPC32.
> 
> Thanks a lot for your work!
> 
> Tested-by: Christian Zigotzky <chzigotzky@xenosoft.de>
> 
> Cheers,
> Christian

Thank you very much!
--
Cheers,
Wen

> [1] https://en.wikipedia.org/wiki/AmigaOne_X1000
> [2]
> https://lore.kernel.org/lkml/ee8cf5fb4b4a01fdf9199037ff6d835b935cfd13.1562902877.git.viresh.kumar@linaro.org/#Z30drivers:cpufreq:pasemi-cpufreq.c
> [3] https://lists.ozlabs.org/pipermail/linuxppc-dev/2019-July/193735.html
> [4] Screenshots:
> https://i.pinimg.com/originals/37/66/93/37669306cbc909a9d79270a849d18aa6.png
> and
> https://i.pinimg.com/originals/fe/f8/bf/fef8bfc90d95b5ae9cf31e175e8ba2da.png

[PATCH v3] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init()

[Wen Yang]

The cpu variable is still being used in the of_get_property() call
after the of_node_put() call, which may result in use-after-free.

Fixes: a9acc26b75f ("cpufreq/pasemi: fix possible object reference leak")
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Cc: Viresh Kumar <viresh.kumar@linaro.org>
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-pm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
---
v3: fix a leaked reference.
v2: clean up the code according to the advice of viresh.

 drivers/cpufreq/pasemi-cpufreq.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
index 6b1e4ab..9dc5163 100644
--- a/drivers/cpufreq/pasemi-cpufreq.c
+++ b/drivers/cpufreq/pasemi-cpufreq.c
@@ -128,20 +128,20 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
 	int cur_astate, idx;
 	struct resource res;
 	struct device_node *cpu, *dn;
-	int err = -ENODEV;
+	int err;
 
 	cpu = of_get_cpu_node(policy->cpu, NULL);
-
-	of_node_put(cpu);
 	if (!cpu)
-		goto out;
+		return -ENODEV;
 
 	dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
 	if (!dn)
 		dn = of_find_compatible_node(NULL, NULL,
 					     "pasemi,pwrficient-sdc");
-	if (!dn)
+	if (!dn) {
+		err = -ENODEV;
 		goto out;
+	}
 	err = of_address_to_resource(dn, 0, &res);
 	of_node_put(dn);
 	if (err)
@@ -196,6 +196,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
 	policy->cur = pas_freqs[cur_astate].frequency;
 	ppc_proc_freq = policy->cur * 1000ul;
 
+	of_node_put(cpu);
 	return cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency());
 
 out_unmap_sdcpwr:
@@ -204,6 +205,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
 out_unmap_sdcasr:
 	iounmap(sdcasr_mapbase);
 out:
+	of_node_put(cpu);
 	return err;
 }
 
-- 
2.9.5

Re: [PATCH v3] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init()

[Viresh Kumar]

On 08-07-19, 16:48, Wen Yang wrote:
> The cpu variable is still being used in the of_get_property() call
> after the of_node_put() call, which may result in use-after-free.
> 
> Fixes: a9acc26b75f ("cpufreq/pasemi: fix possible object reference leak")
> Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
> Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
> Cc: Viresh Kumar <viresh.kumar@linaro.org>
> Cc: linuxppc-dev@lists.ozlabs.org
> Cc: linux-pm@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> ---
> v3: fix a leaked reference.
> v2: clean up the code according to the advice of viresh.
> 
>  drivers/cpufreq/pasemi-cpufreq.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
> index 6b1e4ab..9dc5163 100644
> --- a/drivers/cpufreq/pasemi-cpufreq.c
> +++ b/drivers/cpufreq/pasemi-cpufreq.c
> @@ -128,20 +128,20 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
>  	int cur_astate, idx;
>  	struct resource res;
>  	struct device_node *cpu, *dn;
> -	int err = -ENODEV;
> +	int err;
>  
>  	cpu = of_get_cpu_node(policy->cpu, NULL);
> -
> -	of_node_put(cpu);
>  	if (!cpu)
> -		goto out;
> +		return -ENODEV;
>  
>  	dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
>  	if (!dn)
>  		dn = of_find_compatible_node(NULL, NULL,
>  					     "pasemi,pwrficient-sdc");
> -	if (!dn)
> +	if (!dn) {
> +		err = -ENODEV;
>  		goto out;
> +	}

Please restore the blank line here.

>  	err = of_address_to_resource(dn, 0, &res);
>  	of_node_put(dn);
>  	if (err)
> @@ -196,6 +196,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
>  	policy->cur = pas_freqs[cur_astate].frequency;
>  	ppc_proc_freq = policy->cur * 1000ul;
>  
> +	of_node_put(cpu);
>  	return cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency());
>  
>  out_unmap_sdcpwr:
> @@ -204,6 +205,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
>  out_unmap_sdcasr:
>  	iounmap(sdcasr_mapbase);
>  out:
> +	of_node_put(cpu);
>  	return err;
>  }
>  
> -- 
> 2.9.5

-- 
viresh

Re: [PATCH v3] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init()

[Markus Elfring]

> @@ -204,6 +205,7 @@  static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)

>  out_unmap_sdcasr:

>  	iounmap(sdcasr_mapbase);

>  out:

> +	of_node_put(cpu);


I would find the usage of a jump label like “put_node” nicer at such
a source code place.

Regards,
Markus

Re: [PATCH v3] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init()

[Michael Ellerman]

Wen Yang <wen.yang99@zte.com.cn> writes:

> The cpu variable is still being used in the of_get_property() call
> after the of_node_put() call, which may result in use-after-free.
>
> Fixes: a9acc26b75f ("cpufreq/pasemi: fix possible object reference leak")
> Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
> Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
> Cc: Viresh Kumar <viresh.kumar@linaro.org>
> Cc: linuxppc-dev@lists.ozlabs.org
> Cc: linux-pm@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> ---
> v3: fix a leaked reference.
> v2: clean up the code according to the advice of viresh.
>
>  drivers/cpufreq/pasemi-cpufreq.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
> index 6b1e4ab..9dc5163 100644
> --- a/drivers/cpufreq/pasemi-cpufreq.c
> +++ b/drivers/cpufreq/pasemi-cpufreq.c
> @@ -128,20 +128,20 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
>  	int cur_astate, idx;
>  	struct resource res;
>  	struct device_node *cpu, *dn;
> -	int err = -ENODEV;
> +	int err;
>  
>  	cpu = of_get_cpu_node(policy->cpu, NULL);
> -
> -	of_node_put(cpu);
>  	if (!cpu)
> -		goto out;
> +		return -ENODEV;

I don't think introducing another exit path is an improvement.

>  	dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
>  	if (!dn)
>  		dn = of_find_compatible_node(NULL, NULL,
>  					     "pasemi,pwrficient-sdc");
> -	if (!dn)
> +	if (!dn) {
> +		err = -ENODEV;
>  		goto out;
> +	}
>  	err = of_address_to_resource(dn, 0, &res);
>  	of_node_put(dn);
>  	if (err)
> @@ -196,6 +196,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
>  	policy->cur = pas_freqs[cur_astate].frequency;
>  	ppc_proc_freq = policy->cur * 1000ul;
>  
> +	of_node_put(cpu);
>  	return cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency());
>  
>  out_unmap_sdcpwr:
> @@ -204,6 +205,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
>  out_unmap_sdcasr:
>  	iounmap(sdcasr_mapbase);
>  out:
> +	of_node_put(cpu);
>  	return err;
>  }

Notice that cpu is only used for the max_freq calculation, so we could
instead do:

diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
index 6b1e4abe3248..42a0a4b8e87d 100644
--- a/drivers/cpufreq/pasemi-cpufreq.c
+++ b/drivers/cpufreq/pasemi-cpufreq.c
@@ -131,11 +131,20 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
 	int err = -ENODEV;
 
 	cpu = of_get_cpu_node(policy->cpu, NULL);
-
-	of_node_put(cpu);
 	if (!cpu)
 		goto out;
 
+	max_freqp = of_get_property(cpu, "clock-frequency", NULL);
+	if (!max_freqp) {
+		of_node_put(cpu);
+		err = -EINVAL;
+		goto out;
+	}
+
+	/* we need the freq in kHz */
+	max_freq = *max_freqp / 1000;
+	of_node_put(cpu);
+
 	dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
 	if (!dn)
 		dn = of_find_compatible_node(NULL, NULL,
@@ -172,15 +181,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
 
 	pr_debug("init cpufreq on CPU %d\n", policy->cpu);
 
-	max_freqp = of_get_property(cpu, "clock-frequency", NULL);
-	if (!max_freqp) {
-		err = -EINVAL;
-		goto out_unmap_sdcpwr;
-	}
-
-	/* we need the freq in kHz */
-	max_freq = *max_freqp / 1000;
-
 	pr_debug("max clock-frequency is at %u kHz\n", max_freq);
 	pr_debug("initializing frequency table\n");
 

Though arguably this function should hold a reference to cpu anyway,
because it doesn't want the CPU to removed out from under it. It's a
CPUfreq driver after all.

cheers