* [PATCH v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()
@ 2024-05-17 14:49 Harshit Mogalapalli
2024-05-17 15:15 ` srinivas pandruvada
` (2 more replies)
0 siblings, 3 replies; 12+ messages in thread
From: Harshit Mogalapalli @ 2024-05-17 14:49 UTC (permalink / raw)
To: Srinivas Pandruvada, Hans de Goede, Ilpo Järvinen, Zhang Rui,
platform-driver-x86, linux-kernel
Cc: dan.carpenter, kernel-janitors, error27, harshit.m.mogalapalli
In tpmi_sst_dev_remove(), tpmi_sst is dereferenced after being freed.
Fix this by reordering the kfree() post the dereference.
Fixes: 9d1d36268f3d ("platform/x86: ISST: Support partitioned systems")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
---
v1->v2: Add R.B from Hans and fix commit message wrapping to 75 chars.
This is found by smatch and only compile tested.
---
drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c b/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
index 7bac7841ff0a..7fa360073f6e 100644
--- a/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
+++ b/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
@@ -1610,8 +1610,8 @@ void tpmi_sst_dev_remove(struct auxiliary_device *auxdev)
tpmi_sst->partition_mask_current &= ~BIT(plat_info->partition);
/* Free the package instance when the all partitions are removed */
if (!tpmi_sst->partition_mask_current) {
- kfree(tpmi_sst);
isst_common.sst_inst[tpmi_sst->package_id] = NULL;
+ kfree(tpmi_sst);
}
mutex_unlock(&isst_tpmi_dev_lock);
}
--
2.39.3
^ permalink raw reply related [flat|nested] 12+ messages in thread* Re: [PATCH v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()
2024-05-17 14:49 [PATCH v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove() Harshit Mogalapalli
@ 2024-05-17 15:15 ` srinivas pandruvada
2024-05-18 17:30 ` Markus Elfring
2024-05-27 9:29 ` [PATCH v2] " Hans de Goede
2 siblings, 0 replies; 12+ messages in thread
From: srinivas pandruvada @ 2024-05-17 15:15 UTC (permalink / raw)
To: Harshit Mogalapalli, Hans de Goede, Ilpo Järvinen, Zhang Rui,
platform-driver-x86, linux-kernel
Cc: dan.carpenter, kernel-janitors, error27
On Fri, 2024-05-17 at 07:49 -0700, Harshit Mogalapalli wrote:
> In tpmi_sst_dev_remove(), tpmi_sst is dereferenced after being freed.
> Fix this by reordering the kfree() post the dereference.
>
> Fixes: 9d1d36268f3d ("platform/x86: ISST: Support partitioned
> systems")
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
> Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
> ---
> v1->v2: Add R.B from Hans and fix commit message wrapping to 75
> chars.
> This is found by smatch and only compile tested.
> ---
> drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git
> a/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
> b/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
> index 7bac7841ff0a..7fa360073f6e 100644
> --- a/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
> +++ b/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
> @@ -1610,8 +1610,8 @@ void tpmi_sst_dev_remove(struct
> auxiliary_device *auxdev)
> tpmi_sst->partition_mask_current &= ~BIT(plat_info-
> >partition);
> /* Free the package instance when the all partitions are
> removed */
> if (!tpmi_sst->partition_mask_current) {
> - kfree(tpmi_sst);
> isst_common.sst_inst[tpmi_sst->package_id] = NULL;
> + kfree(tpmi_sst);
> }
> mutex_unlock(&isst_tpmi_dev_lock);
> }
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: [PATCH v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()
2024-05-17 14:49 [PATCH v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove() Harshit Mogalapalli
2024-05-17 15:15 ` srinivas pandruvada
@ 2024-05-18 17:30 ` Markus Elfring
2024-05-20 9:38 ` Ilpo Järvinen
2024-05-27 9:29 ` [PATCH v2] " Hans de Goede
2 siblings, 1 reply; 12+ messages in thread
From: Markus Elfring @ 2024-05-18 17:30 UTC (permalink / raw)
To: Harshit Mogalapalli, platform-driver-x86, kernel-janitors,
Hans de Goede, Ilpo Järvinen, Srinivas Pandruvada, Zhang Rui
Cc: LKML, Dan Carpenter, Dan Carpenter
…
> Fix this by reordering the kfree() post the dereference.
Would a wording approach (like the following) be a bit nicer?
Move a kfree() call behind an assignment statement in the affected if branch.
…
> ---
> v1->v2: Add R.B from Hans and fix commit message wrapping to 75 chars.
> This is found by smatch and only compile tested.
* Can it occasionally be nicer to use an enumeration also for
version descriptions?
* Is it helpful to separate additional comments by blank lines?
> ---
> drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c | 2 +-
How do you think about to omit a repeated marker line here?
Regards,
Markus
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()
2024-05-18 17:30 ` Markus Elfring
@ 2024-05-20 9:38 ` Ilpo Järvinen
2024-05-20 10:56 ` [v2] " Markus Elfring
0 siblings, 1 reply; 12+ messages in thread
From: Ilpo Järvinen @ 2024-05-20 9:38 UTC (permalink / raw)
To: Markus Elfring
Cc: Harshit Mogalapalli, platform-driver-x86, kernel-janitors,
Hans de Goede, Srinivas Pandruvada, Zhang Rui, LKML,
Dan Carpenter, Dan Carpenter
[-- Attachment #1: Type: text/plain, Size: 988 bytes --]
On Sat, 18 May 2024, Markus Elfring wrote:
> …
> > Fix this by reordering the kfree() post the dereference.
>
> Would a wording approach (like the following) be a bit nicer?
>
> Move a kfree() call behind an assignment statement in the affected if branch.
No, the suggested wording would make it less precise ("post the
dereference" -> "behind an assignment") and also tries to tell pointless
things about the location in the codei that is visible in the patch itself.
--
i.
> > v1->v2: Add R.B from Hans and fix commit message wrapping to 75 chars.
> > This is found by smatch and only compile tested.
>
> * Can it occasionally be nicer to use an enumeration also for
> version descriptions?
>
> * Is it helpful to separate additional comments by blank lines?
>
>
> > ---
> > drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c | 2 +-
>
> How do you think about to omit a repeated marker line here?
>
> Regards,
> Markus
>
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: [v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()
2024-05-20 9:38 ` Ilpo Järvinen
@ 2024-05-20 10:56 ` Markus Elfring
2024-05-20 17:49 ` Hans de Goede
0 siblings, 1 reply; 12+ messages in thread
From: Markus Elfring @ 2024-05-20 10:56 UTC (permalink / raw)
To: Ilpo Järvinen, Harshit Mogalapalli, platform-driver-x86,
kernel-janitors, Hans de Goede, Srinivas Pandruvada, Zhang Rui
Cc: LKML, Dan Carpenter, Dan Carpenter
>> …
>>> Fix this by reordering the kfree() post the dereference.
>>
>> Would a wording approach (like the following) be a bit nicer?
>>
>> Move a kfree() call behind an assignment statement in the affected if branch.
>
> No, the suggested wording would make it less precise ("post the
> dereference" -> "behind an assignment") and also tries to tell pointless
> things about the location in the codei that is visible in the patch itself.
Would you eventually like another wording variant a bit more?
Thus move a kfree() call behind a dereference of an invalid pointer.
Regards,
Markus
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: [v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()
2024-05-20 10:56 ` [v2] " Markus Elfring
@ 2024-05-20 17:49 ` Hans de Goede
2024-05-21 5:15 ` Markus Elfring
0 siblings, 1 reply; 12+ messages in thread
From: Hans de Goede @ 2024-05-20 17:49 UTC (permalink / raw)
To: Markus Elfring, Ilpo Järvinen, Harshit Mogalapalli,
platform-driver-x86, kernel-janitors, Srinivas Pandruvada,
Zhang Rui
Cc: LKML, Dan Carpenter, Dan Carpenter
Hi Markus,
On 5/20/24 12:56 PM, Markus Elfring wrote:
>>> …
>>>> Fix this by reordering the kfree() post the dereference.
>>>
>>> Would a wording approach (like the following) be a bit nicer?
>>>
>>> Move a kfree() call behind an assignment statement in the affected if branch.
>>
>> No, the suggested wording would make it less precise ("post the
>> dereference" -> "behind an assignment") and also tries to tell pointless
>> things about the location in the codei that is visible in the patch itself.
>
> Would you eventually like another wording variant a bit more?
>
> Thus move a kfree() call behind a dereference of an invalid pointer.
The original wording of the commit message really is fine as is,
I see no need for Harshit to send a new version and I plan to
merge this as is.
Regards,
Hans
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: [v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()
2024-05-20 17:49 ` Hans de Goede
@ 2024-05-21 5:15 ` Markus Elfring
2024-05-21 10:06 ` Ilpo Järvinen
0 siblings, 1 reply; 12+ messages in thread
From: Markus Elfring @ 2024-05-21 5:15 UTC (permalink / raw)
To: Hans de Goede, Ilpo Järvinen, Harshit Mogalapalli,
platform-driver-x86, kernel-janitors, Srinivas Pandruvada,
Zhang Rui
Cc: LKML, Dan Carpenter, Dan Carpenter
>>>> …
>>>>> Fix this by reordering the kfree() post the dereference.
…
> The original wording of the commit message really is fine as is,
> I see no need for Harshit to send a new version and I plan to
> merge this as is.
Are there opportunities remaining to improve the discussed wording?
1. https://en.wiktionary.org/wiki/post#Etymology_1
2. https://en.wiktionary.org/wiki/reorder
3. Function call indication?
https://elixir.bootlin.com/linux/v6.9.1/source/mm/slub.c#L4371
4. Rephrasing of “Fix this by …”?
5. https://en.wikipedia.org/wiki/Dangling_pointer#Cause_of_dangling_pointers
6. https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory#MEM30C.Donotaccessfreedmemory-AutomatedDetection
7. https://en.wikipedia.org/wiki/Code_sanitizer#KernelAddressSanitizer
Regards,
Markus
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()
2024-05-21 5:15 ` Markus Elfring
@ 2024-05-21 10:06 ` Ilpo Järvinen
2024-05-21 10:42 ` Markus Elfring
0 siblings, 1 reply; 12+ messages in thread
From: Ilpo Järvinen @ 2024-05-21 10:06 UTC (permalink / raw)
To: Markus Elfring
Cc: Hans de Goede, Harshit Mogalapalli, platform-driver-x86,
kernel-janitors, Srinivas Pandruvada, Zhang Rui, LKML,
Dan Carpenter, Dan Carpenter
[-- Attachment #1: Type: text/plain, Size: 1076 bytes --]
On Tue, 21 May 2024, Markus Elfring wrote:
> >>>> …
> >>>>> Fix this by reordering the kfree() post the dereference.
> …
> > The original wording of the commit message really is fine as is,
> > I see no need for Harshit to send a new version and I plan to
> > merge this as is.
>
> Are there opportunities remaining to improve the discussed wording?
>
> 1. https://en.wiktionary.org/wiki/post#Etymology_1
>
> 2. https://en.wiktionary.org/wiki/reorder
>
> 3. Function call indication?
> https://elixir.bootlin.com/linux/v6.9.1/source/mm/slub.c#L4371
>
> 4. Rephrasing of “Fix this by …”?
>
> 5. https://en.wikipedia.org/wiki/Dangling_pointer#Cause_of_dangling_pointers
>
> 6. https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory#MEM30C.Donotaccessfreedmemory-AutomatedDetection
>
> 7. https://en.wikipedia.org/wiki/Code_sanitizer#KernelAddressSanitizer
We'll not waste our time in wordsmithing commit messages to perfection,
the current one is good enough as was stated to you already.
--
i.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()
2024-05-21 10:06 ` Ilpo Järvinen
@ 2024-05-21 10:42 ` Markus Elfring
2024-05-21 10:56 ` Ilpo Järvinen
0 siblings, 1 reply; 12+ messages in thread
From: Markus Elfring @ 2024-05-21 10:42 UTC (permalink / raw)
To: Ilpo Järvinen, Hans de Goede, Harshit Mogalapalli,
platform-driver-x86, kernel-janitors, Srinivas Pandruvada,
Zhang Rui
Cc: LKML, Dan Carpenter, Dan Carpenter
>>>>>> …
>>>>>>> Fix this by reordering the kfree() post the dereference.
…
> We'll not waste our time in wordsmithing commit messages to perfection,
I hope that you would also like to avoid typos in change descriptions.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.9#n45
> the current one is good enough as was stated to you already.
I dared to present some wording concerns according to the running patch review.
Regards,
Markus
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()
2024-05-21 10:42 ` Markus Elfring
@ 2024-05-21 10:56 ` Ilpo Järvinen
2024-05-21 11:09 ` Markus Elfring
0 siblings, 1 reply; 12+ messages in thread
From: Ilpo Järvinen @ 2024-05-21 10:56 UTC (permalink / raw)
To: Markus Elfring
Cc: Hans de Goede, Harshit Mogalapalli, platform-driver-x86,
kernel-janitors, Srinivas Pandruvada, Zhang Rui, LKML,
Dan Carpenter, Dan Carpenter
[-- Attachment #1: Type: text/plain, Size: 865 bytes --]
On Tue, 21 May 2024, Markus Elfring wrote:
> >>>>>> …
> >>>>>>> Fix this by reordering the kfree() post the dereference.
> …
> > We'll not waste our time in wordsmithing commit messages to perfection,
>
> I hope that you would also like to avoid typos in change descriptions.
Now you start derailing this with off-topic references to hypothetical
"typos".
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.9#n45
>
>
> > the current one is good enough as was stated to you already.
>
> I dared to present some wording concerns according to the running patch review.
No, your latest replies were not anymore about wording concerns but
complaining about process.
Your wording concerns were already replied but after that you kept on
arguing.
--
i.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()
2024-05-21 10:56 ` Ilpo Järvinen
@ 2024-05-21 11:09 ` Markus Elfring
0 siblings, 0 replies; 12+ messages in thread
From: Markus Elfring @ 2024-05-21 11:09 UTC (permalink / raw)
To: Ilpo Järvinen, Hans de Goede, Harshit Mogalapalli,
platform-driver-x86, kernel-janitors, Srinivas Pandruvada,
Zhang Rui
Cc: LKML, Dan Carpenter, Dan Carpenter
>>> We'll not waste our time in wordsmithing commit messages to perfection,
>>
>> I hope that you would also like to avoid typos in change descriptions.
>
> Now you start derailing this with off-topic references to hypothetical "typos".
Which alternative term would you prefer for the word combination “the kfree() post”
(for example) instead?
Regards,
Markus
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()
2024-05-17 14:49 [PATCH v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove() Harshit Mogalapalli
2024-05-17 15:15 ` srinivas pandruvada
2024-05-18 17:30 ` Markus Elfring
@ 2024-05-27 9:29 ` Hans de Goede
2 siblings, 0 replies; 12+ messages in thread
From: Hans de Goede @ 2024-05-27 9:29 UTC (permalink / raw)
To: Harshit Mogalapalli, Srinivas Pandruvada, Ilpo Järvinen,
Zhang Rui, platform-driver-x86, linux-kernel
Cc: dan.carpenter, kernel-janitors, error27
Hi,
On 5/17/24 4:49 PM, Harshit Mogalapalli wrote:
> In tpmi_sst_dev_remove(), tpmi_sst is dereferenced after being freed.
> Fix this by reordering the kfree() post the dereference.
>
> Fixes: 9d1d36268f3d ("platform/x86: ISST: Support partitioned systems")
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
> Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Thank you for your patch, I've applied this patch to my review-hans
branch:
https://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86.git/log/?h=review-hans
Note it will show up in my review-hans branch once I've pushed my
local branch there, which might take a while.
I will include this patch in my next fixes pull-req to Linus
for the current kernel development cycle.
Regards,
Hans
> ---
> v1->v2: Add R.B from Hans and fix commit message wrapping to 75 chars.
> This is found by smatch and only compile tested.
> ---
> drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c b/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
> index 7bac7841ff0a..7fa360073f6e 100644
> --- a/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
> +++ b/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
> @@ -1610,8 +1610,8 @@ void tpmi_sst_dev_remove(struct auxiliary_device *auxdev)
> tpmi_sst->partition_mask_current &= ~BIT(plat_info->partition);
> /* Free the package instance when the all partitions are removed */
> if (!tpmi_sst->partition_mask_current) {
> - kfree(tpmi_sst);
> isst_common.sst_inst[tpmi_sst->package_id] = NULL;
> + kfree(tpmi_sst);
> }
> mutex_unlock(&isst_tpmi_dev_lock);
> }
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2024-05-27 9:29 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-17 14:49 [PATCH v2] platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove() Harshit Mogalapalli
2024-05-17 15:15 ` srinivas pandruvada
2024-05-18 17:30 ` Markus Elfring
2024-05-20 9:38 ` Ilpo Järvinen
2024-05-20 10:56 ` [v2] " Markus Elfring
2024-05-20 17:49 ` Hans de Goede
2024-05-21 5:15 ` Markus Elfring
2024-05-21 10:06 ` Ilpo Järvinen
2024-05-21 10:42 ` Markus Elfring
2024-05-21 10:56 ` Ilpo Järvinen
2024-05-21 11:09 ` Markus Elfring
2024-05-27 9:29 ` [PATCH v2] " Hans de Goede
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox