LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Joel Stanley <joel@jms.id.au>
To: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Eddie James <eajames@linux.vnet.ibm.com>,
linux-i2c@vger.kernel.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
devicetree <devicetree@vger.kernel.org>,
Wolfram Sang <wsa@the-dreams.de>,
Rob Herring <robh+dt@kernel.org>,
Mark Rutland <mark.rutland@arm.com>,
Greg KH <gregkh@linuxfoundation.org>,
Randy Dunlap <rdunlap@infradead.org>,
Andy Shevchenko <andy.shevchenko@gmail.com>,
Peter Rosin <peda@axentia.se>
Subject: Re: [PATCH v10 3/7] i2c: fsi: Add port structures
Date: Wed, 20 Jun 2018 13:29:04 +0930 [thread overview]
Message-ID: <CACPK8XdQvRcS+n33BT=Fwm4OoMfck5B3NX=QKJc0HgoqMjwXTg@mail.gmail.com> (raw)
In-Reply-To: <5d1f980286e2bba566421ebb29721770303fcf09.camel@kernel.crashing.org>
On 20 June 2018 at 13:04, Benjamin Herrenschmidt
<benh@kernel.crashing.org> wrote:
> On Wed, 2018-06-13 at 14:36 -0500, Eddie James wrote:
>> }
>>
>> +static int fsi_i2c_remove(struct device *dev)
>> +{
>> + struct fsi_i2c_master *i2c = dev_get_drvdata(dev);
>> + struct fsi_i2c_port *port;
>> +
>> + list_for_each_entry(port, &i2c->ports, list) {
>> + i2c_del_adapter(&port->adapter);
>> + kfree(port);
>> + }
>> +
>> + return 0;
>> +}
>> +
>
> This is a use-after-free, the list linkage of the freed port is used to
> get to the next one. With memory poisoning, kbooom !
>
> You can fold that in:
>
> From f9d9092160897e7308f6990067a03e937339537f Mon Sep 17 00:00:00 2001
> From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
> Date: Wed, 20 Jun 2018 13:27:32 +1000
> Subject: [PATCH] i2c: fsi: Fix use after free
This fixes the issue I was seeing. For the series:
Tested-by: Joel Stanley <joel@jms.id.au>
Thanks,
Joel
>
> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
> ---
> drivers/i2c/busses/i2c-fsi.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/i2c/busses/i2c-fsi.c b/drivers/i2c/busses/i2c-fsi.c
> index 713959b44403..ff69ab6aa79a 100644
> --- a/drivers/i2c/busses/i2c-fsi.c
> +++ b/drivers/i2c/busses/i2c-fsi.c
> @@ -696,9 +696,10 @@ static int fsi_i2c_probe(struct device *dev)
> static int fsi_i2c_remove(struct device *dev)
> {
> struct fsi_i2c_master *i2c = dev_get_drvdata(dev);
> - struct fsi_i2c_port *port;
> + struct fsi_i2c_port *port, *tmp;
>
> - list_for_each_entry(port, &i2c->ports, list) {
> + list_for_each_entry_safe(port,tmp, &i2c->ports, list) {
> + list_del(&port->list);
> i2c_del_adapter(&port->adapter);
> kfree(port);
> }
>
next prev parent reply other threads:[~2018-06-20 3:59 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-13 19:36 [PATCH v10 0/7] i2c: Add FSI-attached I2C master algorithm Eddie James
2018-06-13 19:36 ` [PATCH v10 1/7] dt-bindings: i2c: Add FSI-attached I2C master dt binding documentation Eddie James
2018-06-26 2:39 ` Wolfram Sang
2018-06-13 19:36 ` [PATCH v10 2/7] i2c: Add FSI-attached I2C master algorithm Eddie James
2018-06-13 19:36 ` [PATCH v10 3/7] i2c: fsi: Add port structures Eddie James
2018-06-20 3:34 ` Benjamin Herrenschmidt
2018-06-20 3:59 ` Joel Stanley [this message]
2018-06-13 19:36 ` [PATCH v10 4/7] i2c: fsi: Add abort and hardware reset procedures Eddie James
2018-06-26 2:38 ` Wolfram Sang
2018-06-27 13:48 ` Eddie James
2018-07-02 18:15 ` Wolfram Sang
2018-07-05 18:50 ` Eddie James
2018-07-05 22:06 ` Wolfram Sang
2018-06-13 19:36 ` [PATCH v10 5/7] i2c: fsi: Add transfer implementation Eddie James
2018-06-26 2:38 ` Wolfram Sang
2018-06-27 13:21 ` Eddie James
2018-07-02 18:24 ` Wolfram Sang
2018-07-05 18:52 ` Eddie James
2018-07-05 21:59 ` Wolfram Sang
2018-06-13 19:36 ` [PATCH v10 6/7] i2c: fsi: Add I2C master locking Eddie James
2018-06-13 19:36 ` [PATCH v10 7/7] i2c: fsi: Add bus recovery Eddie James
2018-06-26 2:38 ` Wolfram Sang
2018-06-27 13:32 ` Eddie James
2018-07-02 18:16 ` Wolfram Sang
2018-06-14 9:05 ` [PATCH v10 0/7] i2c: Add FSI-attached I2C master algorithm Andy Shevchenko
2018-06-18 4:53 ` Joel Stanley
2018-06-26 2:39 ` Wolfram Sang
2018-06-27 13:53 ` Eddie James
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACPK8XdQvRcS+n33BT=Fwm4OoMfck5B3NX=QKJc0HgoqMjwXTg@mail.gmail.com' \
--to=joel@jms.id.au \
--cc=andy.shevchenko@gmail.com \
--cc=benh@kernel.crashing.org \
--cc=devicetree@vger.kernel.org \
--cc=eajames@linux.vnet.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-i2c@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=peda@axentia.se \
--cc=rdunlap@infradead.org \
--cc=robh+dt@kernel.org \
--cc=wsa@the-dreams.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).