LKML Archive on lore.kernel.org
From: Saravana Kannan <saravanak@google.com>
To: Rob Herring <robh+dt@kernel.org>
Cc: Wentao_Liang <Wentao_Liang_g@163.com>,
Frank Rowand <frowand.list@gmail.com>,
devicetree@vger.kernel.org,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] drivers:of:property.c: fix a potential double put (release) bug
Date: Wed, 18 Aug 2021 18:11:57 -0700
Message-ID: <CAGETcx-C1avGdGLS=X7pc-q3u_BZv7wJwMWEJ6KFbDYYafeP2A@mail.gmail.com>
In-Reply-To: <CAL_JsqLfvfi42QGkM_WqKUm0GPZ6z=ybBz9kaR5UakKd0mzGEw@mail.gmail.com>
On Wed, Aug 18, 2021 at 7:07 AM Rob Herring <robh+dt@kernel.org> wrote:
>
> +Saravana
>
> On Wed, Aug 18, 2021 at 8:26 AM Wentao_Liang <Wentao_Liang_g@163.com> wrote:
> >
> > In line 1423 (#1), of_link_to_phandle() is called. In the function
> > (line 1140, #2), "of_node_put(sup_np);" drops the reference to phandle
> > and may cause phandle to be released. However, after the function
> > returns, the phandle is subsequently dropped again (line 1424, #3) by
> > the same put function. Double putting the phandle can lead to an
> > incorrect reference count.
> >
> > We believe that the first put of the phandle is unnecessary (#3). We
> > can fix the above bug by removing the redundant "of_node_put()" in line
> > 1423.
> >
> > 1401 static int of_link_property(struct device_node *con_np,
> > const char *prop_name)
> > 1402 {
> > ...
> > 1409 while (!matched && s->parse_prop) {
> > ...
> > 1414
> > 1415 while ((phandle = s->parse_prop(con_np, prop_name, i))) {
> > ...
> > //#1 phandle is dropped in this function
> > 1423 of_link_to_phandle(con_dev_np, phandle);
> >
> > 1424 of_node_put(phandle); //#3 the second drop to phandle
> >
> > 1425 of_node_put(con_dev_np);
> > 1426 }
> > ...
> > 1428 }
> > 1429 return 0;
> > 1430 }
> >
> > 1095 static int of_link_to_phandle(struct device_node *con_np,
> > 1096 struct device_node *sup_np)
> > 1097 {
> > 1098 struct device *sup_dev;
> > 1099 struct device_node *tmp_np = sup_np;
> > ...
> > 1140 of_node_put(sup_np); //#2 the first drop to phandle (unnecessary)
> > 1141
> > 1142 return 0;
> > 1143 }
> >
> > Signed-off-by: Wentao_Liang <Wentao_Liang_g@163.com>
> > ---
> > drivers/of/property.c | 1 -
> > 1 file changed, 1 deletion(-)
> >
> > diff --git a/drivers/of/property.c b/drivers/of/property.c
> > index 6c028632f425..408fdde1a20c 100644
> > --- a/drivers/of/property.c
> > +++ b/drivers/of/property.c
> > @@ -1137,7 +1137,6 @@ static int of_link_to_phandle(struct device_node *con_np,
> > put_device(sup_dev);
> >
> > fwnode_link_add(of_fwnode_handle(con_np), of_fwnode_handle(sup_np));
> > - of_node_put(sup_np);
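Review bot: Deleting the final `of_node_put(sup_np);` after fwnode_link_add() unbalances the success path instead of removing a duplicate: the excerpt in the description saves the incoming pointer in tmp_np (line 1099), which indicates sup_np is reassigned in the elided body, so the put being removed releases whichever node sup_np refers to at that point, not necessarily the phandle node the caller still drops at line 1424. The error returns in the elided region are untouched by this hunk, so after the change the function would release that node on some paths and not on others. Suggest first establishing which side owns the reference on the reassigned sup_np (the one taken inside of_get_compat_node() versus the caller's reference from parse_prop) and fixing the side that actually double-drops, keeping this put unless that analysis shows it is the redundant one.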
Hi Wentao,
Thanks for noticing and reporting the bug! Your analysis is correct,
but the fix is definitely wrong. For one, the reference to the node
phandle is pointing to can be dropped in of_link_to_phandle() when it
calls of_get_compat_node(). It could also be dropped in one of the
error paths. So, now you'll be incorrectly dropping the reference for
the wrong node. Let me send out a fix and mention you as the
reporter.
Thanks,
Saravana
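To make the ownership argument in the reply concrete, here is a small added model of the reference flow (my own code, not the kernel's): get_compat_node() stands in for of_get_compat_node() and is assumed to take its own reference and walk up to the nearest node with a "compatible" property, so the node released by the final put inside link_to_phandle() may not be the phandle node the caller holds. Dropping that put, as the posted patch does, leaves a reference dangling on whichever node was returned.

```c
#include <stddef.h>
/* Simplified stand-in (assumed, not kernel code) for the reference flow
 * discussed above; nodes carry an explicit refcount so each put is visible. */
struct node {
	struct node *parent;
	int refcount;
	int has_compatible;
};
static void node_get(struct node *n) { if (n) n->refcount++; }
static void node_put(struct node *n) { if (n) n->refcount--; }

/* Models of_get_compat_node(): takes its own reference, then walks up to the
 * nearest node with a "compatible" property, moving that reference to each
 * parent on the way. The node returned may differ from the one passed in. */
static struct node *get_compat_node(struct node *np)
{
	node_get(np);
	while (np && !np->has_compatible) {
		struct node *parent = np->parent;
		node_get(parent);
		node_put(np);
		np = parent;
	}
	return np;
}

/* Models of_link_to_phandle(): the final put releases the reference that
 * get_compat_node() took; keep_final_put == 0 reproduces the posted patch. */
static int link_to_phandle(struct node *sup_np, int keep_final_put)
{
	sup_np = get_compat_node(sup_np);
	if (!sup_np)
		return -1;
	if (keep_final_put)
		node_put(sup_np);
	return 0;
}

/* Caller side, as in of_link_property(): the caller holds one reference on
 * the phandle node and drops exactly that one. Returns how many references
 * are left dangling across both nodes (0 means balanced). */
static int run_scenario(int keep_final_put, int phandle_has_compatible)
{
	struct node parent = { NULL, 1, 1 };
	struct node child = { &parent, 1, phandle_has_compatible };
	node_get(&child);                /* reference handed out by parse_prop */
	link_to_phandle(&child, keep_final_put);
	node_put(&child);                /* the caller's of_node_put(phandle) */
	return (parent.refcount - 1) + (child.refcount - 1);
}
```

With the put kept, both the walk-to-parent case and the direct case come out balanced; with it removed, one reference is leaked in each case, on the parent when the walk happens.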