| Message ID | 1545033396-24485-1-git-send-email-frowand.list@gmail.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | of: phandle_cache, fix refcounts, remove stale entry | expand |
On Mon, Dec 17, 2018 at 1:56 AM <frowand.list@gmail.com> wrote: > > From: Frank Rowand <frank.rowand@sony.com> > > Non-overlay dynamic devicetree node removal may leave the node in > the phandle cache. Subsequent calls to of_find_node_by_phandle() > will incorrectly find the stale entry. This bug exposed the foloowing > phandle cache refcount bug. > > The refcount of phandle_cache entries is not incremented while in > the cache, allowing use after free error after kfree() of the > cached entry. > > Changes since v1: > - make __of_free_phandle_cache() static > - add WARN_ON(1) for unexpected condition in of_find_node_by_phandle() > > Frank Rowand (2): > of: of_node_get()/of_node_put() nodes held in phandle cache > of: __of_detach_node() - remove node from phandle cache I'll send this to Linus this week if I get a tested by. Otherwise, it will go in for 4.21. Rob
Rob Herring <robh+dt@kernel.org> writes: > On Mon, Dec 17, 2018 at 1:56 AM <frowand.list@gmail.com> wrote: >> >> From: Frank Rowand <frank.rowand@sony.com> >> >> Non-overlay dynamic devicetree node removal may leave the node in >> the phandle cache. Subsequent calls to of_find_node_by_phandle() >> will incorrectly find the stale entry. This bug exposed the foloowing >> phandle cache refcount bug. >> >> The refcount of phandle_cache entries is not incremented while in >> the cache, allowing use after free error after kfree() of the >> cached entry. >> >> Changes since v1: >> - make __of_free_phandle_cache() static >> - add WARN_ON(1) for unexpected condition in of_find_node_by_phandle() >> >> Frank Rowand (2): >> of: of_node_get()/of_node_put() nodes held in phandle cache >> of: __of_detach_node() - remove node from phandle cache > > I'll send this to Linus this week if I get a tested by. Otherwise, it > will go in for 4.21. I think it can wait to go into 4.21, it's not super critical and it's not a regression since 4.19. cheers
From: Frank Rowand <frank.rowand@sony.com> Non-overlay dynamic devicetree node removal may leave the node in the phandle cache. Subsequent calls to of_find_node_by_phandle() will incorrectly find the stale entry. This bug exposed the foloowing phandle cache refcount bug. The refcount of phandle_cache entries is not incremented while in the cache, allowing use after free error after kfree() of the cached entry. Changes since v1: - make __of_free_phandle_cache() static - add WARN_ON(1) for unexpected condition in of_find_node_by_phandle() Frank Rowand (2): of: of_node_get()/of_node_put() nodes held in phandle cache of: __of_detach_node() - remove node from phandle cache drivers/of/base.c | 100 ++++++++++++++++++++++++++++++++++++------------ drivers/of/dynamic.c | 3 ++ drivers/of/of_private.h | 4 ++ 3 files changed, 82 insertions(+), 25 deletions(-)