From: "Schmid, Carsten" <Carsten_Schmid@mentor.com>
To: Linus Torvalds <torvalds@linux-foundation.org>,
	Wei Yang <richard.weiyang@gmail.com>
Cc: "bp@suse.de" <bp@suse.de>,
	"dan.j.williams@intel.com" <dan.j.williams@intel.com>,
	"mingo@kernel.org" <mingo@kernel.org>,
	"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"bhelgaas@google.com" <bhelgaas@google.com>,
	"osalvador@suse.de" <osalvador@suse.de>,
	"rdunlap@infradead.org" <rdunlap@infradead.org>,
	"richardw.yang@linux.intel.com" <richardw.yang@linux.intel.com>,
	"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Subject: [PATCH v2] kernel/resource.c: invalidate parent when freed resource has childs
Date: Wed, 14 Aug 2019 14:48:24 +0000
Message-ID: <1565794104204.54092@mentor.com>
In-Reply-To: <CAHk-=wi_9sdMxurjZ1MbNnxt-pA=dqoyf8Fdn9aYc8xvjjnTBg@mail.gmail.com>

When a resource is freed and has children, the children are
left without any hint that their parent is no longer valid.
This caused at least one use-after-free in the xhci-hcd using
ext-caps driver when platform code released platform devices.

In such a case, warn and release all resources beyond.

Signed-off-by: Carsten Schmid <carsten_schmid@mentor.com>
---
v2:
- release everything below the released resource, not only
  one child; re-using __release_child_resources
  (Inspired by Linus Torvalds' outline)
- warn only once
  (According to Linus Torvalds' outline)
- Keep parent and child name in warning message
  (eases hunting for the involved parties)
---
 kernel/resource.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/kernel/resource.c b/kernel/resource.c
index c3cc6d85ec52..eb48d793aa74 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -239,7 +239,7 @@ static int __release_resource(struct resource *old, bool release_child)
 	return -EINVAL;
 }
 
-static void __release_child_resources(struct resource *r)
+static void __release_child_resources(struct resource *r, bool warn)
 {
 	struct resource *tmp, *p;
 	resource_size_t size;
@@ -252,9 +252,10 @@ static void __release_child_resources(struct resource *r)
 
 		tmp->parent = NULL;
 		tmp->sibling = NULL;
-		__release_child_resources(tmp);
+		__release_child_resources(tmp, warn);
 
-		printk(KERN_DEBUG "release child resource %pR\n", tmp);
+		if (warn)
+			printk(KERN_DEBUG "release child resource %pR\n", tmp);
 		/* need to restore size, and keep flags */
 		size = resource_size(tmp);
 		tmp->start = 0;
@@ -265,7 +266,7 @@ static void __release_child_resources(struct resource *r)
 void release_child_resources(struct resource *r)
 {
 	write_lock(&resource_lock);
-	__release_child_resources(r);
+	__release_child_resources(r, true);
 	write_unlock(&resource_lock);
 }
 
@@ -1172,7 +1173,20 @@ EXPORT_SYMBOL(__request_region);
  * @n: resource region size
  *
  * The described resource region must match a currently busy region.
+ * If the region has children they are released too.
  */
+static void check_children(struct resource *parent)
+{
+	if (parent->child) {
+		/* warn and release all children */
+		WARN_ONCE(1, "%s: %s has child %s, release all children\n",
+				__func__, parent->name, parent->child->name);
+		write_lock(&resource_lock);
+		__release_child_resources(parent, false);
+		write_unlock(&resource_lock);
+	}
+}
+
 void __release_region(struct resource *parent, resource_size_t start,
 		      resource_size_t n)
 {
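Review bot: `check_children()` is inserted between the kernel-doc block and `__release_region()`, so that comment (including the added line "If the region has children they are released too.") now documents `check_children()` instead of `__release_region()`; move the helper above the comment block and give it its own short comment. Two further points in the helper: `__func__` inside `WARN_ONCE` will print "check_children", not "__release_region", which is the function the caller actually released from, and `parent->child` / `parent->child->name` are dereferenced before `write_lock(&resource_lock)` is taken, so the child pointer can change between the test and the release; take the lock first and re-test `parent->child` under it.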
@@ -1200,6 +1214,10 @@ void __release_region(struct resource *parent, resource_size_t start,
 			write_unlock(&resource_lock);
 			if (res->flags & IORESOURCE_MUXED)
 				wake_up(&muxed_resource_wait);
+
+			/* You should'nt release a resource that has children */
+			check_children(res);
+
 			free_resource(res);
 			return;
 		}
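Review bot: `check_children(res)` is called after `write_unlock(&resource_lock)`, so the tree is unlocked between unlinking `res` and releasing its children, and the helper then re-takes the same lock; calling `__release_child_resources(res, false)` while the lock is still held, before the unlock two lines above, avoids the drop/re-take window. Minor: the comment typo "should'nt" should read "shouldn't", and it would help readers to say what the release does to the children (start/end reset so a later use hits a zeroed resource rather than freed memory).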
-- 
2.17.1