[PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Johan Hovold]

Fix child-node lookup during initialisation which was using the wrong
OF-helper and ended up searching the whole device tree depth-first
starting at the parent rather than just matching on its children.

To make things worse, the parent pci node could end up being prematurely
freed as of_find_node_by_name() drops a reference to its first argument.
Any matching child interrupt-controller node was also leaked.

Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
Cc: stable <stable@vger.kernel.org>     # 3.18
Acked-by: Murali Karicheri <m-karicheri2@ti.com>
Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---

v2
 - amend commit message and mention explicitly that of_find_node_by_name()
   drops a reference to the start node
 - add Murali's and Lorenzo's acks


 drivers/pci/dwc/pci-keystone.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/pci/dwc/pci-keystone.c b/drivers/pci/dwc/pci-keystone.c
index 5bee3af47588..39405598b22d 100644
--- a/drivers/pci/dwc/pci-keystone.c
+++ b/drivers/pci/dwc/pci-keystone.c
@@ -178,7 +178,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
 	}
 
 	/* interrupt controller is in a child node */
-	*np_temp = of_find_node_by_name(np_pcie, controller);
+	*np_temp = of_get_child_by_name(np_pcie, controller);
 	if (!(*np_temp)) {
 		dev_err(dev, "Node for %s is absent\n", controller);
 		return -EINVAL;
@@ -187,6 +187,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
 	temp = of_irq_count(*np_temp);
 	if (!temp) {
 		dev_err(dev, "No IRQ entries in %s\n", controller);
+		of_node_put(*np_temp);
 		return -EINVAL;
 	}
 
@@ -204,6 +205,8 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
 			break;
 	}
 
+	of_node_put(*np_temp);
+
 	if (temp) {
 		*num_irqs = temp;
 		return 0;
-- 
2.15.0

[PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Johan Hovold]

Fix child-node lookup during initialisation which was using the wrong
OF-helper and ended up searching the whole device tree depth-first
starting at the parent rather than just matching on its children.

To make things worse, the parent pci node could end up being prematurely
freed as of_find_node_by_name() drops a reference to its first argument.
Any matching child interrupt-controller node was also leaked.

Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
Cc: stable <stable@vger.kernel.org>     # 3.18
Acked-by: Murali Karicheri <m-karicheri2@ti.com>
Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---

v2
 - amend commit message and mention explicitly that of_find_node_by_name()
   drops a reference to the start node
 - add Murali's and Lorenzo's acks


 drivers/pci/dwc/pci-keystone.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/pci/dwc/pci-keystone.c b/drivers/pci/dwc/pci-keystone.c
index 5bee3af47588..39405598b22d 100644
--- a/drivers/pci/dwc/pci-keystone.c
+++ b/drivers/pci/dwc/pci-keystone.c
@@ -178,7 +178,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
 	}
 
 	/* interrupt controller is in a child node */
-	*np_temp = of_find_node_by_name(np_pcie, controller);
+	*np_temp = of_get_child_by_name(np_pcie, controller);
 	if (!(*np_temp)) {
 		dev_err(dev, "Node for %s is absent\n", controller);
 		return -EINVAL;
@@ -187,6 +187,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
 	temp = of_irq_count(*np_temp);
 	if (!temp) {
 		dev_err(dev, "No IRQ entries in %s\n", controller);
+		of_node_put(*np_temp);
 		return -EINVAL;
 	}
 
@@ -204,6 +205,8 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
 			break;
 	}
 
+	of_node_put(*np_temp);
+
 	if (temp) {
 		*num_irqs = temp;
 		return 0;
-- 
2.15.0


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Johan Hovold]

Fix child-node lookup during initialisation which was using the wrong
OF-helper and ended up searching the whole device tree depth-first
starting at the parent rather than just matching on its children.

To make things worse, the parent pci node could end up being prematurely
freed as of_find_node_by_name() drops a reference to its first argument.
Any matching child interrupt-controller node was also leaked.

Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
Cc: stable <stable@vger.kernel.org>     # 3.18
Acked-by: Murali Karicheri <m-karicheri2@ti.com>
Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---

v2
 - amend commit message and mention explicitly that of_find_node_by_name()
   drops a reference to the start node
 - add Murali's and Lorenzo's acks


 drivers/pci/dwc/pci-keystone.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/pci/dwc/pci-keystone.c b/drivers/pci/dwc/pci-keystone.c
index 5bee3af47588..39405598b22d 100644
--- a/drivers/pci/dwc/pci-keystone.c
+++ b/drivers/pci/dwc/pci-keystone.c
@@ -178,7 +178,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
 	}
 
 	/* interrupt controller is in a child node */
-	*np_temp = of_find_node_by_name(np_pcie, controller);
+	*np_temp = of_get_child_by_name(np_pcie, controller);
 	if (!(*np_temp)) {
 		dev_err(dev, "Node for %s is absent\n", controller);
 		return -EINVAL;
@@ -187,6 +187,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
 	temp = of_irq_count(*np_temp);
 	if (!temp) {
 		dev_err(dev, "No IRQ entries in %s\n", controller);
+		of_node_put(*np_temp);
 		return -EINVAL;
 	}
 
@@ -204,6 +205,8 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
 			break;
 	}
 
+	of_node_put(*np_temp);
+
 	if (temp) {
 		*num_irqs = temp;
 		return 0;
-- 
2.15.0

Re: [PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Johan Hovold]

On Fri, Nov 17, 2017 at 02:38:31PM +0100, Johan Hovold wrote:
> Fix child-node lookup during initialisation which was using the wrong
> OF-helper and ended up searching the whole device tree depth-first
> starting at the parent rather than just matching on its children.
> 
> To make things worse, the parent pci node could end up being prematurely
> freed as of_find_node_by_name() drops a reference to its first argument.
> Any matching child interrupt-controller node was also leaked.
> 
> Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
> Cc: stable <stable@vger.kernel.org>     # 3.18
> Acked-by: Murali Karicheri <m-karicheri2@ti.com>
> Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
> 
> v2
>  - amend commit message and mention explicitly that of_find_node_by_name()
>    drops a reference to the start node
>  - add Murali's and Lorenzo's acks

This one hasn't shown up in linux-next, so sending a reminder to make
sure it doesn't fall between the cracks.

Thanks,
Johan

Re: [PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Johan Hovold]

On Fri, Nov 17, 2017 at 02:38:31PM +0100, Johan Hovold wrote:
> Fix child-node lookup during initialisation which was using the wrong
> OF-helper and ended up searching the whole device tree depth-first
> starting at the parent rather than just matching on its children.
> 
> To make things worse, the parent pci node could end up being prematurely
> freed as of_find_node_by_name() drops a reference to its first argument.
> Any matching child interrupt-controller node was also leaked.
> 
> Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
> Cc: stable <stable@vger.kernel.org>     # 3.18
> Acked-by: Murali Karicheri <m-karicheri2@ti.com>
> Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
> 
> v2
>  - amend commit message and mention explicitly that of_find_node_by_name()
>    drops a reference to the start node
>  - add Murali's and Lorenzo's acks

This one hasn't shown up in linux-next, so sending a reminder to make
sure it doesn't fall between the cracks.

Thanks,
Johan

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Johan Hovold]

On Fri, Nov 17, 2017 at 02:38:31PM +0100, Johan Hovold wrote:
> Fix child-node lookup during initialisation which was using the wrong
> OF-helper and ended up searching the whole device tree depth-first
> starting at the parent rather than just matching on its children.
> 
> To make things worse, the parent pci node could end up being prematurely
> freed as of_find_node_by_name() drops a reference to its first argument.
> Any matching child interrupt-controller node was also leaked.
> 
> Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
> Cc: stable <stable@vger.kernel.org>     # 3.18
> Acked-by: Murali Karicheri <m-karicheri2@ti.com>
> Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
> 
> v2
>  - amend commit message and mention explicitly that of_find_node_by_name()
>    drops a reference to the start node
>  - add Murali's and Lorenzo's acks

This one hasn't shown up in linux-next, so sending a reminder to make
sure it doesn't fall between the cracks.

Thanks,
Johan

Re: [PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Lorenzo Pieralisi]

On Mon, Dec 11, 2017 at 11:29:55AM +0100, Johan Hovold wrote:
> On Fri, Nov 17, 2017 at 02:38:31PM +0100, Johan Hovold wrote:
> > Fix child-node lookup during initialisation which was using the wrong
> > OF-helper and ended up searching the whole device tree depth-first
> > starting at the parent rather than just matching on its children.
> > 
> > To make things worse, the parent pci node could end up being prematurely
> > freed as of_find_node_by_name() drops a reference to its first argument.
> > Any matching child interrupt-controller node was also leaked.
> > 
> > Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
> > Cc: stable <stable@vger.kernel.org>     # 3.18
> > Acked-by: Murali Karicheri <m-karicheri2@ti.com>
> > Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> > Signed-off-by: Johan Hovold <johan@kernel.org>
> > ---
> > 
> > v2
> >  - amend commit message and mention explicitly that of_find_node_by_name()
> >    drops a reference to the start node
> >  - add Murali's and Lorenzo's acks
> 
> This one hasn't shown up in linux-next, so sending a reminder to make
> sure it doesn't fall between the cracks.

Hi Johan,

yes it is in the list of fixes to be sent upstream - I was about to
ask Bjorn to apply it.

Thanks,
Lorenzo

Re: [PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Lorenzo Pieralisi]

On Mon, Dec 11, 2017 at 11:29:55AM +0100, Johan Hovold wrote:
> On Fri, Nov 17, 2017 at 02:38:31PM +0100, Johan Hovold wrote:
> > Fix child-node lookup during initialisation which was using the wrong
> > OF-helper and ended up searching the whole device tree depth-first
> > starting at the parent rather than just matching on its children.
> > 
> > To make things worse, the parent pci node could end up being prematurely
> > freed as of_find_node_by_name() drops a reference to its first argument.
> > Any matching child interrupt-controller node was also leaked.
> > 
> > Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
> > Cc: stable <stable@vger.kernel.org>     # 3.18
> > Acked-by: Murali Karicheri <m-karicheri2@ti.com>
> > Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> > Signed-off-by: Johan Hovold <johan@kernel.org>
> > ---
> > 
> > v2
> >  - amend commit message and mention explicitly that of_find_node_by_name()
> >    drops a reference to the start node
> >  - add Murali's and Lorenzo's acks
> 
> This one hasn't shown up in linux-next, so sending a reminder to make
> sure it doesn't fall between the cracks.

Hi Johan,

yes it is in the list of fixes to be sent upstream - I was about to
ask Bjorn to apply it.

Thanks,
Lorenzo

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Lorenzo Pieralisi]

On Mon, Dec 11, 2017 at 11:29:55AM +0100, Johan Hovold wrote:
> On Fri, Nov 17, 2017 at 02:38:31PM +0100, Johan Hovold wrote:
> > Fix child-node lookup during initialisation which was using the wrong
> > OF-helper and ended up searching the whole device tree depth-first
> > starting at the parent rather than just matching on its children.
> > 
> > To make things worse, the parent pci node could end up being prematurely
> > freed as of_find_node_by_name() drops a reference to its first argument.
> > Any matching child interrupt-controller node was also leaked.
> > 
> > Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
> > Cc: stable <stable@vger.kernel.org>     # 3.18
> > Acked-by: Murali Karicheri <m-karicheri2@ti.com>
> > Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> > Signed-off-by: Johan Hovold <johan@kernel.org>
> > ---
> > 
> > v2
> >  - amend commit message and mention explicitly that of_find_node_by_name()
> >    drops a reference to the start node
> >  - add Murali's and Lorenzo's acks
> 
> This one hasn't shown up in linux-next, so sending a reminder to make
> sure it doesn't fall between the cracks.

Hi Johan,

yes it is in the list of fixes to be sent upstream - I was about to
ask Bjorn to apply it.

Thanks,
Lorenzo

Re: [PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Bjorn Helgaas]

On Mon, Dec 11, 2017 at 10:42:33AM +0000, Lorenzo Pieralisi wrote:
> On Mon, Dec 11, 2017 at 11:29:55AM +0100, Johan Hovold wrote:
> > On Fri, Nov 17, 2017 at 02:38:31PM +0100, Johan Hovold wrote:
> > > Fix child-node lookup during initialisation which was using the wrong
> > > OF-helper and ended up searching the whole device tree depth-first
> > > starting at the parent rather than just matching on its children.
> > > 
> > > To make things worse, the parent pci node could end up being prematurely
> > > freed as of_find_node_by_name() drops a reference to its first argument.
> > > Any matching child interrupt-controller node was also leaked.
> > > 
> > > Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
> > > Cc: stable <stable@vger.kernel.org>     # 3.18
> > > Acked-by: Murali Karicheri <m-karicheri2@ti.com>
> > > Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> > > Signed-off-by: Johan Hovold <johan@kernel.org>
> > > ---
> > > 
> > > v2
> > >  - amend commit message and mention explicitly that of_find_node_by_name()
> > >    drops a reference to the start node
> > >  - add Murali's and Lorenzo's acks
> > 
> > This one hasn't shown up in linux-next, so sending a reminder to make
> > sure it doesn't fall between the cracks.
> 
> Hi Johan,
> 
> yes it is in the list of fixes to be sent upstream - I was about to
> ask Bjorn to apply it.

Is this something that needs to be merged for v4.15?  If so, I need to
be able to defend it to Linus as being a critical fix.  If the issue
been around for 3 years (v3.18 was tagged Dec 7 2014), that requires
pretty "clear and present danger."

>From the commit log, I see a sub-optimal search (not critical), a
possible use-after-free (could conceivably be critical if people are
tripping over this, but would need more specifics about that), and a
leak (not critical).

Given what I can see now, my inclination would be for Lorenzo to queue
it for v4.16, which would still get in linux-next soonish.

Bjorn

[PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Bjorn Helgaas]

On Mon, Dec 11, 2017 at 10:42:33AM +0000, Lorenzo Pieralisi wrote:
> On Mon, Dec 11, 2017 at 11:29:55AM +0100, Johan Hovold wrote:
> > On Fri, Nov 17, 2017 at 02:38:31PM +0100, Johan Hovold wrote:
> > > Fix child-node lookup during initialisation which was using the wrong
> > > OF-helper and ended up searching the whole device tree depth-first
> > > starting at the parent rather than just matching on its children.
> > > 
> > > To make things worse, the parent pci node could end up being prematurely
> > > freed as of_find_node_by_name() drops a reference to its first argument.
> > > Any matching child interrupt-controller node was also leaked.
> > > 
> > > Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
> > > Cc: stable <stable@vger.kernel.org>     # 3.18
> > > Acked-by: Murali Karicheri <m-karicheri2@ti.com>
> > > Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> > > Signed-off-by: Johan Hovold <johan@kernel.org>
> > > ---
> > > 
> > > v2
> > >  - amend commit message and mention explicitly that of_find_node_by_name()
> > >    drops a reference to the start node
> > >  - add Murali's and Lorenzo's acks
> > 
> > This one hasn't shown up in linux-next, so sending a reminder to make
> > sure it doesn't fall between the cracks.
> 
> Hi Johan,
> 
> yes it is in the list of fixes to be sent upstream - I was about to
> ask Bjorn to apply it.

Is this something that needs to be merged for v4.15?  If so, I need to
be able to defend it to Linus as being a critical fix.  If the issue
been around for 3 years (v3.18 was tagged Dec 7 2014), that requires
pretty "clear and present danger."

>From the commit log, I see a sub-optimal search (not critical), a
possible use-after-free (could conceivably be critical if people are
tripping over this, but would need more specifics about that), and a
leak (not critical).

Given what I can see now, my inclination would be for Lorenzo to queue
it for v4.16, which would still get in linux-next soonish.

Bjorn

Re: [PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Lorenzo Pieralisi]

On Tue, Dec 12, 2017 at 11:25:37AM -0600, Bjorn Helgaas wrote:
> On Mon, Dec 11, 2017 at 10:42:33AM +0000, Lorenzo Pieralisi wrote:
> > On Mon, Dec 11, 2017 at 11:29:55AM +0100, Johan Hovold wrote:
> > > On Fri, Nov 17, 2017 at 02:38:31PM +0100, Johan Hovold wrote:
> > > > Fix child-node lookup during initialisation which was using the wrong
> > > > OF-helper and ended up searching the whole device tree depth-first
> > > > starting at the parent rather than just matching on its children.
> > > > 
> > > > To make things worse, the parent pci node could end up being prematurely
> > > > freed as of_find_node_by_name() drops a reference to its first argument.
> > > > Any matching child interrupt-controller node was also leaked.
> > > > 
> > > > Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
> > > > Cc: stable <stable@vger.kernel.org>     # 3.18
> > > > Acked-by: Murali Karicheri <m-karicheri2@ti.com>
> > > > Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> > > > Signed-off-by: Johan Hovold <johan@kernel.org>
> > > > ---
> > > > 
> > > > v2
> > > >  - amend commit message and mention explicitly that of_find_node_by_name()
> > > >    drops a reference to the start node
> > > >  - add Murali's and Lorenzo's acks
> > > 
> > > This one hasn't shown up in linux-next, so sending a reminder to make
> > > sure it doesn't fall between the cracks.
> > 
> > Hi Johan,
> > 
> > yes it is in the list of fixes to be sent upstream - I was about to
> > ask Bjorn to apply it.
> 
> Is this something that needs to be merged for v4.15?  If so, I need to
> be able to defend it to Linus as being a critical fix.  If the issue
> been around for 3 years (v3.18 was tagged Dec 7 2014), that requires
> pretty "clear and present danger."
> 
> From the commit log, I see a sub-optimal search (not critical), a
> possible use-after-free (could conceivably be critical if people are
> tripping over this, but would need more specifics about that), and a
> leak (not critical).
> 
> Given what I can see now, my inclination would be for Lorenzo to queue
> it for v4.16, which would still get in linux-next soonish.

It is fine by me and I think, as already mentioned, that the stable
tag is dubious so I will probably drop it.

Lorenzo

[PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Lorenzo Pieralisi]

On Tue, Dec 12, 2017 at 11:25:37AM -0600, Bjorn Helgaas wrote:
> On Mon, Dec 11, 2017 at 10:42:33AM +0000, Lorenzo Pieralisi wrote:
> > On Mon, Dec 11, 2017 at 11:29:55AM +0100, Johan Hovold wrote:
> > > On Fri, Nov 17, 2017 at 02:38:31PM +0100, Johan Hovold wrote:
> > > > Fix child-node lookup during initialisation which was using the wrong
> > > > OF-helper and ended up searching the whole device tree depth-first
> > > > starting at the parent rather than just matching on its children.
> > > > 
> > > > To make things worse, the parent pci node could end up being prematurely
> > > > freed as of_find_node_by_name() drops a reference to its first argument.
> > > > Any matching child interrupt-controller node was also leaked.
> > > > 
> > > > Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
> > > > Cc: stable <stable@vger.kernel.org>     # 3.18
> > > > Acked-by: Murali Karicheri <m-karicheri2@ti.com>
> > > > Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> > > > Signed-off-by: Johan Hovold <johan@kernel.org>
> > > > ---
> > > > 
> > > > v2
> > > >  - amend commit message and mention explicitly that of_find_node_by_name()
> > > >    drops a reference to the start node
> > > >  - add Murali's and Lorenzo's acks
> > > 
> > > This one hasn't shown up in linux-next, so sending a reminder to make
> > > sure it doesn't fall between the cracks.
> > 
> > Hi Johan,
> > 
> > yes it is in the list of fixes to be sent upstream - I was about to
> > ask Bjorn to apply it.
> 
> Is this something that needs to be merged for v4.15?  If so, I need to
> be able to defend it to Linus as being a critical fix.  If the issue
> been around for 3 years (v3.18 was tagged Dec 7 2014), that requires
> pretty "clear and present danger."
> 
> From the commit log, I see a sub-optimal search (not critical), a
> possible use-after-free (could conceivably be critical if people are
> tripping over this, but would need more specifics about that), and a
> leak (not critical).
> 
> Given what I can see now, my inclination would be for Lorenzo to queue
> it for v4.16, which would still get in linux-next soonish.

It is fine by me and I think, as already mentioned, that the stable
tag is dubious so I will probably drop it.

Lorenzo

Re: [PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Johan Hovold]

On Tue, Dec 12, 2017 at 06:07:31PM +0000, Lorenzo Pieralisi wrote:
> On Tue, Dec 12, 2017 at 11:25:37AM -0600, Bjorn Helgaas wrote:
> > On Mon, Dec 11, 2017 at 10:42:33AM +0000, Lorenzo Pieralisi wrote:
> > > On Mon, Dec 11, 2017 at 11:29:55AM +0100, Johan Hovold wrote:
> > > > On Fri, Nov 17, 2017 at 02:38:31PM +0100, Johan Hovold wrote:
> > > > > Fix child-node lookup during initialisation which was using the wrong
> > > > > OF-helper and ended up searching the whole device tree depth-first
> > > > > starting at the parent rather than just matching on its children.
> > > > > 
> > > > > To make things worse, the parent pci node could end up being prematurely
> > > > > freed as of_find_node_by_name() drops a reference to its first argument.
> > > > > Any matching child interrupt-controller node was also leaked.
> > > > > 
> > > > > Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
> > > > > Cc: stable <stable@vger.kernel.org>     # 3.18
> > > > > Acked-by: Murali Karicheri <m-karicheri2@ti.com>
> > > > > Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> > > > > Signed-off-by: Johan Hovold <johan@kernel.org>
> > > > > ---
> > > > > 
> > > > > v2
> > > > >  - amend commit message and mention explicitly that of_find_node_by_name()
> > > > >    drops a reference to the start node
> > > > >  - add Murali's and Lorenzo's acks
> > > > 
> > > > This one hasn't shown up in linux-next, so sending a reminder to make
> > > > sure it doesn't fall between the cracks.
> > > 
> > > Hi Johan,
> > > 
> > > yes it is in the list of fixes to be sent upstream - I was about to
> > > ask Bjorn to apply it.
> > 
> > Is this something that needs to be merged for v4.15?  If so, I need to
> > be able to defend it to Linus as being a critical fix.  If the issue
> > been around for 3 years (v3.18 was tagged Dec 7 2014), that requires
> > pretty "clear and present danger."
> > 
> > From the commit log, I see a sub-optimal search (not critical), a
> > possible use-after-free (could conceivably be critical if people are
> > tripping over this, but would need more specifics about that), and a
> > leak (not critical).
> > 
> > Given what I can see now, my inclination would be for Lorenzo to queue
> > it for v4.16, which would still get in linux-next soonish.
> 
> It is fine by me and I think, as already mentioned, that the stable
> tag is dubious so I will probably drop it.

The unbalanced put can indeed cause serious problems, for example, after
probe deferrals. Crashes after probe deferrals has been reported for
other drivers with the same type of bug, and I have reproduced it
locally (using yet another driver).

I'm also fine with holding this one off for 4.16 (as we're at -rc3), but
I do think the stable tag is still warranted.

Johan

[PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Johan Hovold]

On Tue, Dec 12, 2017 at 06:07:31PM +0000, Lorenzo Pieralisi wrote:
> On Tue, Dec 12, 2017 at 11:25:37AM -0600, Bjorn Helgaas wrote:
> > On Mon, Dec 11, 2017 at 10:42:33AM +0000, Lorenzo Pieralisi wrote:
> > > On Mon, Dec 11, 2017 at 11:29:55AM +0100, Johan Hovold wrote:
> > > > On Fri, Nov 17, 2017 at 02:38:31PM +0100, Johan Hovold wrote:
> > > > > Fix child-node lookup during initialisation which was using the wrong
> > > > > OF-helper and ended up searching the whole device tree depth-first
> > > > > starting at the parent rather than just matching on its children.
> > > > > 
> > > > > To make things worse, the parent pci node could end up being prematurely
> > > > > freed as of_find_node_by_name() drops a reference to its first argument.
> > > > > Any matching child interrupt-controller node was also leaked.
> > > > > 
> > > > > Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
> > > > > Cc: stable <stable@vger.kernel.org>     # 3.18
> > > > > Acked-by: Murali Karicheri <m-karicheri2@ti.com>
> > > > > Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> > > > > Signed-off-by: Johan Hovold <johan@kernel.org>
> > > > > ---
> > > > > 
> > > > > v2
> > > > >  - amend commit message and mention explicitly that of_find_node_by_name()
> > > > >    drops a reference to the start node
> > > > >  - add Murali's and Lorenzo's acks
> > > > 
> > > > This one hasn't shown up in linux-next, so sending a reminder to make
> > > > sure it doesn't fall between the cracks.
> > > 
> > > Hi Johan,
> > > 
> > > yes it is in the list of fixes to be sent upstream - I was about to
> > > ask Bjorn to apply it.
> > 
> > Is this something that needs to be merged for v4.15?  If so, I need to
> > be able to defend it to Linus as being a critical fix.  If the issue
> > been around for 3 years (v3.18 was tagged Dec 7 2014), that requires
> > pretty "clear and present danger."
> > 
> > From the commit log, I see a sub-optimal search (not critical), a
> > possible use-after-free (could conceivably be critical if people are
> > tripping over this, but would need more specifics about that), and a
> > leak (not critical).
> > 
> > Given what I can see now, my inclination would be for Lorenzo to queue
> > it for v4.16, which would still get in linux-next soonish.
> 
> It is fine by me and I think, as already mentioned, that the stable
> tag is dubious so I will probably drop it.

The unbalanced put can indeed cause serious problems, for example, after
probe deferrals. Crashes after probe deferrals has been reported for
other drivers with the same type of bug, and I have reproduced it
locally (using yet another driver).

I'm also fine with holding this one off for 4.16 (as we're at -rc3), but
I do think the stable tag is still warranted.

Johan

Re: [PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Lorenzo Pieralisi]

On Fri, Nov 17, 2017 at 02:38:31PM +0100, Johan Hovold wrote:
> Fix child-node lookup during initialisation which was using the wrong
> OF-helper and ended up searching the whole device tree depth-first
> starting at the parent rather than just matching on its children.
> 
> To make things worse, the parent pci node could end up being prematurely
> freed as of_find_node_by_name() drops a reference to its first argument.
> Any matching child interrupt-controller node was also leaked.
> 
> Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
> Cc: stable <stable@vger.kernel.org>     # 3.18
> Acked-by: Murali Karicheri <m-karicheri2@ti.com>
> Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---

Applied to pci/keystone for v4.16.

Thanks,
Lorenzo

> v2
>  - amend commit message and mention explicitly that of_find_node_by_name()
>    drops a reference to the start node
>  - add Murali's and Lorenzo's acks
> 
> 
>  drivers/pci/dwc/pci-keystone.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/pci/dwc/pci-keystone.c b/drivers/pci/dwc/pci-keystone.c
> index 5bee3af47588..39405598b22d 100644
> --- a/drivers/pci/dwc/pci-keystone.c
> +++ b/drivers/pci/dwc/pci-keystone.c
> @@ -178,7 +178,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
>  	}
>  
>  	/* interrupt controller is in a child node */
> -	*np_temp = of_find_node_by_name(np_pcie, controller);
> +	*np_temp = of_get_child_by_name(np_pcie, controller);
>  	if (!(*np_temp)) {
>  		dev_err(dev, "Node for %s is absent\n", controller);
>  		return -EINVAL;
> @@ -187,6 +187,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
>  	temp = of_irq_count(*np_temp);
>  	if (!temp) {
>  		dev_err(dev, "No IRQ entries in %s\n", controller);
> +		of_node_put(*np_temp);
>  		return -EINVAL;
>  	}
>  
> @@ -204,6 +205,8 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
>  			break;
>  	}
>  
> +	of_node_put(*np_temp);
> +
>  	if (temp) {
>  		*num_irqs = temp;
>  		return 0;
> -- 
> 2.15.0
> 

[PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

[Lorenzo Pieralisi]

On Fri, Nov 17, 2017 at 02:38:31PM +0100, Johan Hovold wrote:
> Fix child-node lookup during initialisation which was using the wrong
> OF-helper and ended up searching the whole device tree depth-first
> starting at the parent rather than just matching on its children.
> 
> To make things worse, the parent pci node could end up being prematurely
> freed as of_find_node_by_name() drops a reference to its first argument.
> Any matching child interrupt-controller node was also leaked.
> 
> Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
> Cc: stable <stable@vger.kernel.org>     # 3.18
> Acked-by: Murali Karicheri <m-karicheri2@ti.com>
> Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---

Applied to pci/keystone for v4.16.

Thanks,
Lorenzo

> v2
>  - amend commit message and mention explicitly that of_find_node_by_name()
>    drops a reference to the start node
>  - add Murali's and Lorenzo's acks
> 
> 
>  drivers/pci/dwc/pci-keystone.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/pci/dwc/pci-keystone.c b/drivers/pci/dwc/pci-keystone.c
> index 5bee3af47588..39405598b22d 100644
> --- a/drivers/pci/dwc/pci-keystone.c
> +++ b/drivers/pci/dwc/pci-keystone.c
> @@ -178,7 +178,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
>  	}
>  
>  	/* interrupt controller is in a child node */
> -	*np_temp = of_find_node_by_name(np_pcie, controller);
> +	*np_temp = of_get_child_by_name(np_pcie, controller);
>  	if (!(*np_temp)) {
>  		dev_err(dev, "Node for %s is absent\n", controller);
>  		return -EINVAL;
> @@ -187,6 +187,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
>  	temp = of_irq_count(*np_temp);
>  	if (!temp) {
>  		dev_err(dev, "No IRQ entries in %s\n", controller);
> +		of_node_put(*np_temp);
>  		return -EINVAL;
>  	}
>  
> @@ -204,6 +205,8 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
>  			break;
>  	}
>  
> +	of_node_put(*np_temp);
> +
>  	if (temp) {
>  		*num_irqs = temp;
>  		return 0;
> -- 
> 2.15.0
>