[PATCH 1/2] nfit: fix _FIT evaluation memory leak

[PATCH 1/2] nfit: fix _FIT evaluation memory leak

[Dan Williams]

acpi_evaluate_object() allocates memory. Free the buffer allocated
during acpi_nfit_add().

Cc: <stable@vger.kernel.org>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Reported-by: Xiao Guangrong <guangrong.xiao@intel.com>
Reported-by: Haozhong Zhang <haozhong.zhang@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 drivers/acpi/nfit.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
index 0497175ee6cb..008dbaaa2b75 100644
--- a/drivers/acpi/nfit.c
+++ b/drivers/acpi/nfit.c
@@ -2414,12 +2414,15 @@ static int acpi_nfit_add(struct acpi_device *adev)
 			acpi_desc->nfit =
 				(struct acpi_nfit_header *)obj->buffer.pointer;
 			sz = obj->buffer.length;
+			rc = acpi_nfit_init(acpi_desc, sz);
 		} else
 			dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
 				 __func__, (int) obj->type);
-	}
+		kfree(buf.pointer);
+		acpi_desc->nfit = NULL;
+	} else
+		rc = acpi_nfit_init(acpi_desc, sz);
 
-	rc = acpi_nfit_init(acpi_desc, sz);
 	if (rc) {
 		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
 		return rc;

_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm

[PATCH 1/2] nfit: fix _FIT evaluation memory leak

[Dan Williams]

acpi_evaluate_object() allocates memory. Free the buffer allocated
during acpi_nfit_add().

Cc: <stable@vger.kernel.org>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Reported-by: Xiao Guangrong <guangrong.xiao@intel.com>
Reported-by: Haozhong Zhang <haozhong.zhang@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 drivers/acpi/nfit.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
index 0497175ee6cb..008dbaaa2b75 100644
--- a/drivers/acpi/nfit.c
+++ b/drivers/acpi/nfit.c
@@ -2414,12 +2414,15 @@ static int acpi_nfit_add(struct acpi_device *adev)
 			acpi_desc->nfit =
 				(struct acpi_nfit_header *)obj->buffer.pointer;
 			sz = obj->buffer.length;
+			rc = acpi_nfit_init(acpi_desc, sz);
 		} else
 			dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
 				 __func__, (int) obj->type);
-	}
+		kfree(buf.pointer);
+		acpi_desc->nfit = NULL;
+	} else
+		rc = acpi_nfit_init(acpi_desc, sz);
 
-	rc = acpi_nfit_init(acpi_desc, sz);
 	if (rc) {
 		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
 		return rc;

[PATCH 2/2] nfit: cleanup acpi_nfit_init calling convention

[Dan Williams]

Pass the nfit buffer as a parameter rather than hanging it off of
acpi_desc.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 drivers/acpi/nfit.c              |   56 +++++++++++++-------------------------
 drivers/acpi/nfit.h              |    3 +-
 tools/testing/nvdimm/test/nfit.c |    7 +++--
 3 files changed, 24 insertions(+), 42 deletions(-)

diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
index 008dbaaa2b75..a04f2486e1ca 100644
--- a/drivers/acpi/nfit.c
+++ b/drivers/acpi/nfit.c
@@ -2224,12 +2224,11 @@ static int acpi_nfit_check_deletions(struct acpi_nfit_desc *acpi_desc,
 	return 0;
 }
 
-int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, acpi_size sz)
+int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, void *data, acpi_size sz)
 {
 	struct device *dev = acpi_desc->dev;
 	struct nfit_table_prev prev;
 	const void *end;
-	u8 *data;
 	int rc;
 
 	mutex_lock(&acpi_desc->init_mutex);
@@ -2254,7 +2253,6 @@ int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, acpi_size sz)
 	list_cut_position(&prev.flushes, &acpi_desc->flushes,
 				acpi_desc->flushes.prev);
 
-	data = (u8 *) acpi_desc->nfit;
 	end = data + sz;
 	while (!IS_ERR_OR_NULL(data))
 		data = add_table(acpi_desc, &prev, data, end);
@@ -2377,7 +2375,7 @@ static int acpi_nfit_add(struct acpi_device *adev)
 	struct acpi_table_header *tbl;
 	acpi_status status = AE_OK;
 	acpi_size sz;
-	int rc;
+	int rc = 0;
 
 	status = acpi_get_table_with_size(ACPI_SIG_NFIT, 0, &tbl, &sz);
 	if (ACPI_FAILURE(status)) {
@@ -2394,40 +2392,30 @@ static int acpi_nfit_add(struct acpi_device *adev)
 	if (!acpi_desc->nvdimm_bus)
 		return -ENOMEM;
 
-	/*
-	 * Save the acpi header for later and then skip it,
-	 * making nfit point to the first nfit table header.
-	 */
+	/* Save the acpi header for exporting the revision via sysfs */
 	acpi_desc->acpi_header = *tbl;
-	acpi_desc->nfit = (void *) tbl + sizeof(struct acpi_table_nfit);
-	sz -= sizeof(struct acpi_table_nfit);
 
 	/* Evaluate _FIT and override with that if present */
 	status = acpi_evaluate_object(adev->handle, "_FIT", NULL, &buf);
 	if (ACPI_SUCCESS(status) && buf.length > 0) {
-		union acpi_object *obj;
-		/*
-		 * Adjust for the acpi_object header of the _FIT
-		 */
-		obj = buf.pointer;
-		if (obj->type == ACPI_TYPE_BUFFER) {
-			acpi_desc->nfit =
-				(struct acpi_nfit_header *)obj->buffer.pointer;
-			sz = obj->buffer.length;
-			rc = acpi_nfit_init(acpi_desc, sz);
-		} else
+		union acpi_object *obj = buf.pointer;
+
+		if (obj->type == ACPI_TYPE_BUFFER)
+			rc = acpi_nfit_init(acpi_desc, obj->buffer.pointer,
+					obj->buffer.length);
+		else
 			dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
 				 __func__, (int) obj->type);
 		kfree(buf.pointer);
-		acpi_desc->nfit = NULL;
 	} else
-		rc = acpi_nfit_init(acpi_desc, sz);
+		/* skip over the lead-in header table */
+		rc = acpi_nfit_init(acpi_desc, (void *) tbl
+				+ sizeof(struct acpi_table_nfit),
+				sz - sizeof(struct acpi_table_nfit));
 
-	if (rc) {
+	if (rc)
 		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
-		return rc;
-	}
-	return 0;
+	return rc;
 }
 
 static int acpi_nfit_remove(struct acpi_device *adev)
@@ -2444,9 +2432,8 @@ static void acpi_nfit_notify(struct acpi_device *adev, u32 event)
 {
 	struct acpi_nfit_desc *acpi_desc = dev_get_drvdata(&adev->dev);
 	struct acpi_buffer buf = { ACPI_ALLOCATE_BUFFER, NULL };
-	struct acpi_nfit_header *nfit_saved;
-	union acpi_object *obj;
 	struct device *dev = &adev->dev;
+	union acpi_object *obj;
 	acpi_status status;
 	int ret;
 
@@ -2482,17 +2469,12 @@ static void acpi_nfit_notify(struct acpi_device *adev, u32 event)
 		goto out_unlock;
 	}
 
-	nfit_saved = acpi_desc->nfit;
 	obj = buf.pointer;
 	if (obj->type == ACPI_TYPE_BUFFER) {
-		acpi_desc->nfit =
-			(struct acpi_nfit_header *)obj->buffer.pointer;
-		ret = acpi_nfit_init(acpi_desc, obj->buffer.length);
-		if (ret) {
-			/* Merge failed, restore old nfit, and exit */
-			acpi_desc->nfit = nfit_saved;
+		ret = acpi_nfit_init(acpi_desc, obj->buffer.pointer,
+				obj->buffer.length);
+		if (ret)
 			dev_err(dev, "failed to merge updated NFIT\n");
-		}
 	} else {
 		/* Bad _FIT, restore old nfit */
 		dev_err(dev, "Invalid _FIT\n");
diff --git a/drivers/acpi/nfit.h b/drivers/acpi/nfit.h
index 80fb2c0ac8bf..5179eba97a47 100644
--- a/drivers/acpi/nfit.h
+++ b/drivers/acpi/nfit.h
@@ -135,7 +135,6 @@ struct nfit_mem {
 struct acpi_nfit_desc {
 	struct nvdimm_bus_descriptor nd_desc;
 	struct acpi_table_header acpi_header;
-	struct acpi_nfit_header *nfit;
 	struct mutex init_mutex;
 	struct list_head memdevs;
 	struct list_head flushes;
@@ -201,6 +200,6 @@ static inline struct acpi_nfit_desc *to_acpi_desc(
 }
 
 const u8 *to_nfit_uuid(enum nfit_uuids id);
-int acpi_nfit_init(struct acpi_nfit_desc *nfit, acpi_size sz);
+int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, void *nfit, acpi_size sz);
 void acpi_nfit_desc_init(struct acpi_nfit_desc *acpi_desc, struct device *dev);
 #endif /* __NFIT_H__ */
diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c
index ff09a28890ed..52df3c20231d 100644
--- a/tools/testing/nvdimm/test/nfit.c
+++ b/tools/testing/nvdimm/test/nfit.c
@@ -1458,7 +1458,6 @@ static int nfit_test_probe(struct platform_device *pdev)
 	nfit_test->setup(nfit_test);
 	acpi_desc = &nfit_test->acpi_desc;
 	acpi_nfit_desc_init(acpi_desc, &pdev->dev);
-	acpi_desc->nfit = nfit_test->nfit_buf;
 	acpi_desc->blk_do_io = nfit_test_blk_do_io;
 	nd_desc = &acpi_desc->nd_desc;
 	nd_desc->provider_name = NULL;
@@ -1467,7 +1466,8 @@ static int nfit_test_probe(struct platform_device *pdev)
 	if (!acpi_desc->nvdimm_bus)
 		return -ENXIO;
 
-	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_size);
+	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_buf,
+			nfit_test->nfit_size);
 	if (rc) {
 		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
 		return rc;
@@ -1479,7 +1479,8 @@ static int nfit_test_probe(struct platform_device *pdev)
 	nfit_test->setup_hotplug = 1;
 	nfit_test->setup(nfit_test);
 
-	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_size);
+	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_buf,
+			nfit_test->nfit_size);
 	if (rc) {
 		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
 		return rc;

_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm

[PATCH 2/2] nfit: cleanup acpi_nfit_init calling convention

[Dan Williams]

Pass the nfit buffer as a parameter rather than hanging it off of
acpi_desc.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 drivers/acpi/nfit.c              |   56 +++++++++++++-------------------------
 drivers/acpi/nfit.h              |    3 +-
 tools/testing/nvdimm/test/nfit.c |    7 +++--
 3 files changed, 24 insertions(+), 42 deletions(-)

diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
index 008dbaaa2b75..a04f2486e1ca 100644
--- a/drivers/acpi/nfit.c
+++ b/drivers/acpi/nfit.c
@@ -2224,12 +2224,11 @@ static int acpi_nfit_check_deletions(struct acpi_nfit_desc *acpi_desc,
 	return 0;
 }
 
-int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, acpi_size sz)
+int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, void *data, acpi_size sz)
 {
 	struct device *dev = acpi_desc->dev;
 	struct nfit_table_prev prev;
 	const void *end;
-	u8 *data;
 	int rc;
 
 	mutex_lock(&acpi_desc->init_mutex);
@@ -2254,7 +2253,6 @@ int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, acpi_size sz)
 	list_cut_position(&prev.flushes, &acpi_desc->flushes,
 				acpi_desc->flushes.prev);
 
-	data = (u8 *) acpi_desc->nfit;
 	end = data + sz;
 	while (!IS_ERR_OR_NULL(data))
 		data = add_table(acpi_desc, &prev, data, end);
@@ -2377,7 +2375,7 @@ static int acpi_nfit_add(struct acpi_device *adev)
 	struct acpi_table_header *tbl;
 	acpi_status status = AE_OK;
 	acpi_size sz;
-	int rc;
+	int rc = 0;
 
 	status = acpi_get_table_with_size(ACPI_SIG_NFIT, 0, &tbl, &sz);
 	if (ACPI_FAILURE(status)) {
@@ -2394,40 +2392,30 @@ static int acpi_nfit_add(struct acpi_device *adev)
 	if (!acpi_desc->nvdimm_bus)
 		return -ENOMEM;
 
-	/*
-	 * Save the acpi header for later and then skip it,
-	 * making nfit point to the first nfit table header.
-	 */
+	/* Save the acpi header for exporting the revision via sysfs */
 	acpi_desc->acpi_header = *tbl;
-	acpi_desc->nfit = (void *) tbl + sizeof(struct acpi_table_nfit);
-	sz -= sizeof(struct acpi_table_nfit);
 
 	/* Evaluate _FIT and override with that if present */
 	status = acpi_evaluate_object(adev->handle, "_FIT", NULL, &buf);
 	if (ACPI_SUCCESS(status) && buf.length > 0) {
-		union acpi_object *obj;
-		/*
-		 * Adjust for the acpi_object header of the _FIT
-		 */
-		obj = buf.pointer;
-		if (obj->type == ACPI_TYPE_BUFFER) {
-			acpi_desc->nfit =
-				(struct acpi_nfit_header *)obj->buffer.pointer;
-			sz = obj->buffer.length;
-			rc = acpi_nfit_init(acpi_desc, sz);
-		} else
+		union acpi_object *obj = buf.pointer;
+
+		if (obj->type == ACPI_TYPE_BUFFER)
+			rc = acpi_nfit_init(acpi_desc, obj->buffer.pointer,
+					obj->buffer.length);
+		else
 			dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
 				 __func__, (int) obj->type);
 		kfree(buf.pointer);
-		acpi_desc->nfit = NULL;
 	} else
-		rc = acpi_nfit_init(acpi_desc, sz);
+		/* skip over the lead-in header table */
+		rc = acpi_nfit_init(acpi_desc, (void *) tbl
+				+ sizeof(struct acpi_table_nfit),
+				sz - sizeof(struct acpi_table_nfit));
 
-	if (rc) {
+	if (rc)
 		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
-		return rc;
-	}
-	return 0;
+	return rc;
 }
 
 static int acpi_nfit_remove(struct acpi_device *adev)
@@ -2444,9 +2432,8 @@ static void acpi_nfit_notify(struct acpi_device *adev, u32 event)
 {
 	struct acpi_nfit_desc *acpi_desc = dev_get_drvdata(&adev->dev);
 	struct acpi_buffer buf = { ACPI_ALLOCATE_BUFFER, NULL };
-	struct acpi_nfit_header *nfit_saved;
-	union acpi_object *obj;
 	struct device *dev = &adev->dev;
+	union acpi_object *obj;
 	acpi_status status;
 	int ret;
 
@@ -2482,17 +2469,12 @@ static void acpi_nfit_notify(struct acpi_device *adev, u32 event)
 		goto out_unlock;
 	}
 
-	nfit_saved = acpi_desc->nfit;
 	obj = buf.pointer;
 	if (obj->type == ACPI_TYPE_BUFFER) {
-		acpi_desc->nfit =
-			(struct acpi_nfit_header *)obj->buffer.pointer;
-		ret = acpi_nfit_init(acpi_desc, obj->buffer.length);
-		if (ret) {
-			/* Merge failed, restore old nfit, and exit */
-			acpi_desc->nfit = nfit_saved;
+		ret = acpi_nfit_init(acpi_desc, obj->buffer.pointer,
+				obj->buffer.length);
+		if (ret)
 			dev_err(dev, "failed to merge updated NFIT\n");
-		}
 	} else {
 		/* Bad _FIT, restore old nfit */
 		dev_err(dev, "Invalid _FIT\n");
diff --git a/drivers/acpi/nfit.h b/drivers/acpi/nfit.h
index 80fb2c0ac8bf..5179eba97a47 100644
--- a/drivers/acpi/nfit.h
+++ b/drivers/acpi/nfit.h
@@ -135,7 +135,6 @@ struct nfit_mem {
 struct acpi_nfit_desc {
 	struct nvdimm_bus_descriptor nd_desc;
 	struct acpi_table_header acpi_header;
-	struct acpi_nfit_header *nfit;
 	struct mutex init_mutex;
 	struct list_head memdevs;
 	struct list_head flushes;
@@ -201,6 +200,6 @@ static inline struct acpi_nfit_desc *to_acpi_desc(
 }
 
 const u8 *to_nfit_uuid(enum nfit_uuids id);
-int acpi_nfit_init(struct acpi_nfit_desc *nfit, acpi_size sz);
+int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, void *nfit, acpi_size sz);
 void acpi_nfit_desc_init(struct acpi_nfit_desc *acpi_desc, struct device *dev);
 #endif /* __NFIT_H__ */
diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c
index ff09a28890ed..52df3c20231d 100644
--- a/tools/testing/nvdimm/test/nfit.c
+++ b/tools/testing/nvdimm/test/nfit.c
@@ -1458,7 +1458,6 @@ static int nfit_test_probe(struct platform_device *pdev)
 	nfit_test->setup(nfit_test);
 	acpi_desc = &nfit_test->acpi_desc;
 	acpi_nfit_desc_init(acpi_desc, &pdev->dev);
-	acpi_desc->nfit = nfit_test->nfit_buf;
 	acpi_desc->blk_do_io = nfit_test_blk_do_io;
 	nd_desc = &acpi_desc->nd_desc;
 	nd_desc->provider_name = NULL;
@@ -1467,7 +1466,8 @@ static int nfit_test_probe(struct platform_device *pdev)
 	if (!acpi_desc->nvdimm_bus)
 		return -ENXIO;
 
-	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_size);
+	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_buf,
+			nfit_test->nfit_size);
 	if (rc) {
 		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
 		return rc;
@@ -1479,7 +1479,8 @@ static int nfit_test_probe(struct platform_device *pdev)
 	nfit_test->setup_hotplug = 1;
 	nfit_test->setup(nfit_test);
 
-	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_size);
+	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_buf,
+			nfit_test->nfit_size);
 	if (rc) {
 		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
 		return rc;

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[joeyli]

Hi Dan,

On Thu, Jul 14, 2016 at 08:28:57PM -0700, Dan Williams wrote:
> acpi_evaluate_object() allocates memory. Free the buffer allocated
> during acpi_nfit_add().
> 
> Cc: <stable@vger.kernel.org>
> Cc: Vishal Verma <vishal.l.verma@intel.com>
> Reported-by: Xiao Guangrong <guangrong.xiao@intel.com>
> Reported-by: Haozhong Zhang <haozhong.zhang@intel.com>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> ---
>  drivers/acpi/nfit.c |    7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
> index 0497175ee6cb..008dbaaa2b75 100644
> --- a/drivers/acpi/nfit.c
> +++ b/drivers/acpi/nfit.c
> @@ -2414,12 +2414,15 @@ static int acpi_nfit_add(struct acpi_device *adev)
>  			acpi_desc->nfit =
>  				(struct acpi_nfit_header *)obj->buffer.pointer;
>  			sz = obj->buffer.length;
> +			rc = acpi_nfit_init(acpi_desc, sz);
>  		} else
>  			dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
>  				 __func__, (int) obj->type);
> -	}
> +		kfree(buf.pointer);
> +		acpi_desc->nfit = NULL;

Looks "acpi_desc->nfit = NULL" statement will be removed in [PATCH 2/2]
immediately. Why add it in PATCH 1?

> +	} else
> +		rc = acpi_nfit_init(acpi_desc, sz);
>  
> -	rc = acpi_nfit_init(acpi_desc, sz);
>  	if (rc) {
>  		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
>  		return rc;
>

Other parts are no problem to me.


Thanks a lot! 
Joey Lee
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[joeyli]

Hi Dan,

On Thu, Jul 14, 2016 at 08:28:57PM -0700, Dan Williams wrote:
> acpi_evaluate_object() allocates memory. Free the buffer allocated
> during acpi_nfit_add().
> 
> Cc: <stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
> Cc: Vishal Verma <vishal.l.verma-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
> Reported-by: Xiao Guangrong <guangrong.xiao-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
> Reported-by: Haozhong Zhang <haozhong.zhang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
> Signed-off-by: Dan Williams <dan.j.williams-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
> ---
>  drivers/acpi/nfit.c |    7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
> index 0497175ee6cb..008dbaaa2b75 100644
> --- a/drivers/acpi/nfit.c
> +++ b/drivers/acpi/nfit.c
> @@ -2414,12 +2414,15 @@ static int acpi_nfit_add(struct acpi_device *adev)
>  			acpi_desc->nfit =
>  				(struct acpi_nfit_header *)obj->buffer.pointer;
>  			sz = obj->buffer.length;
> +			rc = acpi_nfit_init(acpi_desc, sz);
>  		} else
>  			dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
>  				 __func__, (int) obj->type);
> -	}
> +		kfree(buf.pointer);
> +		acpi_desc->nfit = NULL;

Looks "acpi_desc->nfit = NULL" statement will be removed in [PATCH 2/2]
immediately. Why add it in PATCH 1?

> +	} else
> +		rc = acpi_nfit_init(acpi_desc, sz);
>  
> -	rc = acpi_nfit_init(acpi_desc, sz);
>  	if (rc) {
>  		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
>  		return rc;
>

Other parts are no problem to me.


Thanks a lot! 
Joey Lee

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[joeyli]

Hi Dan,

On Thu, Jul 14, 2016 at 08:28:57PM -0700, Dan Williams wrote:
> acpi_evaluate_object() allocates memory. Free the buffer allocated
> during acpi_nfit_add().
> 
> Cc: <stable@vger.kernel.org>
> Cc: Vishal Verma <vishal.l.verma@intel.com>
> Reported-by: Xiao Guangrong <guangrong.xiao@intel.com>
> Reported-by: Haozhong Zhang <haozhong.zhang@intel.com>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> ---
>  drivers/acpi/nfit.c |    7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
> index 0497175ee6cb..008dbaaa2b75 100644
> --- a/drivers/acpi/nfit.c
> +++ b/drivers/acpi/nfit.c
> @@ -2414,12 +2414,15 @@ static int acpi_nfit_add(struct acpi_device *adev)
>  			acpi_desc->nfit =
>  				(struct acpi_nfit_header *)obj->buffer.pointer;
>  			sz = obj->buffer.length;
> +			rc = acpi_nfit_init(acpi_desc, sz);
>  		} else
>  			dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
>  				 __func__, (int) obj->type);
> -	}
> +		kfree(buf.pointer);
> +		acpi_desc->nfit = NULL;

Looks "acpi_desc->nfit = NULL" statement will be removed in [PATCH 2/2]
immediately. Why add it in PATCH 1?

> +	} else
> +		rc = acpi_nfit_init(acpi_desc, sz);
>  
> -	rc = acpi_nfit_init(acpi_desc, sz);
>  	if (rc) {
>  		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
>  		return rc;
>

Other parts are no problem to me.


Thanks a lot! 
Joey Lee

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[Dan Williams]

On Thu, Jul 14, 2016 at 10:15 PM, joeyli <jlee@suse.com> wrote:
> Hi Dan,
>
> On Thu, Jul 14, 2016 at 08:28:57PM -0700, Dan Williams wrote:
>> acpi_evaluate_object() allocates memory. Free the buffer allocated
>> during acpi_nfit_add().
>>
>> Cc: <stable@vger.kernel.org>
>> Cc: Vishal Verma <vishal.l.verma@intel.com>
>> Reported-by: Xiao Guangrong <guangrong.xiao@intel.com>
>> Reported-by: Haozhong Zhang <haozhong.zhang@intel.com>
>> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
>> ---
>>  drivers/acpi/nfit.c |    7 +++++--
>>  1 file changed, 5 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
>> index 0497175ee6cb..008dbaaa2b75 100644
>> --- a/drivers/acpi/nfit.c
>> +++ b/drivers/acpi/nfit.c
>> @@ -2414,12 +2414,15 @@ static int acpi_nfit_add(struct acpi_device *adev)
>>                       acpi_desc->nfit =
>>                               (struct acpi_nfit_header *)obj->buffer.pointer;
>>                       sz = obj->buffer.length;
>> +                     rc = acpi_nfit_init(acpi_desc, sz);
>>               } else
>>                       dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
>>                                __func__, (int) obj->type);
>> -     }
>> +             kfree(buf.pointer);
>> +             acpi_desc->nfit = NULL;
>
> Looks "acpi_desc->nfit = NULL" statement will be removed in [PATCH 2/2]
> immediately. Why add it in PATCH 1?

I was debating it, but for code readability of -stable kernels (where
patch2 will not be included) I want to make it clear that nothing uses
the value of ->nfit outside of acpi_nfit_init().

>
>> +     } else
>> +             rc = acpi_nfit_init(acpi_desc, sz);
>>
>> -     rc = acpi_nfit_init(acpi_desc, sz);
>>       if (rc) {
>>               nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
>>               return rc;
>>
>
> Other parts are no problem to me.

Thanks.
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[Dan Williams]

On Thu, Jul 14, 2016 at 10:15 PM, joeyli <jlee@suse.com> wrote:
> Hi Dan,
>
> On Thu, Jul 14, 2016 at 08:28:57PM -0700, Dan Williams wrote:
>> acpi_evaluate_object() allocates memory. Free the buffer allocated
>> during acpi_nfit_add().
>>
>> Cc: <stable@vger.kernel.org>
>> Cc: Vishal Verma <vishal.l.verma@intel.com>
>> Reported-by: Xiao Guangrong <guangrong.xiao@intel.com>
>> Reported-by: Haozhong Zhang <haozhong.zhang@intel.com>
>> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
>> ---
>>  drivers/acpi/nfit.c |    7 +++++--
>>  1 file changed, 5 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
>> index 0497175ee6cb..008dbaaa2b75 100644
>> --- a/drivers/acpi/nfit.c
>> +++ b/drivers/acpi/nfit.c
>> @@ -2414,12 +2414,15 @@ static int acpi_nfit_add(struct acpi_device *adev)
>>                       acpi_desc->nfit =
>>                               (struct acpi_nfit_header *)obj->buffer.pointer;
>>                       sz = obj->buffer.length;
>> +                     rc = acpi_nfit_init(acpi_desc, sz);
>>               } else
>>                       dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
>>                                __func__, (int) obj->type);
>> -     }
>> +             kfree(buf.pointer);
>> +             acpi_desc->nfit = NULL;
>
> Looks "acpi_desc->nfit = NULL" statement will be removed in [PATCH 2/2]
> immediately. Why add it in PATCH 1?

I was debating it, but for code readability of -stable kernels (where
patch2 will not be included) I want to make it clear that nothing uses
the value of ->nfit outside of acpi_nfit_init().

>
>> +     } else
>> +             rc = acpi_nfit_init(acpi_desc, sz);
>>
>> -     rc = acpi_nfit_init(acpi_desc, sz);
>>       if (rc) {
>>               nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
>>               return rc;
>>
>
> Other parts are no problem to me.

Thanks.

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[Xiao Guangrong]

On 07/15/2016 11:28 AM, Dan Williams wrote:
> acpi_evaluate_object() allocates memory. Free the buffer allocated
> during acpi_nfit_add().
>

Dan, thanks for your fix.

Another one is the use-after-free issue in acpi_nfit_notify():

	/* Evaluate _FIT */
	status = acpi_evaluate_object(adev->handle, "_FIT", NULL, &buf);
         ...
  		acpi_desc->nfit =
			(struct acpi_nfit_header *)obj->buffer.pointer;
         ...
         kfree(buf.pointer);

_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[Xiao Guangrong]

On 07/15/2016 11:28 AM, Dan Williams wrote:
> acpi_evaluate_object() allocates memory. Free the buffer allocated
> during acpi_nfit_add().
>

Dan, thanks for your fix.

Another one is the use-after-free issue in acpi_nfit_notify():

	/* Evaluate _FIT */
	status = acpi_evaluate_object(adev->handle, "_FIT", NULL, &buf);
         ...
  		acpi_desc->nfit =
			(struct acpi_nfit_header *)obj->buffer.pointer;
         ...
         kfree(buf.pointer);

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[Haozhong Zhang]

On 07/14/16 20:28, Dan Williams wrote:
> acpi_evaluate_object() allocates memory. Free the buffer allocated
> during acpi_nfit_add().
> 
> Cc: <stable@vger.kernel.org>
> Cc: Vishal Verma <vishal.l.verma@intel.com>
> Reported-by: Xiao Guangrong <guangrong.xiao@intel.com>
> Reported-by: Haozhong Zhang <haozhong.zhang@intel.com>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> ---
>  drivers/acpi/nfit.c |    7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
> index 0497175ee6cb..008dbaaa2b75 100644
> --- a/drivers/acpi/nfit.c
> +++ b/drivers/acpi/nfit.c
> @@ -2414,12 +2414,15 @@ static int acpi_nfit_add(struct acpi_device *adev)
>  			acpi_desc->nfit =
>  				(struct acpi_nfit_header *)obj->buffer.pointer;
>  			sz = obj->buffer.length;
> +			rc = acpi_nfit_init(acpi_desc, sz);
>  		} else
>  			dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
>  				 __func__, (int) obj->type);

'rc' is not set in this path, so it maybe used uninitialized by 'if (rc)' below.
Should we set it to a non-zero value in this path?

> -	}
> +		kfree(buf.pointer);
> +		acpi_desc->nfit = NULL;

I notice the following code in acpi_nfit_notify():
	nfit_saved = acpi_desc->nfit;
	obj = buf.pointer;
	if (obj->type == ACPI_TYPE_BUFFER) {
		acpi_desc->nfit =
			(struct acpi_nfit_header *)obj->buffer.pointer;
		ret = acpi_nfit_init(acpi_desc, obj->buffer.length);
		if (ret) {
			/* Merge failed, restore old nfit, and exit */
			acpi_desc->nfit = nfit_saved;
			dev_err(dev, "failed to merge updated NFIT\n");
		}
		...

If we set acpi_desc->nfit to NULL in acpi_nfit_add() and
acpi_nfit_init() in acpi_nfit_notify() fails, it will be impossible to
restore the old nfit, because nfit_saved is NULL.

Thanks,
Haozhong

> +	} else
> +		rc = acpi_nfit_init(acpi_desc, sz);
>  
> -	rc = acpi_nfit_init(acpi_desc, sz);
>  	if (rc) {
>  		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
>  		return rc;
> 
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[Haozhong Zhang]

On 07/14/16 20:28, Dan Williams wrote:
> acpi_evaluate_object() allocates memory. Free the buffer allocated
> during acpi_nfit_add().
> 
> Cc: <stable@vger.kernel.org>
> Cc: Vishal Verma <vishal.l.verma@intel.com>
> Reported-by: Xiao Guangrong <guangrong.xiao@intel.com>
> Reported-by: Haozhong Zhang <haozhong.zhang@intel.com>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> ---
>  drivers/acpi/nfit.c |    7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
> index 0497175ee6cb..008dbaaa2b75 100644
> --- a/drivers/acpi/nfit.c
> +++ b/drivers/acpi/nfit.c
> @@ -2414,12 +2414,15 @@ static int acpi_nfit_add(struct acpi_device *adev)
>  			acpi_desc->nfit =
>  				(struct acpi_nfit_header *)obj->buffer.pointer;
>  			sz = obj->buffer.length;
> +			rc = acpi_nfit_init(acpi_desc, sz);
>  		} else
>  			dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
>  				 __func__, (int) obj->type);

'rc' is not set in this path, so it maybe used uninitialized by 'if (rc)' below.
Should we set it to a non-zero value in this path?

> -	}
> +		kfree(buf.pointer);
> +		acpi_desc->nfit = NULL;

I notice the following code in acpi_nfit_notify():
	nfit_saved = acpi_desc->nfit;
	obj = buf.pointer;
	if (obj->type == ACPI_TYPE_BUFFER) {
		acpi_desc->nfit =
			(struct acpi_nfit_header *)obj->buffer.pointer;
		ret = acpi_nfit_init(acpi_desc, obj->buffer.length);
		if (ret) {
			/* Merge failed, restore old nfit, and exit */
			acpi_desc->nfit = nfit_saved;
			dev_err(dev, "failed to merge updated NFIT\n");
		}
		...

If we set acpi_desc->nfit to NULL in acpi_nfit_add() and
acpi_nfit_init() in acpi_nfit_notify() fails, it will be impossible to
restore the old nfit, because nfit_saved is NULL.

Thanks,
Haozhong

> +	} else
> +		rc = acpi_nfit_init(acpi_desc, sz);
>  
> -	rc = acpi_nfit_init(acpi_desc, sz);
>  	if (rc) {
>  		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
>  		return rc;
> 

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[Haozhong Zhang]

On 07/15/16 15:55, Haozhong Zhang wrote:
> On 07/14/16 20:28, Dan Williams wrote:
> > acpi_evaluate_object() allocates memory. Free the buffer allocated
> > during acpi_nfit_add().
> > 
> > Cc: <stable@vger.kernel.org>
> > Cc: Vishal Verma <vishal.l.verma@intel.com>
> > Reported-by: Xiao Guangrong <guangrong.xiao@intel.com>
> > Reported-by: Haozhong Zhang <haozhong.zhang@intel.com>
> > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > ---
> >  drivers/acpi/nfit.c |    7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
> > index 0497175ee6cb..008dbaaa2b75 100644
> > --- a/drivers/acpi/nfit.c
> > +++ b/drivers/acpi/nfit.c
> > @@ -2414,12 +2414,15 @@ static int acpi_nfit_add(struct acpi_device *adev)
> >  			acpi_desc->nfit =
> >  				(struct acpi_nfit_header *)obj->buffer.pointer;
> >  			sz = obj->buffer.length;
> > +			rc = acpi_nfit_init(acpi_desc, sz);
> >  		} else
> >  			dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
> >  				 __func__, (int) obj->type);
> 
> 'rc' is not set in this path, so it maybe used uninitialized by 'if (rc)' below.
> Should we set it to a non-zero value in this path?

'rc' should be set to 0 here, as what patch 2 does. Sorry for my mistake.

Haozhong
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[Haozhong Zhang]

On 07/15/16 15:55, Haozhong Zhang wrote:
> On 07/14/16 20:28, Dan Williams wrote:
> > acpi_evaluate_object() allocates memory. Free the buffer allocated
> > during acpi_nfit_add().
> > 
> > Cc: <stable@vger.kernel.org>
> > Cc: Vishal Verma <vishal.l.verma@intel.com>
> > Reported-by: Xiao Guangrong <guangrong.xiao@intel.com>
> > Reported-by: Haozhong Zhang <haozhong.zhang@intel.com>
> > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > ---
> >  drivers/acpi/nfit.c |    7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
> > index 0497175ee6cb..008dbaaa2b75 100644
> > --- a/drivers/acpi/nfit.c
> > +++ b/drivers/acpi/nfit.c
> > @@ -2414,12 +2414,15 @@ static int acpi_nfit_add(struct acpi_device *adev)
> >  			acpi_desc->nfit =
> >  				(struct acpi_nfit_header *)obj->buffer.pointer;
> >  			sz = obj->buffer.length;
> > +			rc = acpi_nfit_init(acpi_desc, sz);
> >  		} else
> >  			dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
> >  				 __func__, (int) obj->type);
> 
> 'rc' is not set in this path, so it maybe used uninitialized by 'if (rc)' below.
> Should we set it to a non-zero value in this path?

'rc' should be set to 0 here, as what patch 2 does. Sorry for my mistake.

Haozhong

Re: [PATCH 2/2] nfit: cleanup acpi_nfit_init calling convention

[joeyli]

On Thu, Jul 14, 2016 at 08:29:02PM -0700, Dan Williams wrote:
> Pass the nfit buffer as a parameter rather than hanging it off of
> acpi_desc.
> 
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>

Reviewed-by: Lee, Chun-Yi <jlee@suse.com>


Thanks a lot!
Joey Lee

> ---
>  drivers/acpi/nfit.c              |   56 +++++++++++++-------------------------
>  drivers/acpi/nfit.h              |    3 +-
>  tools/testing/nvdimm/test/nfit.c |    7 +++--
>  3 files changed, 24 insertions(+), 42 deletions(-)
> 
> diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
> index 008dbaaa2b75..a04f2486e1ca 100644
> --- a/drivers/acpi/nfit.c
> +++ b/drivers/acpi/nfit.c
> @@ -2224,12 +2224,11 @@ static int acpi_nfit_check_deletions(struct acpi_nfit_desc *acpi_desc,
>  	return 0;
>  }
>  
> -int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, acpi_size sz)
> +int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, void *data, acpi_size sz)
>  {
>  	struct device *dev = acpi_desc->dev;
>  	struct nfit_table_prev prev;
>  	const void *end;
> -	u8 *data;
>  	int rc;
>  
>  	mutex_lock(&acpi_desc->init_mutex);
> @@ -2254,7 +2253,6 @@ int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, acpi_size sz)
>  	list_cut_position(&prev.flushes, &acpi_desc->flushes,
>  				acpi_desc->flushes.prev);
>  
> -	data = (u8 *) acpi_desc->nfit;
>  	end = data + sz;
>  	while (!IS_ERR_OR_NULL(data))
>  		data = add_table(acpi_desc, &prev, data, end);
> @@ -2377,7 +2375,7 @@ static int acpi_nfit_add(struct acpi_device *adev)
>  	struct acpi_table_header *tbl;
>  	acpi_status status = AE_OK;
>  	acpi_size sz;
> -	int rc;
> +	int rc = 0;
>  
>  	status = acpi_get_table_with_size(ACPI_SIG_NFIT, 0, &tbl, &sz);
>  	if (ACPI_FAILURE(status)) {
> @@ -2394,40 +2392,30 @@ static int acpi_nfit_add(struct acpi_device *adev)
>  	if (!acpi_desc->nvdimm_bus)
>  		return -ENOMEM;
>  
> -	/*
> -	 * Save the acpi header for later and then skip it,
> -	 * making nfit point to the first nfit table header.
> -	 */
> +	/* Save the acpi header for exporting the revision via sysfs */
>  	acpi_desc->acpi_header = *tbl;
> -	acpi_desc->nfit = (void *) tbl + sizeof(struct acpi_table_nfit);
> -	sz -= sizeof(struct acpi_table_nfit);
>  
>  	/* Evaluate _FIT and override with that if present */
>  	status = acpi_evaluate_object(adev->handle, "_FIT", NULL, &buf);
>  	if (ACPI_SUCCESS(status) && buf.length > 0) {
> -		union acpi_object *obj;
> -		/*
> -		 * Adjust for the acpi_object header of the _FIT
> -		 */
> -		obj = buf.pointer;
> -		if (obj->type == ACPI_TYPE_BUFFER) {
> -			acpi_desc->nfit =
> -				(struct acpi_nfit_header *)obj->buffer.pointer;
> -			sz = obj->buffer.length;
> -			rc = acpi_nfit_init(acpi_desc, sz);
> -		} else
> +		union acpi_object *obj = buf.pointer;
> +
> +		if (obj->type == ACPI_TYPE_BUFFER)
> +			rc = acpi_nfit_init(acpi_desc, obj->buffer.pointer,
> +					obj->buffer.length);
> +		else
>  			dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
>  				 __func__, (int) obj->type);
>  		kfree(buf.pointer);
> -		acpi_desc->nfit = NULL;
>  	} else
> -		rc = acpi_nfit_init(acpi_desc, sz);
> +		/* skip over the lead-in header table */
> +		rc = acpi_nfit_init(acpi_desc, (void *) tbl
> +				+ sizeof(struct acpi_table_nfit),
> +				sz - sizeof(struct acpi_table_nfit));
>  
> -	if (rc) {
> +	if (rc)
>  		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
> -		return rc;
> -	}
> -	return 0;
> +	return rc;
>  }
>  
>  static int acpi_nfit_remove(struct acpi_device *adev)
> @@ -2444,9 +2432,8 @@ static void acpi_nfit_notify(struct acpi_device *adev, u32 event)
>  {
>  	struct acpi_nfit_desc *acpi_desc = dev_get_drvdata(&adev->dev);
>  	struct acpi_buffer buf = { ACPI_ALLOCATE_BUFFER, NULL };
> -	struct acpi_nfit_header *nfit_saved;
> -	union acpi_object *obj;
>  	struct device *dev = &adev->dev;
> +	union acpi_object *obj;
>  	acpi_status status;
>  	int ret;
>  
> @@ -2482,17 +2469,12 @@ static void acpi_nfit_notify(struct acpi_device *adev, u32 event)
>  		goto out_unlock;
>  	}
>  
> -	nfit_saved = acpi_desc->nfit;
>  	obj = buf.pointer;
>  	if (obj->type == ACPI_TYPE_BUFFER) {
> -		acpi_desc->nfit =
> -			(struct acpi_nfit_header *)obj->buffer.pointer;
> -		ret = acpi_nfit_init(acpi_desc, obj->buffer.length);
> -		if (ret) {
> -			/* Merge failed, restore old nfit, and exit */
> -			acpi_desc->nfit = nfit_saved;
> +		ret = acpi_nfit_init(acpi_desc, obj->buffer.pointer,
> +				obj->buffer.length);
> +		if (ret)
>  			dev_err(dev, "failed to merge updated NFIT\n");
> -		}
>  	} else {
>  		/* Bad _FIT, restore old nfit */
>  		dev_err(dev, "Invalid _FIT\n");
> diff --git a/drivers/acpi/nfit.h b/drivers/acpi/nfit.h
> index 80fb2c0ac8bf..5179eba97a47 100644
> --- a/drivers/acpi/nfit.h
> +++ b/drivers/acpi/nfit.h
> @@ -135,7 +135,6 @@ struct nfit_mem {
>  struct acpi_nfit_desc {
>  	struct nvdimm_bus_descriptor nd_desc;
>  	struct acpi_table_header acpi_header;
> -	struct acpi_nfit_header *nfit;
>  	struct mutex init_mutex;
>  	struct list_head memdevs;
>  	struct list_head flushes;
> @@ -201,6 +200,6 @@ static inline struct acpi_nfit_desc *to_acpi_desc(
>  }
>  
>  const u8 *to_nfit_uuid(enum nfit_uuids id);
> -int acpi_nfit_init(struct acpi_nfit_desc *nfit, acpi_size sz);
> +int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, void *nfit, acpi_size sz);
>  void acpi_nfit_desc_init(struct acpi_nfit_desc *acpi_desc, struct device *dev);
>  #endif /* __NFIT_H__ */
> diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c
> index ff09a28890ed..52df3c20231d 100644
> --- a/tools/testing/nvdimm/test/nfit.c
> +++ b/tools/testing/nvdimm/test/nfit.c
> @@ -1458,7 +1458,6 @@ static int nfit_test_probe(struct platform_device *pdev)
>  	nfit_test->setup(nfit_test);
>  	acpi_desc = &nfit_test->acpi_desc;
>  	acpi_nfit_desc_init(acpi_desc, &pdev->dev);
> -	acpi_desc->nfit = nfit_test->nfit_buf;
>  	acpi_desc->blk_do_io = nfit_test_blk_do_io;
>  	nd_desc = &acpi_desc->nd_desc;
>  	nd_desc->provider_name = NULL;
> @@ -1467,7 +1466,8 @@ static int nfit_test_probe(struct platform_device *pdev)
>  	if (!acpi_desc->nvdimm_bus)
>  		return -ENXIO;
>  
> -	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_size);
> +	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_buf,
> +			nfit_test->nfit_size);
>  	if (rc) {
>  		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
>  		return rc;
> @@ -1479,7 +1479,8 @@ static int nfit_test_probe(struct platform_device *pdev)
>  	nfit_test->setup_hotplug = 1;
>  	nfit_test->setup(nfit_test);
>  
> -	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_size);
> +	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_buf,
> +			nfit_test->nfit_size);
>  	if (rc) {
>  		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
>  		return rc;
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-acpi" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm

Re: [PATCH 2/2] nfit: cleanup acpi_nfit_init calling convention

[joeyli]

On Thu, Jul 14, 2016 at 08:29:02PM -0700, Dan Williams wrote:
> Pass the nfit buffer as a parameter rather than hanging it off of
> acpi_desc.
> 
> Signed-off-by: Dan Williams <dan.j.williams-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>

Reviewed-by: Lee, Chun-Yi <jlee-IBi9RG/b67k@public.gmane.org>


Thanks a lot!
Joey Lee

> ---
>  drivers/acpi/nfit.c              |   56 +++++++++++++-------------------------
>  drivers/acpi/nfit.h              |    3 +-
>  tools/testing/nvdimm/test/nfit.c |    7 +++--
>  3 files changed, 24 insertions(+), 42 deletions(-)
> 
> diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
> index 008dbaaa2b75..a04f2486e1ca 100644
> --- a/drivers/acpi/nfit.c
> +++ b/drivers/acpi/nfit.c
> @@ -2224,12 +2224,11 @@ static int acpi_nfit_check_deletions(struct acpi_nfit_desc *acpi_desc,
>  	return 0;
>  }
>  
> -int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, acpi_size sz)
> +int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, void *data, acpi_size sz)
>  {
>  	struct device *dev = acpi_desc->dev;
>  	struct nfit_table_prev prev;
>  	const void *end;
> -	u8 *data;
>  	int rc;
>  
>  	mutex_lock(&acpi_desc->init_mutex);
> @@ -2254,7 +2253,6 @@ int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, acpi_size sz)
>  	list_cut_position(&prev.flushes, &acpi_desc->flushes,
>  				acpi_desc->flushes.prev);
>  
> -	data = (u8 *) acpi_desc->nfit;
>  	end = data + sz;
>  	while (!IS_ERR_OR_NULL(data))
>  		data = add_table(acpi_desc, &prev, data, end);
> @@ -2377,7 +2375,7 @@ static int acpi_nfit_add(struct acpi_device *adev)
>  	struct acpi_table_header *tbl;
>  	acpi_status status = AE_OK;
>  	acpi_size sz;
> -	int rc;
> +	int rc = 0;
>  
>  	status = acpi_get_table_with_size(ACPI_SIG_NFIT, 0, &tbl, &sz);
>  	if (ACPI_FAILURE(status)) {
> @@ -2394,40 +2392,30 @@ static int acpi_nfit_add(struct acpi_device *adev)
>  	if (!acpi_desc->nvdimm_bus)
>  		return -ENOMEM;
>  
> -	/*
> -	 * Save the acpi header for later and then skip it,
> -	 * making nfit point to the first nfit table header.
> -	 */
> +	/* Save the acpi header for exporting the revision via sysfs */
>  	acpi_desc->acpi_header = *tbl;
> -	acpi_desc->nfit = (void *) tbl + sizeof(struct acpi_table_nfit);
> -	sz -= sizeof(struct acpi_table_nfit);
>  
>  	/* Evaluate _FIT and override with that if present */
>  	status = acpi_evaluate_object(adev->handle, "_FIT", NULL, &buf);
>  	if (ACPI_SUCCESS(status) && buf.length > 0) {
> -		union acpi_object *obj;
> -		/*
> -		 * Adjust for the acpi_object header of the _FIT
> -		 */
> -		obj = buf.pointer;
> -		if (obj->type == ACPI_TYPE_BUFFER) {
> -			acpi_desc->nfit =
> -				(struct acpi_nfit_header *)obj->buffer.pointer;
> -			sz = obj->buffer.length;
> -			rc = acpi_nfit_init(acpi_desc, sz);
> -		} else
> +		union acpi_object *obj = buf.pointer;
> +
> +		if (obj->type == ACPI_TYPE_BUFFER)
> +			rc = acpi_nfit_init(acpi_desc, obj->buffer.pointer,
> +					obj->buffer.length);
> +		else
>  			dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
>  				 __func__, (int) obj->type);
>  		kfree(buf.pointer);
> -		acpi_desc->nfit = NULL;
>  	} else
> -		rc = acpi_nfit_init(acpi_desc, sz);
> +		/* skip over the lead-in header table */
> +		rc = acpi_nfit_init(acpi_desc, (void *) tbl
> +				+ sizeof(struct acpi_table_nfit),
> +				sz - sizeof(struct acpi_table_nfit));
>  
> -	if (rc) {
> +	if (rc)
>  		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
> -		return rc;
> -	}
> -	return 0;
> +	return rc;
>  }
>  
>  static int acpi_nfit_remove(struct acpi_device *adev)
> @@ -2444,9 +2432,8 @@ static void acpi_nfit_notify(struct acpi_device *adev, u32 event)
>  {
>  	struct acpi_nfit_desc *acpi_desc = dev_get_drvdata(&adev->dev);
>  	struct acpi_buffer buf = { ACPI_ALLOCATE_BUFFER, NULL };
> -	struct acpi_nfit_header *nfit_saved;
> -	union acpi_object *obj;
>  	struct device *dev = &adev->dev;
> +	union acpi_object *obj;
>  	acpi_status status;
>  	int ret;
>  
> @@ -2482,17 +2469,12 @@ static void acpi_nfit_notify(struct acpi_device *adev, u32 event)
>  		goto out_unlock;
>  	}
>  
> -	nfit_saved = acpi_desc->nfit;
>  	obj = buf.pointer;
>  	if (obj->type == ACPI_TYPE_BUFFER) {
> -		acpi_desc->nfit =
> -			(struct acpi_nfit_header *)obj->buffer.pointer;
> -		ret = acpi_nfit_init(acpi_desc, obj->buffer.length);
> -		if (ret) {
> -			/* Merge failed, restore old nfit, and exit */
> -			acpi_desc->nfit = nfit_saved;
> +		ret = acpi_nfit_init(acpi_desc, obj->buffer.pointer,
> +				obj->buffer.length);
> +		if (ret)
>  			dev_err(dev, "failed to merge updated NFIT\n");
> -		}
>  	} else {
>  		/* Bad _FIT, restore old nfit */
>  		dev_err(dev, "Invalid _FIT\n");
> diff --git a/drivers/acpi/nfit.h b/drivers/acpi/nfit.h
> index 80fb2c0ac8bf..5179eba97a47 100644
> --- a/drivers/acpi/nfit.h
> +++ b/drivers/acpi/nfit.h
> @@ -135,7 +135,6 @@ struct nfit_mem {
>  struct acpi_nfit_desc {
>  	struct nvdimm_bus_descriptor nd_desc;
>  	struct acpi_table_header acpi_header;
> -	struct acpi_nfit_header *nfit;
>  	struct mutex init_mutex;
>  	struct list_head memdevs;
>  	struct list_head flushes;
> @@ -201,6 +200,6 @@ static inline struct acpi_nfit_desc *to_acpi_desc(
>  }
>  
>  const u8 *to_nfit_uuid(enum nfit_uuids id);
> -int acpi_nfit_init(struct acpi_nfit_desc *nfit, acpi_size sz);
> +int acpi_nfit_init(struct acpi_nfit_desc *acpi_desc, void *nfit, acpi_size sz);
>  void acpi_nfit_desc_init(struct acpi_nfit_desc *acpi_desc, struct device *dev);
>  #endif /* __NFIT_H__ */
> diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c
> index ff09a28890ed..52df3c20231d 100644
> --- a/tools/testing/nvdimm/test/nfit.c
> +++ b/tools/testing/nvdimm/test/nfit.c
> @@ -1458,7 +1458,6 @@ static int nfit_test_probe(struct platform_device *pdev)
>  	nfit_test->setup(nfit_test);
>  	acpi_desc = &nfit_test->acpi_desc;
>  	acpi_nfit_desc_init(acpi_desc, &pdev->dev);
> -	acpi_desc->nfit = nfit_test->nfit_buf;
>  	acpi_desc->blk_do_io = nfit_test_blk_do_io;
>  	nd_desc = &acpi_desc->nd_desc;
>  	nd_desc->provider_name = NULL;
> @@ -1467,7 +1466,8 @@ static int nfit_test_probe(struct platform_device *pdev)
>  	if (!acpi_desc->nvdimm_bus)
>  		return -ENXIO;
>  
> -	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_size);
> +	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_buf,
> +			nfit_test->nfit_size);
>  	if (rc) {
>  		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
>  		return rc;
> @@ -1479,7 +1479,8 @@ static int nfit_test_probe(struct platform_device *pdev)
>  	nfit_test->setup_hotplug = 1;
>  	nfit_test->setup(nfit_test);
>  
> -	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_size);
> +	rc = acpi_nfit_init(acpi_desc, nfit_test->nfit_buf,
> +			nfit_test->nfit_size);
>  	if (rc) {
>  		nvdimm_bus_unregister(acpi_desc->nvdimm_bus);
>  		return rc;
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-acpi" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[Dan Williams]

On Thu, Jul 14, 2016 at 10:47 PM, Xiao Guangrong
<guangrong.xiao@intel.com> wrote:
>
>
> On 07/15/2016 11:28 AM, Dan Williams wrote:
>>
>> acpi_evaluate_object() allocates memory. Free the buffer allocated
>> during acpi_nfit_add().
>>
>
> Dan, thanks for your fix.
>
> Another one is the use-after-free issue in acpi_nfit_notify():
>
>         /* Evaluate _FIT */
>         status = acpi_evaluate_object(adev->handle, "_FIT", NULL, &buf);
>         ...
>                 acpi_desc->nfit =
>                         (struct acpi_nfit_header *)obj->buffer.pointer;
>         ...
>         kfree(buf.pointer);

grep for acpi_desc->nfit usages, there are no usages after
acpi_nfit_init(). We go through the hassle of setting up nfit_saved
for no reason.
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[Dan Williams]

On Thu, Jul 14, 2016 at 10:47 PM, Xiao Guangrong
<guangrong.xiao@intel.com> wrote:
>
>
> On 07/15/2016 11:28 AM, Dan Williams wrote:
>>
>> acpi_evaluate_object() allocates memory. Free the buffer allocated
>> during acpi_nfit_add().
>>
>
> Dan, thanks for your fix.
>
> Another one is the use-after-free issue in acpi_nfit_notify():
>
>         /* Evaluate _FIT */
>         status = acpi_evaluate_object(adev->handle, "_FIT", NULL, &buf);
>         ...
>                 acpi_desc->nfit =
>                         (struct acpi_nfit_header *)obj->buffer.pointer;
>         ...
>         kfree(buf.pointer);

grep for acpi_desc->nfit usages, there are no usages after
acpi_nfit_init(). We go through the hassle of setting up nfit_saved
for no reason.

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[Dan Williams]

On Fri, Jul 15, 2016 at 1:12 AM, Haozhong Zhang
<haozhong.zhang@intel.com> wrote:
> On 07/15/16 15:55, Haozhong Zhang wrote:
>> On 07/14/16 20:28, Dan Williams wrote:
>> > acpi_evaluate_object() allocates memory. Free the buffer allocated
>> > during acpi_nfit_add().
>> >
>> > Cc: <stable@vger.kernel.org>
>> > Cc: Vishal Verma <vishal.l.verma@intel.com>
>> > Reported-by: Xiao Guangrong <guangrong.xiao@intel.com>
>> > Reported-by: Haozhong Zhang <haozhong.zhang@intel.com>
>> > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
>> > ---
>> >  drivers/acpi/nfit.c |    7 +++++--
>> >  1 file changed, 5 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
>> > index 0497175ee6cb..008dbaaa2b75 100644
>> > --- a/drivers/acpi/nfit.c
>> > +++ b/drivers/acpi/nfit.c
>> > @@ -2414,12 +2414,15 @@ static int acpi_nfit_add(struct acpi_device *adev)
>> >                     acpi_desc->nfit =
>> >                             (struct acpi_nfit_header *)obj->buffer.pointer;
>> >                     sz = obj->buffer.length;
>> > +                   rc = acpi_nfit_init(acpi_desc, sz);
>> >             } else
>> >                     dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
>> >                              __func__, (int) obj->type);
>>
>> 'rc' is not set in this path, so it maybe used uninitialized by 'if (rc)' below.
>> Should we set it to a non-zero value in this path?
>
> 'rc' should be set to 0 here, as what patch 2 does. Sorry for my mistake.

No, this is good feedback because patch1 is targeted for -stable. Will
fix, thanks!
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm

Re: [PATCH 1/2] nfit: fix _FIT evaluation memory leak

[Dan Williams]

On Fri, Jul 15, 2016 at 1:12 AM, Haozhong Zhang
<haozhong.zhang@intel.com> wrote:
> On 07/15/16 15:55, Haozhong Zhang wrote:
>> On 07/14/16 20:28, Dan Williams wrote:
>> > acpi_evaluate_object() allocates memory. Free the buffer allocated
>> > during acpi_nfit_add().
>> >
>> > Cc: <stable@vger.kernel.org>
>> > Cc: Vishal Verma <vishal.l.verma@intel.com>
>> > Reported-by: Xiao Guangrong <guangrong.xiao@intel.com>
>> > Reported-by: Haozhong Zhang <haozhong.zhang@intel.com>
>> > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
>> > ---
>> >  drivers/acpi/nfit.c |    7 +++++--
>> >  1 file changed, 5 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
>> > index 0497175ee6cb..008dbaaa2b75 100644
>> > --- a/drivers/acpi/nfit.c
>> > +++ b/drivers/acpi/nfit.c
>> > @@ -2414,12 +2414,15 @@ static int acpi_nfit_add(struct acpi_device *adev)
>> >                     acpi_desc->nfit =
>> >                             (struct acpi_nfit_header *)obj->buffer.pointer;
>> >                     sz = obj->buffer.length;
>> > +                   rc = acpi_nfit_init(acpi_desc, sz);
>> >             } else
>> >                     dev_dbg(dev, "%s invalid type %d, ignoring _FIT\n",
>> >                              __func__, (int) obj->type);
>>
>> 'rc' is not set in this path, so it maybe used uninitialized by 'if (rc)' below.
>> Should we set it to a non-zero value in this path?
>
> 'rc' should be set to 0 here, as what patch 2 does. Sorry for my mistake.

No, this is good feedback because patch1 is targeted for -stable. Will
fix, thanks!