From: Rob Herring <robh+dt@kernel.org>
To: Johan Hovold <johan@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Frank Rowand <frowand.list@gmail.com>,
	devicetree@vger.kernel.org,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	CK Hu <ck.hu@mediatek.com>,
	Philipp Zabel <p.zabel@pengutronix.de>,
	Rob Clark <robdclark@gmail.com>, David Airlie <airlied@linux.ie>,
	Ulf Hansson <ulf.hansson@linaro.org>,
	Josh Wu <rainyfeeling@outlook.com>,
	Boris Brezillon <boris.brezillon@bootlin.com>,
	Doug Berger <opendmb@gmail.com>,
	Florian Fainelli <f.fainelli@gmail.com>,
	David Miller <davem@davemloft.net>,
	Giuseppe CAVALLARO <peppe.cavallaro@st.com>,
	Alexandre Torgue <alexandre.torgue@st.com>,
	joabreu@synopsys.com, Samuel Ortiz <sameo@linux.intel.com>,
	Sebastian Reichel <sre@kernel.org>,
	Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Subject: Re: [PATCH v2 0/9] of: fix compatible-child-node lookups
Date: Tue, 23 Oct 2018 13:32:56 -0500
Message-ID: <CAL_Jsq+eX0Zr46UT6_+OKhfxLhc315Un5MZkHHAWhK0tt4OvzA@mail.gmail.com>
In-Reply-To: <20181023091951.GC20058@localhost>

On Tue, Oct 23, 2018 at 4:21 AM Johan Hovold <johan@kernel.org> wrote:
>
> Hi Rob,
>
> On Tue, Sep 04, 2018 at 03:05:57PM +0200, Johan Hovold wrote:
> > Hi all,
> >
> > On Mon, Aug 27, 2018 at 10:21:44AM +0200, Johan Hovold wrote:
> > > Several drivers currently use of_find_compatible_node() to look up child
> > > nodes while failing to notice that the of_find_ functions search the
> > > entire tree depth-first (from a given start node) and therefore can
> > > match unrelated nodes.
> > >
> > > The fact that these functions also drop a reference to the node they
> > > start searching from (e.g. the parent node) is typically also
> > > overlooked, something which can lead to use-after-free bugs (e.g. after
> > > probe deferrals).
> > >
> > > This series adds a new helper, similar to of_get_child_by_name(),
> > > that can be used to look up compatible child nodes, and uses the new
> > > helper to fix child-node lookups throughout the tree.
> > >
> > > This is related to the fixes I posted about a year ago, which addressed
> > > a similar anti-pattern when looking up child nodes by name. Since it
> > > took me more than a year to get all those fixes into Linus' tree (one
> > > fix is still pending), and as these fixes depend on the new helper, I'm
> > > suggesting that these all go in through Rob's or Greg's trees.
> > >
> > > Alternatively, the helper could go into -rc2, and I'll be pinging
> > > submaintainers for the coming year as well. ;)
> >
> > Rob has gotten the helper into -rc2 now:
> >
> >         36156f9241cb of: add helper to lookup compatible child node
> >
> > so feel free to pick these fixes up directly for 4.19-rc or -next,
> > whichever you prefer. I've been able to trigger crashes after probe
> > deferrals due to the use-after-free, but this seems unlikely to be
> > exploitable.
> >
> > I think Rob will be picking up any patches that remain by the end of the
> > release cycle for 4.20.
>
> So far only Ulf has picked up the mmc patch below directly, so if you
> could take the rest through your tree for -rc1 that would be great.

Thanks for the reminder, though before the merge window opened would
have been better. I've applied all but the mtd patch.

Rob
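
The lookup behaviour described in the quoted cover letter, as an added example that is not part of this thread or the kernel sources: a userspace C model in which find_compatible() and get_compatible_child() stand in for of_find_compatible_node() and of_get_compatible_child(). The node layout, compatible strings and refcount values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model of a refcounted device-tree node (constructed, not kernel code). */
struct node { const char *compat; int refs; struct node *parent, *child, *sibling; };
static struct node root, ctrl_a, ctrl_b, phy_b;
static struct node *node_get(struct node *n) { if (n) n->refs++; return n; }
static void node_put(struct node *n) { if (n) n->refs--; }

/* Next node in depth-first order over the whole tree, not just one subtree. */
static struct node *next_dfs(struct node *n)
{
    if (n->child) return n->child;
    for (; n; n = n->parent)
        if (n->sibling) return n->sibling;
    return NULL;
}

/* Models of_find_compatible_node(): scans every node after 'from', then puts 'from'. */
static struct node *find_compatible(struct node *from, const char *compat)
{
    struct node *n;
    for (n = next_dfs(from); n; n = next_dfs(n))
        if (!strcmp(n->compat, compat)) break;
    node_get(n);
    node_put(from);   /* the caller's reference to the start node is consumed */
    return n;
}

/* Models of_get_compatible_child(): direct children only, parent refcount untouched. */
static struct node *get_compatible_child(struct node *parent, const char *compat)
{
    for (struct node *n = parent->child; n; n = n->sibling)
        if (!strcmp(n->compat, compat)) return node_get(n);
    return NULL;
}

/* Constructed tree: root -> ctrl_a (no children), ctrl_b -> phy_b; each starts with 1 ref. */
static struct node root   = { "soc", 1, NULL, &ctrl_a, NULL };
static struct node ctrl_a = { "vendor,ctrl", 1, &root, NULL, &ctrl_b };
static struct node ctrl_b = { "vendor,ctrl", 1, &root, &phy_b, NULL };
static struct node phy_b  = { "vendor,phy", 1, &ctrl_b, NULL, NULL };

int main(void)
{
    printf("child lookup under ctrl_a found a phy: %d\n", get_compatible_child(&ctrl_a, "vendor,phy") != NULL);
    struct node *hit = find_compatible(&ctrl_a, "vendor,phy");
    printf("tree-wide lookup from ctrl_a: hit belongs to ctrl_b? %d, ctrl_a refs=%d\n", hit->parent == &ctrl_b, ctrl_a.refs);
    return 0;
}
```

In the model, the tree-wide lookup returns a node owned by a sibling controller and leaves ctrl_a with zero references while the caller still holds a pointer to it, which is the precondition for the use-after-free mentioned in the thread.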


Thread overview: 34+ messages
2018-08-27  8:21 [PATCH v2 0/9] of: fix compatible-child-node lookups Johan Hovold
2018-08-27  8:21 ` [PATCH v2 1/9] of: add helper to lookup compatible child node Johan Hovold
2018-08-30 15:51   ` Rob Herring
2018-08-27  8:21 ` [PATCH v2 2/9] drm/mediatek: fix OF sibling-node lookup Johan Hovold
2018-08-27  8:21 ` [PATCH v2 3/9] drm/msm: fix OF child-node lookup Johan Hovold
2018-08-27  8:21 ` [PATCH v2 4/9] mmc: meson-mx-sdio: " Johan Hovold
2018-08-27 14:44   ` Ulf Hansson
2018-09-04 12:54     ` Johan Hovold
2018-09-05  6:30       ` Ulf Hansson
2018-08-27  8:21 ` [PATCH v2 5/9] mtd: nand: atmel: " Johan Hovold
2018-08-27  8:28   ` Boris Brezillon
2018-08-27  8:44     ` Johan Hovold
2018-08-27  8:48       ` Boris Brezillon
2018-08-27  9:44         ` Johan Hovold
2018-10-23 18:28           ` Rob Herring
2018-10-23 18:51             ` Boris Brezillon
2018-11-15 14:26               ` Johan Hovold
2018-11-18 10:45                 ` Boris Brezillon
2018-08-27  8:21 ` [PATCH v2 6/9] net: bcmgenet: " Johan Hovold
2018-08-31  0:47   ` Florian Fainelli
2018-09-04 12:56     ` Johan Hovold
2018-08-27  8:21 ` [PATCH v2 7/9] net: stmmac: dwmac-sun8i: " Johan Hovold
2018-08-28  8:06   ` Corentin Labbe
2018-08-29  7:54     ` Johan Hovold
2018-09-06 20:03   ` Corentin Labbe
2018-09-07  7:48     ` Johan Hovold
2018-08-27  8:21 ` [PATCH v2 8/9] NFC: nfcmrvl_uart: " Johan Hovold
2018-08-27  8:21 ` [PATCH v2 9/9] power: supply: twl4030-charger: fix OF sibling-node lookup Johan Hovold
2018-09-04 13:05 ` [PATCH v2 0/9] of: fix compatible-child-node lookups Johan Hovold
2018-10-23  9:19   ` Johan Hovold
2018-10-23 18:32     ` Rob Herring [this message]
2018-10-23 18:32       ` Rob Herring
2018-10-24  7:32       ` Johan Hovold
2018-10-24  7:32         ` Johan Hovold
