From: Biju Das <biju.das.jz@bp.renesas.com>
To: Steven Price <steven.price@arm.com>,
Daniel Vetter <daniel@ffwll.ch>, David Airlie <airlied@linux.ie>,
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
Maxime Ripard <mripard@kernel.org>,
Thomas Zimmermann <tzimmermann@suse.de>
Cc: "dri-devel@lists.freedesktop.org"
<dri-devel@lists.freedesktop.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
Pavel Machek <pavel@denx.de>
Subject: RE: [PATCH] drm/of: free the iterator object on failure
Date: Mon, 12 Jul 2021 16:03:55 +0000 [thread overview]
Message-ID: <OS0PR01MB592294867B449F855496337186159@OS0PR01MB5922.jpnprd01.prod.outlook.com> (raw)
In-Reply-To: <20210712155758.48286-1-steven.price@arm.com>
+ Pavel
> -----Original Message-----
> From: Steven Price <steven.price@arm.com>
> Sent: 12 July 2021 16:58
> To: Daniel Vetter <daniel@ffwll.ch>; David Airlie <airlied@linux.ie>;
> Maarten Lankhorst <maarten.lankhorst@linux.intel.com>; Maxime Ripard
> <mripard@kernel.org>; Thomas Zimmermann <tzimmermann@suse.de>
> Cc: Steven Price <steven.price@arm.com>; dri-devel@lists.freedesktop.org;
> linux-kernel@vger.kernel.org; Biju Das <biju.das.jz@bp.renesas.com>;
> Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> Subject: [PATCH] drm/of: free the iterator object on failure
>
> When bailing out due to the sanity check the iterator value needs to be
> freed because the early return prevents for_each_child_of_node() from
> doing the dereference itself.
>
> Fixes: 4ee48cc5586b ("drm: of: Fix double-free bug")
> Signed-off-by: Steven Price <steven.price@arm.com>
> ---
> drivers/gpu/drm/drm_of.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> Daniel's email[1] made me take a look at this function and it appears that
> for_each_child_of_node()'s interface had caused a bad bug fix due to the
> hidden reference counting in the iterator.
>
> [1]
> https://jpn01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.ker
> nel.org%2Fr%2FYOxQ5TbkNrqCGBDJ%2540phenom.ffwll.local&data=04%7C01%7Cb
> iju.das.jz%40bp.renesas.com%7Cb0570b66e03a43fb8fa008d9454dddaa%7C53d82571d
> a1947e49cb4625a166a4a2a%7C0%7C0%7C637617023006562683%7CUnknown%7CTWFpbGZsb
> 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C10
> 00&sdata=cQICPYJzmgNkFsNw1wMH9Or73rohnCCGH1DrUg3hvhw%3D&reserved=0
>
> diff --git a/drivers/gpu/drm/drm_of.c b/drivers/gpu/drm/drm_of.c index
> 197c57477344..997b8827fed2 100644
> --- a/drivers/gpu/drm/drm_of.c
> +++ b/drivers/gpu/drm/drm_of.c
> @@ -331,8 +331,10 @@ static int drm_of_lvds_get_remote_pixels_type(
> * configurations by passing the endpoints explicitly to
> * drm_of_lvds_get_dual_link_pixel_order().
> */
> - if (!current_pt || pixels_type != current_pt)
> + if (!current_pt || pixels_type != current_pt) {
> + of_node_put(endpoint);
> return -EINVAL;
> + }
> }
>
> return pixels_type;
> --
> 2.20.1
WARNING: multiple messages have this Message-ID (diff)
From: Biju Das <biju.das.jz@bp.renesas.com>
To: Steven Price <steven.price@arm.com>,
Daniel Vetter <daniel@ffwll.ch>, David Airlie <airlied@linux.ie>,
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
Maxime Ripard <mripard@kernel.org>,
Thomas Zimmermann <tzimmermann@suse.de>
Cc: Pavel Machek <pavel@denx.de>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"dri-devel@lists.freedesktop.org"
<dri-devel@lists.freedesktop.org>,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Subject: RE: [PATCH] drm/of: free the iterator object on failure
Date: Mon, 12 Jul 2021 16:03:55 +0000 [thread overview]
Message-ID: <OS0PR01MB592294867B449F855496337186159@OS0PR01MB5922.jpnprd01.prod.outlook.com> (raw)
In-Reply-To: <20210712155758.48286-1-steven.price@arm.com>
+ Pavel
> -----Original Message-----
> From: Steven Price <steven.price@arm.com>
> Sent: 12 July 2021 16:58
> To: Daniel Vetter <daniel@ffwll.ch>; David Airlie <airlied@linux.ie>;
> Maarten Lankhorst <maarten.lankhorst@linux.intel.com>; Maxime Ripard
> <mripard@kernel.org>; Thomas Zimmermann <tzimmermann@suse.de>
> Cc: Steven Price <steven.price@arm.com>; dri-devel@lists.freedesktop.org;
> linux-kernel@vger.kernel.org; Biju Das <biju.das.jz@bp.renesas.com>;
> Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> Subject: [PATCH] drm/of: free the iterator object on failure
>
> When bailing out due to the sanity check the iterator value needs to be
> freed because the early return prevents for_each_child_of_node() from
> doing the dereference itself.
>
> Fixes: 4ee48cc5586b ("drm: of: Fix double-free bug")
> Signed-off-by: Steven Price <steven.price@arm.com>
> ---
> drivers/gpu/drm/drm_of.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> Daniel's email[1] made me take a look at this function and it appears that
> for_each_child_of_node()'s interface had caused a bad bug fix due to the
> hidden reference counting in the iterator.
>
> [1]
> https://jpn01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.ker
> nel.org%2Fr%2FYOxQ5TbkNrqCGBDJ%2540phenom.ffwll.local&data=04%7C01%7Cb
> iju.das.jz%40bp.renesas.com%7Cb0570b66e03a43fb8fa008d9454dddaa%7C53d82571d
> a1947e49cb4625a166a4a2a%7C0%7C0%7C637617023006562683%7CUnknown%7CTWFpbGZsb
> 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C10
> 00&sdata=cQICPYJzmgNkFsNw1wMH9Or73rohnCCGH1DrUg3hvhw%3D&reserved=0
>
> diff --git a/drivers/gpu/drm/drm_of.c b/drivers/gpu/drm/drm_of.c index
> 197c57477344..997b8827fed2 100644
> --- a/drivers/gpu/drm/drm_of.c
> +++ b/drivers/gpu/drm/drm_of.c
> @@ -331,8 +331,10 @@ static int drm_of_lvds_get_remote_pixels_type(
> * configurations by passing the endpoints explicitly to
> * drm_of_lvds_get_dual_link_pixel_order().
> */
> - if (!current_pt || pixels_type != current_pt)
> + if (!current_pt || pixels_type != current_pt) {
> + of_node_put(endpoint);
> return -EINVAL;
> + }
> }
>
> return pixels_type;
> --
> 2.20.1
next prev parent reply other threads:[~2021-07-12 16:04 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-12 15:57 [PATCH] drm/of: free the iterator object on failure Steven Price
2021-07-12 15:57 ` Steven Price
2021-07-12 16:03 ` Biju Das [this message]
2021-07-12 16:03 ` Biju Das
2021-07-12 16:50 ` Laurent Pinchart
2021-07-12 16:50 ` Laurent Pinchart
2021-07-12 21:31 ` Steven Price
2021-07-12 21:31 ` Steven Price
2021-07-12 21:55 ` Laurent Pinchart
2021-07-12 21:55 ` Laurent Pinchart
2021-07-13 16:16 ` Steven Price
2021-07-13 16:16 ` Steven Price
2021-07-14 8:35 ` Laurent Pinchart
2021-07-14 8:35 ` Laurent Pinchart
2021-07-14 14:33 ` [PATCH v2] " Steven Price
2021-07-14 14:33 ` Steven Price
2021-07-14 15:26 ` Laurent Pinchart
2021-07-14 15:26 ` Laurent Pinchart
2021-07-15 10:32 ` Steven Price
2021-07-15 10:32 ` Steven Price
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=OS0PR01MB592294867B449F855496337186159@OS0PR01MB5922.jpnprd01.prod.outlook.com \
--to=biju.das.jz@bp.renesas.com \
--cc=airlied@linux.ie \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linux-kernel@vger.kernel.org \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=pavel@denx.de \
--cc=steven.price@arm.com \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.