* [PATCH -next V4 0/2] fix two bugs when trying rmmod sata_fsl
From: Baokun Li @ 2021-11-23 1:41 UTC
To: damien.lemoal, axboe, tj, linux-ide, linux-kernel
Cc: sergei.shtylyov, yebin10, libaokun1, yukuai3

V1->V2:
	Fixed the check on the return value of platform_get_irq().
	And propagate errors up to sata_fsl_probe()'s callers.
V2->V3:
	Add fixed and CC stable and modified the patch description.
V3->V4:
	Use a single structure.

Baokun Li (2):
  sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
  sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl

 drivers/ata/sata_fsl.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

--
2.31.1

* [PATCH -next V4 1/2] sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
From: Baokun Li @ 2021-11-23 1:41 UTC
To: damien.lemoal, axboe, tj, linux-ide, linux-kernel
Cc: sergei.shtylyov, yebin10, libaokun1, yukuai3, stable, Hulk Robot

When the `rmmod sata_fsl.ko` command is executed in the PPC64 GNU/Linux,
a bug is reported:
 ==================================================================
 BUG: Unable to handle kernel data access on read at 0x80000800805b502c
 Oops: Kernel access of bad area, sig: 11 [#1]
 NIP [c0000000000388a4] .ioread32+0x4/0x20
 LR [80000000000c6034] .sata_fsl_port_stop+0x44/0xe0 [sata_fsl]
 Call Trace:
  .free_irq+0x1c/0x4e0 (unreliable)
  .ata_host_stop+0x74/0xd0 [libata]
  .release_nodes+0x330/0x3f0
  .device_release_driver_internal+0x178/0x2c0
  .driver_detach+0x64/0xd0
  .bus_remove_driver+0x70/0xf0
  .driver_unregister+0x38/0x80
  .platform_driver_unregister+0x14/0x30
  .fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
  .__se_sys_delete_module+0x1ec/0x2d0
  .system_call_exception+0xfc/0x1f0
  system_call_common+0xf8/0x200
 ==================================================================

The triggering of the BUG is shown in the following stack:

driver_detach
  device_release_driver_internal
    __device_release_driver
      drv->remove(dev) --> platform_drv_remove/platform_remove
        drv->remove(dev) --> sata_fsl_remove
          iounmap(host_priv->hcr_base);             <---- unmap
          kfree(host_priv);                         <---- free
      devres_release_all
        release_nodes
          dr->node.release(dev, dr->data) --> ata_host_stop
            ap->ops->port_stop(ap) --> sata_fsl_port_stop
              ioread32(hcr_base + HCONTROL)         <---- UAF
            host->ops->host_stop(host)

The iounmap(host_priv->hcr_base) and kfree(host_priv) functions should
not be executed in drv->remove. These functions should be executed in
host_stop after port_stop. Therefore, we move these functions to the
new function sata_fsl_host_stop and bind the new function to host_stop.

Fixes: faf0b2e5afe7 ("drivers/ata: add support to Freescale 3.0Gbps SATA Controller")
Cc: stable@vger.kernel.org
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com> --- V2->V3: Add fixed and CC stable and modified the patch description. V3->V4: Use a single structure. drivers/ata/sata_fsl.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c index e5838b23c9e0..2eb216792695 100644 --- a/drivers/ata/sata_fsl.c +++ b/drivers/ata/sata_fsl.c @@ -1394,6 +1394,14 @@ static int sata_fsl_init_controller(struct ata_host *host) return 0; } +static void sata_fsl_host_stop(struct ata_host *host) +{ + struct sata_fsl_host_priv *host_priv = host->private_data; + + iounmap(host_priv->hcr_base); + kfree(host_priv); +} + /* * scsi mid-layer and libata interface structures */ @@ -1426,6 +1434,8 @@ static struct ata_port_operations sata_fsl_ops = { .port_start = sata_fsl_port_start, .port_stop = sata_fsl_port_stop, + .host_stop = sata_fsl_host_stop, + .pmp_attach = sata_fsl_pmp_attach, .pmp_detach = sata_fsl_pmp_detach, }; @@ -1558,8 +1568,6 @@ static int sata_fsl_remove(struct platform_device *ofdev) ata_host_detach(host); irq_dispose_mapping(host_priv->irq); - iounmap(host_priv->hcr_base); - kfree(host_priv); return 0; } -- 2.31.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
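Review bot: the new sata_fsl_host_stop() unmaps hcr_base and frees host_priv unconditionally, and nothing in the hunk records that the host_stop callback now owns both. Any other exit that still releases them by hand and then lets the managed teardown run would unmap and free a second time, so check every path in sata_fsl_probe() that can fail after the host has been started against this new ownership, or clear host->private_data at the manual release and test for NULL in host_stop. A short comment above the function stating that the release must follow port_stop, which still reads hcr_base, would keep a later cleanup from moving it back into sata_fsl_remove().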
* [PATCH -next V4 2/2] sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
From: Baokun Li @ 2021-11-23 1:41 UTC
To: damien.lemoal, axboe, tj, linux-ide, linux-kernel
Cc: sergei.shtylyov, yebin10, libaokun1, yukuai3, stable, Hulk Robot

Trying to remove the fsl-sata module in the PPC64 GNU/Linux
leads to the following warning:
 ------------[ cut here ]------------
 remove_proc_entry: removing non-empty directory 'irq/69',
   leaking at least 'fsl-sata[ff0221000.sata]'
 WARNING: CPU: 3 PID: 1048 at fs/proc/generic.c:722
   .remove_proc_entry+0x20c/0x220
 IRQMASK: 0
 NIP [c00000000033826c] .remove_proc_entry+0x20c/0x220
 LR [c000000000338268] .remove_proc_entry+0x208/0x220
 Call Trace:
  .remove_proc_entry+0x208/0x220 (unreliable)
  .unregister_irq_proc+0x104/0x140
  .free_desc+0x44/0xb0
  .irq_free_descs+0x9c/0xf0
  .irq_dispose_mapping+0x64/0xa0
  .sata_fsl_remove+0x58/0xa0 [sata_fsl]
  .platform_drv_remove+0x40/0x90
  .device_release_driver_internal+0x160/0x2c0
  .driver_detach+0x64/0xd0
  .bus_remove_driver+0x70/0xf0
  .driver_unregister+0x38/0x80
  .platform_driver_unregister+0x14/0x30
  .fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
 ---[ end trace 0ea876d4076908f5 ]---

The driver creates the mapping by calling irq_of_parse_and_map(),
so it also has to dispose the mapping. But the easy way out is to
simply use platform_get_irq() instead of irq_of_parse_map(). Also
we should adapt return value checking and propagate error values.

In this case the mapping is not managed by the device but by
the of core, so the device has not to dispose the mapping.

Fixes: faf0b2e5afe7 ("drivers/ata: add support to Freescale 3.0Gbps SATA Controller")
Cc: stable@vger.kernel.org
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
---
V1->V2:
	Adapt return value checking and propagate error values.
V2->V3:
	Add fixed and CC stable.

 drivers/ata/sata_fsl.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c index 2eb216792695..8e7c49793f91 100644 --- a/drivers/ata/sata_fsl.c
+++ b/drivers/ata/sata_fsl.c @@ -1490,8 +1490,9 @@ static int sata_fsl_probe(struct platform_device *ofdev) host_priv->ssr_base = ssr_base; host_priv->csr_base = csr_base; - irq = irq_of_parse_and_map(ofdev->dev.of_node, 0); - if (!irq) { + irq = platform_get_irq(ofdev, 0); + if (irq < 0) { + retval = irq; dev_err(&ofdev->dev, "invalid irq from platform\n"); goto error_exit_with_cleanup; } @@ -1567,8 +1568,6 @@ static int sata_fsl_remove(struct platform_device *ofdev) ata_host_detach(host); - irq_dispose_mapping(host_priv->irq); - return 0; } -- 2.31.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
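Review bot: in the sata_fsl_probe() hunk the new test `if (irq < 0)` only catches a failure if irq is a signed int, and its declaration is outside the visible context, so confirm the type; the old `!irq` test would also have worked on an unsigned variable. The dev_err() kept under the check is now redundant because platform_get_irq() logs its own message on failure, so the branch can shrink to `retval = irq;` followed by the goto.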
* Re: [PATCH -next V4 2/2] sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
From: Damien Le Moal @ 2021-11-25 23:47 UTC
To: Baokun Li, linux-ide, linux-kernel
Cc: sergei.shtylyov, yebin10, yukuai3, Hulk Robot

On 2021/11/23 10:41, Baokun Li wrote:
> Trying to remove the fsl-sata module in the PPC64 GNU/Linux
> leads to the following warning:
>  ------------[ cut here ]------------
>  remove_proc_entry: removing non-empty directory 'irq/69',
>    leaking at least 'fsl-sata[ff0221000.sata]'
>  WARNING: CPU: 3 PID: 1048 at fs/proc/generic.c:722
>    .remove_proc_entry+0x20c/0x220
>  IRQMASK: 0
>  NIP [c00000000033826c] .remove_proc_entry+0x20c/0x220
>  LR [c000000000338268] .remove_proc_entry+0x208/0x220
>  Call Trace:
>   .remove_proc_entry+0x208/0x220 (unreliable)
>   .unregister_irq_proc+0x104/0x140
>   .free_desc+0x44/0xb0
>   .irq_free_descs+0x9c/0xf0
>   .irq_dispose_mapping+0x64/0xa0
>   .sata_fsl_remove+0x58/0xa0 [sata_fsl]
>   .platform_drv_remove+0x40/0x90
>   .device_release_driver_internal+0x160/0x2c0
>   .driver_detach+0x64/0xd0
>   .bus_remove_driver+0x70/0xf0
>   .driver_unregister+0x38/0x80
>   .platform_driver_unregister+0x14/0x30
>   .fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
>  ---[ end trace 0ea876d4076908f5 ]---
>
> The driver creates the mapping by calling irq_of_parse_and_map(),
> so it also has to dispose the mapping. But the easy way out is to
> simply use platform_get_irq() instead of irq_of_parse_map(). Also
> we should adapt return value checking and propagate error values.
>
> In this case the mapping is not managed by the device but by
> the of core, so the device has not to dispose the mapping.
>
> Fixes: faf0b2e5afe7 ("drivers/ata: add support to Freescale 3.0Gbps SATA Controller")
> Cc: stable@vger.kernel.org
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Signed-off-by: Baokun Li <libaokun1@huawei.com>
> ---
> V1->V2:
> 	Adapt return value checking and propagate error values.
> V2->V3:
> 	Add fixed and CC stable.
>
>  drivers/ata/sata_fsl.c | 7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)
> > diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c > index 2eb216792695..8e7c49793f91 100644 > --- a/drivers/ata/sata_fsl.c > +++ b/drivers/ata/sata_fsl.c > @@ -1490,8 +1490,9 @@ static int sata_fsl_probe(struct platform_device *ofdev) > host_priv->ssr_base = ssr_base; > host_priv->csr_base = csr_base; > > - irq = irq_of_parse_and_map(ofdev->dev.of_node, 0); > - if (!irq) { > + irq = platform_get_irq(ofdev, 0); > + if (irq < 0) { > + retval = irq; > dev_err(&ofdev->dev, "invalid irq from platform\n"); Nit: platform_get_irq() already prints an error message in case of failure. So while at it, you could remove this one here. > goto error_exit_with_cleanup; > } > @@ -1567,8 +1568,6 @@ static int sata_fsl_remove(struct platform_device *ofdev) > > ata_host_detach(host); > > - irq_dispose_mapping(host_priv->irq); > - > return 0; > } > > -- Damien Le Moal Western Digital Research ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH -next V4 2/2] sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
From: libaokun (A) @ 2021-11-26 1:36 UTC
To: Damien Le Moal, linux-ide, linux-kernel
Cc: sergei.shtylyov, yebin10, yukuai3, Hulk Robot

On 2021/11/26 7:47, Damien Le Moal wrote:
> On 2021/11/23 10:41, Baokun Li wrote:
>> Trying to remove the fsl-sata module in the PPC64 GNU/Linux
>> leads to the following warning:
>>  ------------[ cut here ]------------
>>  remove_proc_entry: removing non-empty directory 'irq/69',
>>    leaking at least 'fsl-sata[ff0221000.sata]'
>>  WARNING: CPU: 3 PID: 1048 at fs/proc/generic.c:722
>>    .remove_proc_entry+0x20c/0x220
>>  IRQMASK: 0
>>  NIP [c00000000033826c] .remove_proc_entry+0x20c/0x220
>>  LR [c000000000338268] .remove_proc_entry+0x208/0x220
>>  Call Trace:
>>   .remove_proc_entry+0x208/0x220 (unreliable)
>>   .unregister_irq_proc+0x104/0x140
>>   .free_desc+0x44/0xb0
>>   .irq_free_descs+0x9c/0xf0
>>   .irq_dispose_mapping+0x64/0xa0
>>   .sata_fsl_remove+0x58/0xa0 [sata_fsl]
>>   .platform_drv_remove+0x40/0x90
>>   .device_release_driver_internal+0x160/0x2c0
>>   .driver_detach+0x64/0xd0
>>   .bus_remove_driver+0x70/0xf0
>>   .driver_unregister+0x38/0x80
>>   .platform_driver_unregister+0x14/0x30
>>   .fsl_sata_driver_exit+0x18/0xa20 [sata_fsl]
>>  ---[ end trace 0ea876d4076908f5 ]---
>>
>> The driver creates the mapping by calling irq_of_parse_and_map(),
>> so it also has to dispose the mapping. But the easy way out is to
>> simply use platform_get_irq() instead of irq_of_parse_map(). Also
>> we should adapt return value checking and propagate error values.
>>
>> In this case the mapping is not managed by the device but by
>> the of core, so the device has not to dispose the mapping.
>>
>> Fixes: faf0b2e5afe7 ("drivers/ata: add support to Freescale 3.0Gbps SATA Controller")
>> Cc: stable@vger.kernel.org
>> Reported-by: Hulk Robot <hulkci@huawei.com>
>> Signed-off-by: Baokun Li <libaokun1@huawei.com> >> --- >> V1->V2: >> Adapt return value checking and propagate error values. >> V2->V3: >> Add fixed and CC stable. >> >> drivers/ata/sata_fsl.c | 7 +++---- >> 1 file changed, 3 insertions(+), 4 deletions(-) >> >> diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c >> index 2eb216792695..8e7c49793f91 100644 >> --- a/drivers/ata/sata_fsl.c >> +++ b/drivers/ata/sata_fsl.c >> @@ -1490,8 +1490,9 @@ static int sata_fsl_probe(struct platform_device *ofdev) >> host_priv->ssr_base = ssr_base; >> host_priv->csr_base = csr_base; >> >> - irq = irq_of_parse_and_map(ofdev->dev.of_node, 0); >> - if (!irq) { >> + irq = platform_get_irq(ofdev, 0); >> + if (irq < 0) { >> + retval = irq; >> dev_err(&ofdev->dev, "invalid irq from platform\n"); > Nit: platform_get_irq() already prints an error message in case of failure. So > while at it, you could remove this one here. I've seen a similar change in cf9441adb1a3("ASoC: Remove dev_err() usage after platform_get_irq()"), but I'm not sure if it needs to be changed here. Now that you have pointed out the problem, I will send a patch V5 with the changes suggested by you. Thank you! > >> goto error_exit_with_cleanup; >> } >> @@ -1567,8 +1568,6 @@ static int sata_fsl_remove(struct platform_device *ofdev) >> >> ata_host_detach(host); >> >> - irq_dispose_mapping(host_priv->irq); >> - >> return 0; >> } >> >> > -- With Best Regards, Baokun Li . ^ permalink raw reply [flat|nested] 5+ messages in thread