From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Lukasz Majczak <lma@semihalf.com>,
Lukasz Bartosik <lb@semihalf.com>,
Stephen Boyd <sboyd@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.4 17/38] clk: fix invalid usage of list cursor in unregister
Date: Thu, 15 Apr 2021 16:47:11 +0200 [thread overview]
Message-ID: <20210415144413.898345104@linuxfoundation.org> (raw)
In-Reply-To: <20210415144413.352638802@linuxfoundation.org>
From: Lukasz Bartosik <lb@semihalf.com>
[ Upstream commit 7045465500e465b09f09d6e5bdc260a9f1aab97b ]
Fix invalid usage of a list_for_each_entry cursor in
clk_notifier_unregister(). When list is empty or if the list
is completely traversed (without breaking from the loop on one
of the entries) then the list cursor does not point to a valid
entry and therefore should not be used. The patch fixes a logical
bug that hasn't been seen in pratice however it is analogus
to the bug fixed in clk_notifier_register().
The issue was dicovered when running 5.12-rc1 kernel on x86_64
with KASAN enabled:
BUG: KASAN: global-out-of-bounds in clk_notifier_register+0xab/0x230
Read of size 8 at addr ffffffffa0d10588 by task swapper/0/1
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc1 #1
Hardware name: Google Caroline/Caroline,
BIOS Google_Caroline.7820.430.0 07/20/2018
Call Trace:
dump_stack+0xee/0x15c
print_address_description+0x1e/0x2dc
kasan_report+0x188/0x1ce
? clk_notifier_register+0xab/0x230
? clk_prepare_lock+0x15/0x7b
? clk_notifier_register+0xab/0x230
clk_notifier_register+0xab/0x230
dw8250_probe+0xc01/0x10d4
...
Memory state around the buggy address:
ffffffffa0d10480: 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00
ffffffffa0d10500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9
>ffffffffa0d10580: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffffffa0d10600: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
ffffffffa0d10680: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
==================================================================
Fixes: b2476490ef11 ("clk: introduce the common clock framework")
Reported-by: Lukasz Majczak <lma@semihalf.com>
Signed-off-by: Lukasz Bartosik <lb@semihalf.com>
Link: https://lore.kernel.org/r/20210401225149.18826-2-lb@semihalf.com
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/clk.c | 30 +++++++++++++-----------------
1 file changed, 13 insertions(+), 17 deletions(-)
diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
index 53c068f90b37..c46fff3a32fe 100644
--- a/drivers/clk/clk.c
+++ b/drivers/clk/clk.c
@@ -2870,32 +2870,28 @@ EXPORT_SYMBOL_GPL(clk_notifier_register);
*/
int clk_notifier_unregister(struct clk *clk, struct notifier_block *nb)
{
- struct clk_notifier *cn = NULL;
- int ret = -EINVAL;
+ struct clk_notifier *cn;
+ int ret = -ENOENT;
if (!clk || !nb)
return -EINVAL;
clk_prepare_lock();
- list_for_each_entry(cn, &clk_notifier_list, node)
- if (cn->clk == clk)
- break;
-
- if (cn->clk == clk) {
- ret = srcu_notifier_chain_unregister(&cn->notifier_head, nb);
+ list_for_each_entry(cn, &clk_notifier_list, node) {
+ if (cn->clk == clk) {
+ ret = srcu_notifier_chain_unregister(&cn->notifier_head, nb);
- clk->core->notifier_count--;
+ clk->core->notifier_count--;
- /* XXX the notifier code should handle this better */
- if (!cn->notifier_head.head) {
- srcu_cleanup_notifier_head(&cn->notifier_head);
- list_del(&cn->node);
- kfree(cn);
+ /* XXX the notifier code should handle this better */
+ if (!cn->notifier_head.head) {
+ srcu_cleanup_notifier_head(&cn->notifier_head);
+ list_del(&cn->node);
+ kfree(cn);
+ }
+ break;
}
-
- } else {
- ret = -ENOENT;
}
clk_prepare_unlock();
--
2.30.2
next prev parent reply other threads:[~2021-04-15 14:49 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-15 14:46 [PATCH 4.4 00/38] 4.4.267-rc1 review Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.4 01/38] iio: hid-sensor-prox: Fix scale not correct issue Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.4 02/38] ALSA: aloop: Fix initialization of controls Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.4 03/38] nfc: fix refcount leak in llcp_sock_bind() Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.4 04/38] nfc: fix refcount leak in llcp_sock_connect() Greg Kroah-Hartman
2021-04-15 14:46 ` [PATCH 4.4 05/38] nfc: fix memory " Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 06/38] nfc: Avoid endless loops caused by repeated llcp_sock_connect() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 07/38] xen/evtchn: Change irq_info lock to raw_spinlock_t Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 08/38] net: ipv6: check for validity before dereferencing cfg->fc_nlinfo.nlh Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 09/38] ia64: fix user_stack_pointer() for ptrace() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 10/38] fs: direct-io: fix missing sdio->boundary Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 11/38] parisc: parisc-agp requires SBA IOMMU driver Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 12/38] batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 13/38] net: sched: sch_teql: fix null-pointer dereference Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 14/38] sch_red: fix off-by-one checks in red_check_params() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 15/38] gianfar: Handle error code at MAC address change Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 16/38] net:tipc: Fix a double free in tipc_sk_mcast_rcv Greg Kroah-Hartman
2021-04-15 14:47 ` Greg Kroah-Hartman [this message]
2021-04-15 14:47 ` [PATCH 4.4 18/38] workqueue: Move the position of debug_work_activate() in __queue_work() Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 19/38] s390/cpcmd: fix inline assembly register clobbering Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 20/38] RDMA/cxgb4: check for ipv6 address properly while destroying listener Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 21/38] clk: socfpga: fix iomem pointer cast on 64-bit Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 22/38] cfg80211: remove WARN_ON() in cfg80211_sme_connect Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 23/38] net: tun: set tun->dev->addr_len during TUNSETLINK processing Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 24/38] drivers: net: fix memory leak in atusb_probe Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 25/38] drivers: net: fix memory leak in peak_usb_create_dev Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 26/38] net: mac802154: Fix general protection fault Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 27/38] net: ieee802154: nl-mac: fix check on panid Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 28/38] net: ieee802154: fix nl802154 del llsec key Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 29/38] net: ieee802154: fix nl802154 del llsec dev Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 30/38] net: ieee802154: fix nl802154 add llsec key Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 31/38] net: ieee802154: fix nl802154 del llsec devkey Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 32/38] net: ieee802154: forbid monitor for set llsec params Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 33/38] net: ieee802154: forbid monitor for del llsec seclevel Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 34/38] net: ieee802154: stop dump llsec params for monitors Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 35/38] drm/imx: imx-ldb: fix out of bounds array access warning Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 36/38] netfilter: x_tables: fix compat match/target pad out-of-bound write Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 37/38] perf map: Tighten snprintf() string precision to pass gcc check on some 32-bit arches Greg Kroah-Hartman
2021-04-15 14:47 ` [PATCH 4.4 38/38] xen/events: fix setting irq affinity Greg Kroah-Hartman
2021-04-15 18:44 ` [PATCH 4.4 00/38] 4.4.267-rc1 review Pavel Machek
2021-04-15 22:47 ` Shuah Khan
2021-04-16 12:52 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210415144413.898345104@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=lb@semihalf.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lma@semihalf.com \
--cc=sashal@kernel.org \
--cc=sboyd@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).