From patchwork Thu Nov 28 05:39:34 2024
X-Patchwork-Submitter: Dmitry Torokhov
X-Patchwork-Id: 13887710
From: Dmitry Torokhov
To: Greg Kroah-Hartman, Andy Shevchenko, "Rafael J . Wysocki", Sakari Ailus, Heikki Krogerus, Daniel Scally
Cc: linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] device property: do not leak child nodes when using NULL/error pointers
Date: Wed, 27 Nov 2024 21:39:34 -0800
Message-ID: <20241128053937.4076797-1-dmitry.torokhov@gmail.com>

The documentation to various API calls that locate children for a given
fwnode (such as fwnode_get_next_available_child_node() or
device_get_next_child_node()) states that the reference to the node
passed in "child" argument is dropped unconditionally, however the
change that added checks for the main node to be NULL or error pointer
broke this promise.

Add missing fwnode_handle_put() calls to restore the documented
behavior.

Fixes: 002752af7b89 ("device property: Allow error pointer to be passed to fwnode APIs")
Signed-off-by: Dmitry Torokhov
---
 drivers/base/property.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/base/property.c b/drivers/base/property.c index 837d77e3af2b..696ba43b8e8a 100644 --- a/drivers/base/property.c +++ b/drivers/base/property.c
@@ -759,6 +759,12 @@ struct fwnode_handle * fwnode_get_next_child_node(const struct fwnode_handle *fwnode, struct fwnode_handle *child) { + if (IS_ERR_OR_NULL(fwnode) || + !fwnode_has_op(fwnode, get_next_child_node)) { + fwnode_handle_put(child); + return NULL; + } + return fwnode_call_ptr_op(fwnode, get_next_child_node, child); } EXPORT_SYMBOL_GPL(fwnode_get_next_child_node); @@ -778,9 +784,6 @@ fwnode_get_next_available_child_node(const struct fwnode_handle *fwnode, { struct fwnode_handle *next_child = child; - if (IS_ERR_OR_NULL(fwnode)) - return NULL; - do { next_child = fwnode_get_next_child_node(fwnode, next_child); if (!next_child) 
@@ -806,8 +809,10 @@ struct fwnode_handle *device_get_next_child_node(const struct device *dev, const struct fwnode_handle *fwnode = dev_fwnode(dev); struct fwnode_handle *next; - if (IS_ERR_OR_NULL(fwnode)) + if (IS_ERR_OR_NULL(fwnode)) { + fwnode_handle_put(child); return NULL; + } /* Try to find a child in primary fwnode */ next = fwnode_get_next_child_node(fwnode, child);
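
Review bot: the new early return in fwnode_get_next_child_node() (first hunk of 1/2) calls fwnode_handle_put(child) on every call with an invalid parent, including the first iteration where callers pass child == NULL, so the fix depends on fwnode_handle_put() being a no-op for a NULL handle; please state that in the commit message or the function's kernel-doc. The explicit IS_ERR_OR_NULL(fwnode) test also looks redundant if fwnode_has_op() already rejects NULL and error pointers, in which case `if (!fwnode_has_op(fwnode, get_next_child_node))` alone would do.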
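
Review bot: removing the IS_ERR_OR_NULL(fwnode) early return from fwnode_get_next_available_child_node() (second hunk of 1/2) makes this function's handling of an invalid parent depend entirely on the check added to fwnode_get_next_child_node() in the first hunk. A short comment above the do/while loop saying that the callee drops next_child and returns NULL for a NULL or error fwnode would keep a later cleanup from restoring the old bare `return NULL` and the leak with it.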
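
Review bot: in device_get_next_child_node() (third hunk of 1/2) the IS_ERR_OR_NULL(fwnode) block now repeats the put-and-return that fwnode_get_next_child_node() performs after the first hunk, so it reads as a duplicate that could be deleted. It still has to stay, because this function goes on to use fwnode->secondary (see the unchanged `return fwnode_get_next_child_node(fwnode->secondary, child);` in the 2/2 context); a one-line comment saying the guard protects that dereference would make the intent clear.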

From patchwork Thu Nov 28 05:39:35 2024
X-Patchwork-Submitter: Dmitry Torokhov
X-Patchwork-Id: 13887711
From: Dmitry Torokhov
To: Greg Kroah-Hartman, Andy Shevchenko, "Rafael J . Wysocki", Sakari Ailus, Heikki Krogerus, Daniel Scally
Cc: linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 2/2] device property: fix UAF in device_get_next_child_node()
Date: Wed, 27 Nov 2024 21:39:35 -0800
Message-ID: <20241128053937.4076797-2-dmitry.torokhov@gmail.com>
In-Reply-To: <20241128053937.4076797-1-dmitry.torokhov@gmail.com>
References: <20241128053937.4076797-1-dmitry.torokhov@gmail.com>

fwnode_get_next_child_node() always drops reference to the node passed
as the "child" argument, which makes "child" pointer no longer valid
and we can not use it to scan the secondary node in case there are no
more children in primary one.

Also, it is not obvious whether it is safe to pass children of the
secondary node to fwnode_get_next_child_node() called on the primary
node in subsequent calls to device_get_next_child_node().

Fix the issue by checking whether the child node passed in is indeed a
child of primary or secondary node, and do not call
fwnode_get_next_child_node() for the wrong parent node. Also set the
"child" to NULL after unsuccessful call to fwnode_get_next_child_node()
on primary node to make sure secondary node's children are scanned from
the beginning.

Fixes: 114dbb4fa7c4 ("drivers property: When no children in primary, try secondary")
Signed-off-by: Dmitry Torokhov
---
 drivers/base/property.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/drivers/base/property.c b/drivers/base/property.c index 696ba43b8e8a..0ca3c0908b0c 100644 --- a/drivers/base/property.c +++ b/drivers/base/property.c
@@ -815,11 +815,26 @@ struct fwnode_handle *device_get_next_child_node(const struct device *dev, } /* Try to find a child in primary fwnode */ - next = fwnode_get_next_child_node(fwnode, child); - if (next) - return next; + if (!child || fwnode_get_parent(child) == fwnode) { + next = fwnode_get_next_child_node(fwnode, child); + if (next) + return next; + /* + * We ran out of children in primary - reset the child + * node to start from the beginning when scanning secondary + * node. + */ + child = NULL; + } /* When no more children in primary, continue with secondary */ + + if (IS_ERR_OR_NULL(fwnode->secondary) || + (child && fwnode_get_parent(child) != fwnode->secondary)) { + fwnode_handle_put(child); + return NULL; + } + return fwnode_get_next_child_node(fwnode->secondary, child); } EXPORT_SYMBOL_GPL(device_get_next_child_node);
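
Review bot: both new parent checks, `fwnode_get_parent(child) == fwnode` in the primary branch and `fwnode_get_parent(child) != fwnode->secondary` before the secondary scan, compare the returned handle and then discard it. fwnode_get_parent() returns a reference that the caller is expected to release with fwnode_handle_put(), so every call to device_get_next_child_node() with a non-NULL child would leak a reference on the parent node, trading the use-after-free for a refcount leak. Store the result in a local, do the comparison, and put it before continuing. As a smaller style point, the blank line added directly after the "When no more children in primary, continue with secondary" comment separates that comment from the code it describes.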