On Fri, Aug 9, 2019 at 6:50 AM Schmid, Carsten
<carsten_sch...@mentor.com> wrote:
>
> When a resource is freed and has children, the childrens are
> left without any hint that their parent is no more valid.
> This caused at least one use-after-free in the xhci-hcd using
> ext-caps driver when platform code released platform devices.
>
> Fix this by setting child's parent to zero and warn.
>
> Signed-off-by: Carsten Schmid <carsten_sch...@mentor.com>
> ---
> Rationale:
> When hunting for the root cause of a crash on a 4.14.86 kernel, i
> have found the root cause and checked it being still present
> upstream. Our case:
> Having xhci-hcd and intel_xhci_usb_sw active we can see in
> /proc/meminfo: (exceirpt)
> b3c00000-b3c0ffff : 0000:00:15.0
> b3c00000-b3c0ffff : xhci-hcd
> b3c08070-b3c0846f : intel_xhci_usb_sw
> intel_xhci_usb_sw being a child of xhci-hcd.
>
> Doing an unbind command
> echo 0000:00:15.0 > /sys/bus/pci/drivers/xhci_hcd/unbind
> leads to xhci-hcd being freed in __release_region.
> The intel_xhci_usb_sw resource is accessed in platform code
> in platform_device_del with
> for (i = 0; i < pdev->num_resources; i++) {
> struct resource *r = &pdev->resource[i];
> if (r->parent)
> release_resource(r);
> }
How did we get here while intel_xhci_usb_sw is still active? I would
have expected intel_xhci_usb_sw to pin its parent preventing release
while any usage was pending?
> as the resource's parent has not been updated, the release_resource
> uses the parent:
> p = &old->parent->child;
> which is now invalid.
> Fix this by marking the parent invalid in the child and give a warning
This does not seem like a fix. It does seem like a good sanity check
though, some notes below.
> in dmesg.
> ---
> Advised by Greg (thanks):
> Try resending it with at least the people who get_maintainer.pl says has
> touched that file last in it. [CS:done]
>
> Also, Linus is the unofficial resource.c maintainer. I think he has a
> set of userspace testing scripts for changes somewhere, so you should
> cc: him too. And might as well add me :) [CS:done]
>
> thanks,
>
> greg k-h
> ---
> kernel/resource.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/kernel/resource.c b/kernel/resource.c
> index 158f04ec1d4f..95340cb0b1c2 100644
> --- a/kernel/resource.c
> +++ b/kernel/resource.c
> @@ -1200,6 +1200,15 @@ void __release_region(struct resource *parent,
> resource_size_t start,
> write_unlock(&resource_lock);
> if (res->flags & IORESOURCE_MUXED)
> wake_up(&muxed_resource_wait);
> +
> + write_lock(&resource_lock);
I'd move this above that write_unlock() a few lines up to eliminate a
lock bounce.
> + if (res->child) {
> + printk(KERN_WARNING "__release_region: %s has
> child %s,"
How about WARN_ONCE() to identify the code path that mis-sequenced the release?
> + "invalidating childs
> parent\n",
s/childs/child's/
> + res->name, res->child->name);
> + res->child->parent = NULL;
> + }
> + write_unlock(&resource_lock);
> free_resource(res);
> return;
> }
> --
> 2.17.1
