[thirdparty/kernel/stable-queue.git] / releases / 4.9.30 / powerpc-pseries-fix-of_node_put-underflow-during-dlpar-remove.patch

From 68baf692c435339e6295cb470ea5545cbc28160e Mon Sep 17 00:00:00 2001
From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
Date: Mon, 17 Apr 2017 20:21:40 -0400
Subject: powerpc/pseries: Fix of_node_put() underflow during DLPAR remove

From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>

commit 68baf692c435339e6295cb470ea5545cbc28160e upstream.

Historically struct device_node references were tracked using a kref embedded as
a struct field. Commit 75b57ecf9d1d ("of: Make device nodes kobjects so they
show up in sysfs") (Mar 2014) refactored device_nodes to be kobjects such that
the device tree could by more simply exposed to userspace using sysfs.

Commit 0829f6d1f69e ("of: device_node kobject lifecycle fixes") (Mar 2014)
followed up these changes to better control the kobject lifecycle and in
particular the referecne counting via of_node_get(), of_node_put(), and
of_node_init().

A result of this second commit was that it introduced an of_node_put() call when
a dynamic node is detached, in of_node_remove(), that removes the initial kobj
reference created by of_node_init().

Traditionally as the original dynamic device node user the pseries code had
assumed responsibilty for releasing this final reference in its platform
specific DLPAR detach code.

This patch fixes a refcount underflow introduced by commit 0829f6d1f6, and
recently exposed by the upstreaming of the recount API.

Messages like the following are no longer seen in the kernel log with this
patch following DLPAR remove operations of cpus and pci devices.

  rpadlpar_io: slot PHB 72 removed
  refcount_t: underflow; use-after-free.
  ------------[ cut here ]------------
  WARNING: CPU: 5 PID: 3335 at lib/refcount.c:128 refcount_sub_and_test+0xf4/0x110

Fixes: 0829f6d1f69e ("of: device_node kobject lifecycle fixes")
Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
[mpe: Make change log commit references more verbose]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/platforms/pseries/dlpar.c |    1 -
 1 file changed, 1 deletion(-)

--- a/arch/powerpc/platforms/pseries/dlpar.c
+++ b/arch/powerpc/platforms/pseries/dlpar.c
@@ -288,7 +288,6 @@ int dlpar_detach_node(struct device_node
 	if (rc)
 		return rc;
 
-	of_node_put(dn); /* Must decrement the refcount */
 	return 0;
 }
Commit	Line	Data
21e6eaa8 GKH	1	From 68baf692c435339e6295cb470ea5545cbc28160e Mon Sep 17 00:00:00 2001
	2	From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
	3	Date: Mon, 17 Apr 2017 20:21:40 -0400
	4	Subject: powerpc/pseries: Fix of_node_put() underflow during DLPAR remove
	5
	6	From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
	7
	8	commit 68baf692c435339e6295cb470ea5545cbc28160e upstream.
	9
	10	Historically struct device_node references were tracked using a kref embedded as
	11	a struct field. Commit 75b57ecf9d1d ("of: Make device nodes kobjects so they
	12	show up in sysfs") (Mar 2014) refactored device_nodes to be kobjects such that
	13	the device tree could by more simply exposed to userspace using sysfs.
	14
	15	Commit 0829f6d1f69e ("of: device_node kobject lifecycle fixes") (Mar 2014)
	16	followed up these changes to better control the kobject lifecycle and in
	17	particular the referecne counting via of_node_get(), of_node_put(), and
	18	of_node_init().
	19
	20	A result of this second commit was that it introduced an of_node_put() call when
	21	a dynamic node is detached, in of_node_remove(), that removes the initial kobj
	22	reference created by of_node_init().
	23
	24	Traditionally as the original dynamic device node user the pseries code had
	25	assumed responsibilty for releasing this final reference in its platform
	26	specific DLPAR detach code.
	27
	28	This patch fixes a refcount underflow introduced by commit 0829f6d1f6, and
	29	recently exposed by the upstreaming of the recount API.
	30
	31	Messages like the following are no longer seen in the kernel log with this
	32	patch following DLPAR remove operations of cpus and pci devices.
	33
	34	rpadlpar_io: slot PHB 72 removed
	35	refcount_t: underflow; use-after-free.
	36	------------[ cut here ]------------
	37	WARNING: CPU: 5 PID: 3335 at lib/refcount.c:128 refcount_sub_and_test+0xf4/0x110
	38
	39	Fixes: 0829f6d1f69e ("of: device_node kobject lifecycle fixes")
	40	Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
	41	[mpe: Make change log commit references more verbose]
	42	Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
	43	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	44
	45	---
	46	arch/powerpc/platforms/pseries/dlpar.c \| 1 -
	47	1 file changed, 1 deletion(-)
	48
	49	--- a/arch/powerpc/platforms/pseries/dlpar.c
	50	+++ b/arch/powerpc/platforms/pseries/dlpar.c
	51	@@ -288,7 +288,6 @@ int dlpar_detach_node(struct device_node
	52	if (rc)
	53	return rc;
	54
	55	- of_node_put(dn); /* Must decrement the refcount */
	56	return 0;
	57	}
	58