From: Greg Kroah-Hartman Date: Mon, 24 Sep 2018 07:19:14 +0000 (+0200) Subject: 4.18-stable patches X-Git-Tag: v3.18.123~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e4cd008c39b459f2dc51a3b4f0eec548c77b90a4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: mmc-meson-mx-sdio-fix-of-child-node-lookup.patch of-add-helper-to-lookup-compatible-child-node.patch --- diff --git a/queue-4.18/mmc-meson-mx-sdio-fix-of-child-node-lookup.patch b/queue-4.18/mmc-meson-mx-sdio-fix-of-child-node-lookup.patch new file mode 100644 index 00000000000..f4c41d209fb --- /dev/null +++ b/queue-4.18/mmc-meson-mx-sdio-fix-of-child-node-lookup.patch @@ -0,0 +1,62 @@ +From c483a5cc9d09f4ceaa9abb106f863cc89cb643d9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 27 Aug 2018 10:21:48 +0200 +Subject: mmc: meson-mx-sdio: fix OF child-node lookup + +From: Johan Hovold + +commit c483a5cc9d09f4ceaa9abb106f863cc89cb643d9 upstream. + +Use the new of_get_compatible_child() helper to lookup the slot child +node instead of using of_find_compatible_node(), which searches the +entire tree from a given start node and thus can return an unrelated +(i.e. non-child) node. + +This also addresses a potential use-after-free (e.g. after probe +deferral) as the tree-wide helper drops a reference to its first +argument (i.e. the node of the device being probed). + +While at it, also fix up the related slot-node reference leak. + +Fixes: ed80a13bb4c4 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoCs") +Cc: stable # 4.15 +Cc: Carlo Caione +Cc: Martin Blumenstingl +Cc: Ulf Hansson +Acked-by: Martin Blumenstingl +Signed-off-by: Johan Hovold +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/meson-mx-sdio.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/meson-mx-sdio.c ++++ b/drivers/mmc/host/meson-mx-sdio.c +@@ -517,19 +517,23 @@ static struct mmc_host_ops meson_mx_mmc_ + static struct platform_device *meson_mx_mmc_slot_pdev(struct device *parent) + { + struct device_node *slot_node; ++ struct platform_device *pdev; + + /* + * TODO: the MMC core framework currently does not support + * controllers with multiple slots properly. So we only register + * the first slot for now + */ +- slot_node = of_find_compatible_node(parent->of_node, NULL, "mmc-slot"); ++ slot_node = of_get_compatible_child(parent->of_node, "mmc-slot"); + if (!slot_node) { + dev_warn(parent, "no 'mmc-slot' sub-node found\n"); + return ERR_PTR(-ENOENT); + } + +- return of_platform_device_create(slot_node, NULL, parent); ++ pdev = of_platform_device_create(slot_node, NULL, parent); ++ of_node_put(slot_node); ++ ++ return pdev; + } + + static int meson_mx_mmc_add_host(struct meson_mx_mmc_host *host) diff --git a/queue-4.18/of-add-helper-to-lookup-compatible-child-node.patch b/queue-4.18/of-add-helper-to-lookup-compatible-child-node.patch new file mode 100644 index 00000000000..37d66a41c14 --- /dev/null +++ b/queue-4.18/of-add-helper-to-lookup-compatible-child-node.patch @@ -0,0 +1,87 @@ +From 36156f9241cb0f9e37d998052873ca7501ad4b36 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 27 Aug 2018 10:21:45 +0200 +Subject: of: add helper to lookup compatible child node + +From: Johan Hovold + +commit 36156f9241cb0f9e37d998052873ca7501ad4b36 upstream. + +Add of_get_compatible_child() helper that can be used to lookup +compatible child nodes. + +Several drivers currently use of_find_compatible_node() to lookup child +nodes while failing to notice that the of_find_ functions search the +entire tree depth-first (from a given start node) and therefore can +match unrelated nodes. The fact that these functions also drop a +reference to the node they start searching from (e.g. the parent node) +is typically also overlooked, something which can lead to use-after-free +bugs. + +Signed-off-by: Johan Hovold +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/base.c | 25 +++++++++++++++++++++++++ + include/linux/of.h | 8 ++++++++ + 2 files changed, 33 insertions(+) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -723,6 +723,31 @@ struct device_node *of_get_next_availabl + EXPORT_SYMBOL(of_get_next_available_child); + + /** ++ * of_get_compatible_child - Find compatible child node ++ * @parent: parent node ++ * @compatible: compatible string ++ * ++ * Lookup child node whose compatible property contains the given compatible ++ * string. ++ * ++ * Returns a node pointer with refcount incremented, use of_node_put() on it ++ * when done; or NULL if not found. ++ */ ++struct device_node *of_get_compatible_child(const struct device_node *parent, ++ const char *compatible) ++{ ++ struct device_node *child; ++ ++ for_each_child_of_node(parent, child) { ++ if (of_device_is_compatible(child, compatible)) ++ break; ++ } ++ ++ return child; ++} ++EXPORT_SYMBOL(of_get_compatible_child); ++ ++/** + * of_get_child_by_name - Find the child node by name for a given parent + * @node: parent node + * @name: child name to look for. +--- a/include/linux/of.h ++++ b/include/linux/of.h +@@ -290,6 +290,8 @@ extern struct device_node *of_get_next_c + extern struct device_node *of_get_next_available_child( + const struct device_node *node, struct device_node *prev); + ++extern struct device_node *of_get_compatible_child(const struct device_node *parent, ++ const char *compatible); + extern struct device_node *of_get_child_by_name(const struct device_node *node, + const char *name); + +@@ -632,6 +634,12 @@ static inline bool of_have_populated_dt( + return false; + } + ++static inline struct device_node *of_get_compatible_child(const struct device_node *parent, ++ const char *compatible) ++{ ++ return NULL; ++} ++ + static inline struct device_node *of_get_child_by_name( + const struct device_node *node, + const char *name) diff --git a/queue-4.18/series b/queue-4.18/series index 5da282911df..b61b54e2da4 100644 --- a/queue-4.18/series +++ b/queue-4.18/series @@ -141,3 +141,5 @@ of-fix-phandle-cache-creation-for-dts-with-no-phandles.patch x86-eisa-don-t-probe-eisa-bus-for-xen-pv-guests.patch nfsv4-fix-a-tracepoint-oops-in-initiate_file_draining.patch nfsv4.1-fix-infinite-loop-on-i-o.patch +of-add-helper-to-lookup-compatible-child-node.patch +mmc-meson-mx-sdio-fix-of-child-node-lookup.patch