From nobody Thu Dec 18 20:24:02 2025 Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1549970819; Wed, 18 Dec 2024 14:20:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1734531655; cv=none; b=Unn/X1GEzYbN1VZautTi4ouGWM2B+dXLxT3cr2IDfvFJ9J7qRfeFdogYJVjLl11Sx3tieYENdU6InbaA1DhIFcHx5YjVCTIZ3ddFE5sBhxtolXCRZa515j+8DtVHGghmrGND3D0EqCWr04/larzZmtbvKnSHhtMpwMtGIYruLq0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1734531655; c=relaxed/simple; bh=w3gF/r4BB1ATsGbLCnA93cumxvQTXrlpcz/mT/97FSw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=XbUK4XnsycnFDGYnCpHx9CUphd6j1ea/IofhTSw8/h1SHwh52EYbP58pYHhovcb+iQgbRX4mhdwbAXT99fp6euFA0ZDej3GWC6nE9Q/3y5dcTwB0mycnaFhkwbrwRfSYT5UMGCm8ETsTfv+NLYNhnRiSGdNYSR+RY/uqoWDfm84= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=LqvzIN7w; arc=none smtp.client-ip=209.85.221.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="LqvzIN7w" Received: by mail-wr1-f51.google.com with SMTP id ffacd0b85a97d-385df53e559so5293983f8f.3; Wed, 18 Dec 2024 06:20:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1734531652; x=1735136452; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=s/+y/YSUxPtfDmBJdtycZ9jo8pi4P6L+XpuOz8AqooA=; b=LqvzIN7wqhuzzCzKFNIBEhM1RZcWi+W24tx6OftV+0R5/+jsgj9lmgVbEzgVcL2xN4 bC8kQ1OdXoOT39h/mjAZ1Znm+hw3kB2QFYvHejJlz8ytuL4fFDqh3YRtzYDU6QGRfOYJ 8Z2PylBY7kHhe0yueCxjN/NnOl3l4Ll3CSm1FOeTEE5aCfS92PrnDi05a604jqBZTvdO RHweV8MQHOQeNenF/AOSBlvGfap04/Xq6UzGceSPehDKQ/1hmUDAbBIxlNwkZCxcutN/ kPUh9LXOnRfzOP53MrjN0iO4DfygcXogkDidb79CO7qz66XRgBR6woKXxvp35EitY/8J CaTQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1734531652; x=1735136452; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=s/+y/YSUxPtfDmBJdtycZ9jo8pi4P6L+XpuOz8AqooA=; b=s62eac0qXd/8v1yTSl0XVL8DC9E+xmdDfQiJCc1vHgOGKifPMHWKt7fxO8zZ+bz8ZA 5vL/spNMYT34DNZe+rmn7Ps9FPg32UfmkFtz9NnxZ5nQHyApwiRwHh/AMRBEK2eRkBpt Saio1BgLMhfyQDp/f1QgpwRgtEH+Z1etKdfbuXSml08JjihAyt6pdw+k9+gL/uW504Fl q8qsBp/ev80g02dJKjAccZM9dJUbYk1odIMBEzyxX+j68F3EWzY8AlMJUKwE51AwgPyv ABhr9AGqtVjhqp7OtJaOIX3E6KLY+qFfe0QiNWirjGrFeYx8BoMCv+w6Tw0t/KdbPYhu KEsg== X-Forwarded-Encrypted: i=1; AJvYcCUXohMUj9ZbVGhWW82Swr5jcNzb7T9e2W5e6K/Kk3Z1atdP9KE5H7pUJyzbvNPAvzN/sKVUjV5RV/KK00jv@vger.kernel.org, AJvYcCXji+BS3jaH4lzqJsifDj7Vke+KEIMK64FUvDMABg2NSfbxDwPzxTNp4ZOo70qPRZbe7YpxEHLX3CA=@vger.kernel.org X-Gm-Message-State: AOJu0YwFh1BTTRqmXiNKd55L4u7JUhWxNlijRK4bz/h0K/DrEarhncig IZPnaoavigbJx4zXDSxmwb8np8oIpi/JbOmi3mlAwBZ1ynQxVYTm X-Gm-Gg: ASbGncss35sRKKmhwSVennAKpGh+Mvh6Rq911RZh7DmjIGsRxEf8VGdqxy30GlBW0xv /xjSrx93cKpYBVyomUh3/pJeydwFV/fAnBJMhnJlt3uDugX5MD0HsZ1XibPN2epTSLNaNsHF1U9 X8OF13nhjT34HjZfCI0z1b4c0gm4XKArUSJeoxEZ7Hm2o1zwRAF58E7FwkyLFNRXfls6hkzP9BJ FDJGNPbxibFBTh9WJj/mVXBLcaqTVF9peCqg7kxHWWdRYDVFrnKHr8jIEIuR4oTr/ANjj9h33u8 lxPi69qAmw== X-Google-Smtp-Source: AGHT+IEG3STtRHw+ncLc1DbtulvKP7OjyY10VgRPs0+i1Bs5Rmn0XyXuwSpqZlcaS/5mLuwJ5uqslA== X-Received: by 2002:a05:6000:4916:b0:386:37f5:99e7 with SMTP id ffacd0b85a97d-388e4d64938mr3055400f8f.33.1734531651992; Wed, 18 Dec 2024 06:20:51 -0800 (PST) Received: from prasmi.Home ([2a06:5906:61b:2d00:9516:68be:c7cd:69f2]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-388c801ac68sm14107033f8f.51.2024.12.18.06.20.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 Dec 2024 06:20:50 -0800 (PST) From: Prabhakar X-Google-Original-From: Prabhakar To: Geert Uytterhoeven , Michael Turquette , Stephen Boyd Cc: linux-renesas-soc@vger.kernel.org, linux-clk@vger.kernel.org, linux-kernel@vger.kernel.org, Prabhakar , Biju Das , Fabrizio Castro , Lad Prabhakar Subject: [PATCH 1/5] clk: renesas: rzv2h: Fix use-after-free in MSTOP refcount handling Date: Wed, 18 Dec 2024 14:20:41 +0000 Message-ID: <20241218142045.77269-2-prabhakar.mahadev-lad.rj@bp.renesas.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20241218142045.77269-1-prabhakar.mahadev-lad.rj@bp.renesas.com> References: <20241218142045.77269-1-prabhakar.mahadev-lad.rj@bp.renesas.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Lad Prabhakar Avoid triggering a `refcount_t: addition on 0; use-after-free.` warning when registering a module clock with the same MSTOP configuration. The issue arises when a module clock is registered but not enabled, resulting in a `ref_cnt` of 0. Subsequent calls to `refcount_inc()` on such clocks cause the kernel to warn about use-after-free. [ =C2=A0 =C2=A00.113529] ------------[ cut here ]------------ [ =C2=A0 =C2=A00.113537] refcount_t: addition on 0; use-after-free. [ =C2=A0 =C2=A00.113576] WARNING: CPU: 2 PID: 1 at lib/refcount.c:25 refcou= nt_warn_saturate+0x120/0x144 [ =C2=A0 =C2=A00.113602] Modules linked in: [ =C2=A0 =C2=A00.113616] CPU: 2 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6= .13.0-rc3+ #446 [ =C2=A0 =C2=A00.113629] Hardware name: Renesas RZ/V2H EVK Board based on r= 9a09g057h44 (DT) [ =C2=A0 =C2=A00.113641] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -S= SBS BTYPE=3D--) [ =C2=A0 =C2=A00.113652] pc : refcount_warn_saturate+0x120/0x144 [ =C2=A0 =C2=A00.113664] lr : refcount_warn_saturate+0x120/0x144 [ =C2=A0 =C2=A00.113675] sp : ffff8000818aba90 [ =C2=A0 =C2=A00.113682] x29: ffff8000818aba90 x28: ffff0000c0d96450 x27: f= fff0000c0d96440 [ =C2=A0 =C2=A00.113699] x26: 0000000000000014 x25: 0000000000051000 x24: f= fff0000c0ad6480 [ =C2=A0 =C2=A00.113714] x23: ffff0000c0d96200 x22: ffff800080fae558 x21: 0= 0000000000001e0 [ =C2=A0 =C2=A00.113730] x20: ffff0000c0b11c10 x19: ffff8000815ae6f0 x18: 0= 000000000000006 [ =C2=A0 =C2=A00.113745] x17: ffff800081765368 x16: 0000000000000000 x15: 0= 765076507720766 [ =C2=A0 =C2=A00.113760] x14: ffff8000816a3ea0 x13: 0765076507720766 x12: 0= 72d077207650774 [ =C2=A0 =C2=A00.113776] x11: ffff8000816a3ea0 x10: 00000000000000ce x9 : f= fff8000816fbea0 [ =C2=A0 =C2=A00.113791] x8 : 0000000000017fe8 x7 : 00000000fffff000 x6 : f= fff8000816fbea0 [ =C2=A0 =C2=A00.113806] x5 : 80000000fffff000 x4 : 0000000000000000 x3 : 0= 000000000000000 [ =C2=A0 =C2=A00.113821] x2 : 0000000000000000 x1 : 0000000000000000 x0 : f= fff0000c0158000 [ =C2=A0 =C2=A00.113837] Call trace: [ =C2=A0 =C2=A00.113845] =C2=A0refcount_warn_saturate+0x120/0x144 (P) [ =C2=A0 =C2=A00.113859] =C2=A0rzv2h_cpg_probe+0x7f8/0xa38 [ =C2=A0 =C2=A00.113874] =C2=A0platform_probe+0x68/0xdc [ =C2=A0 =C2=A00.113890] =C2=A0really_probe+0xbc/0x2c0 [ =C2=A0 =C2=A00.113901] =C2=A0__driver_probe_device+0x78/0x120 [ =C2=A0 =C2=A00.113912] =C2=A0driver_probe_device+0x3c/0x154 [ =C2=A0 =C2=A00.113923] =C2=A0__driver_attach+0x90/0x1a0 [ =C2=A0 =C2=A00.113933] =C2=A0bus_for_each_dev+0x7c/0xe0 [ =C2=A0 =C2=A00.113944] =C2=A0driver_attach+0x24/0x30 [ =C2=A0 =C2=A00.113954] =C2=A0bus_add_driver+0xe4/0x208 [ =C2=A0 =C2=A00.113965] =C2=A0driver_register+0x68/0x124 [ =C2=A0 =C2=A00.113975] =C2=A0__platform_driver_probe+0x54/0xd4 [ =C2=A0 =C2=A00.113987] =C2=A0rzv2h_cpg_init+0x24/0x30 [ =C2=A0 =C2=A00.113998] =C2=A0do_one_initcall+0x60/0x1d4 [ =C2=A0 =C2=A00.114013] =C2=A0kernel_init_freeable+0x214/0x278 [ =C2=A0 =C2=A00.114028] =C2=A0kernel_init+0x20/0x140 [ =C2=A0 =C2=A00.114041] =C2=A0ret_from_fork+0x10/0x20 [ =C2=A0 =C2=A00.114052] ---[ end trace 0000000000000000 ]--- Resolve this by checking the `ref_cnt` value before calling `refcount_inc()`. If `ref_cnt` is 0, reset it to 1 using `refcount_set()`. Fixes: 7bd4cb3d6b7c ("clk: renesas: rzv2h: Relocate MSTOP-related macros to= the family driver") Signed-off-by: Lad Prabhakar --- drivers/clk/renesas/rzv2h-cpg.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/clk/renesas/rzv2h-cpg.c b/drivers/clk/renesas/rzv2h-cp= g.c index 668a2880b2d3..23c89b0de38a 100644 --- a/drivers/clk/renesas/rzv2h-cpg.c +++ b/drivers/clk/renesas/rzv2h-cpg.c @@ -565,8 +565,12 @@ static struct rzv2h_mstop continue; =20 if (BUS_MSTOP(clk->mstop->idx, clk->mstop->mask) =3D=3D mstop_data) { - if (rzv2h_mod_clock_is_enabled(&clock->hw)) - refcount_inc(&clk->mstop->ref_cnt); + if (rzv2h_mod_clock_is_enabled(&clock->hw)) { + if (refcount_read(&clk->mstop->ref_cnt)) + refcount_inc(&clk->mstop->ref_cnt); + else + refcount_set(&clk->mstop->ref_cnt, 1); + } return clk->mstop; } } --=20 2.43.0