Crash with "ata: ahci_platform: convert kcalloc to devm_kcalloc"

Message ID aaa4c00a-02ff-f4c7-3f2c-8963cf2c6c65@nvidia.com
State Deferred

Commit Message

Mikko Perttunen July 16, 2018, 1:11 p.m. UTC
Hello,

the recently applied "ata: ahci_platform: convert kcalloc to 
devm_kcalloc" seems to be causing boot failures on Tegra124 Jetson TK1. 
The patch is as follows:

  static int ahci_platform_get_phy(struct ahci_host_priv *hpriv, u32 port,
@@ -408,7 +406,7 @@ struct ahci_host_priv 
*ahci_platform_get_resources(struct platform_device *pdev)
                 rc = -ENOMEM;
                 goto err_out;
         }
-       hpriv->target_pwrs = kcalloc(hpriv->nports, 
sizeof(*hpriv->target_pwrs), GFP_KERNEL);
+       hpriv->target_pwrs = devm_kcalloc(dev, hpriv->nports, 
sizeof(*hpriv->target_pwrs), GFP_KERNEL);
         if (!hpriv->target_pwrs) {
                 rc = -ENOMEM;
                 goto err_out;
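Review bot: the devm_kcalloc() conversion in this hunk hands hpriv->target_pwrs to devres, and as the report above explains that release runs before the ahci_platform_put_resources() callback, which still walks hpriv->target_pwrs[c] to call regulator_put(); on the deferred-probe error path the callback therefore reads freed memory (the 0x6b6b6b6b poison in the reported crash). Keep the plain kcalloc() here, keep the kfree() at the end of ahci_platform_put_resources(), and add a comment at the allocation stating that target_pwrs must not be devm-managed because the put_resources callback frees it only after the regulator_put() loop.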

However, this is not valid, as it will cause hpriv->target_pwrs to be 
freed before ahci_platform_put_resources is called. With the older code, 
the free happened intentionally only after the regulator_put calls were 
done.

Thanks,
Mikko
--
To unsubscribe from this list: send the line "unsubscribe linux-tegra" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Corentin LABBE July 16, 2018, 2:55 p.m. UTC | #1
On Mon, Jul 16, 2018 at 04:11:44PM +0300, Mikko Perttunen wrote:
> Hello,
> 
> the recently applied "ata: ahci_platform: convert kcalloc to 
> devm_kcalloc" seems to be causing boot failures on Tegra124 Jetson TK1. 
> The patch is as follows:
> 
> diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c
> index be9f54423a9b..fe8939e161ea 100644
> --- a/drivers/ata/libahci_platform.c
> +++ b/drivers/ata/libahci_platform.c
> @@ -271,8 +271,6 @@ static void ahci_platform_put_resources(struct 
> device *dev, void *res)
>          for (c = 0; c < hpriv->nports; c++)
>                  if (hpriv->target_pwrs && hpriv->target_pwrs[c])
>                          regulator_put(hpriv->target_pwrs[c]);
> -
> -       kfree(hpriv->target_pwrs);
>   }
> 
>   static int ahci_platform_get_phy(struct ahci_host_priv *hpriv, u32 port,
> @@ -408,7 +406,7 @@ struct ahci_host_priv 
> *ahci_platform_get_resources(struct platform_device *pdev)
>                  rc = -ENOMEM;
>                  goto err_out;
>          }
> -       hpriv->target_pwrs = kcalloc(hpriv->nports, 
> sizeof(*hpriv->target_pwrs), GFP_KERNEL);
> +       hpriv->target_pwrs = devm_kcalloc(dev, hpriv->nports, 
> sizeof(*hpriv->target_pwrs), GFP_KERNEL);
>          if (!hpriv->target_pwrs) {
>                  rc = -ENOMEM;
>                  goto err_out;
> 
> However, this is not valid, as it will cause hpriv->target_pwrs to be 
> freed before ahci_platform_put_resources is called. With the older code, 
> the free happened intentionally only after the regulator_put calls were 
> done.
> 

Hello

I am surprised, since I have tested all my AHCI patches on a Tegra124 Jetson TK1.
Could you print the boot crash?

Regards
Mikko Perttunen July 16, 2018, 3:33 p.m. UTC | #2
On 07/16/2018 05:55 PM, LABBE Corentin wrote:
> On Mon, Jul 16, 2018 at 04:11:44PM +0300, Mikko Perttunen wrote:
>> Hello,
>>
>> the recently applied "ata: ahci_platform: convert kcalloc to
>> devm_kcalloc" seems to be causing boot failures on Tegra124 Jetson TK1.
>> The patch is as follows:
>>
>> diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c
>> index be9f54423a9b..fe8939e161ea 100644
>> --- a/drivers/ata/libahci_platform.c
>> +++ b/drivers/ata/libahci_platform.c
>> @@ -271,8 +271,6 @@ static void ahci_platform_put_resources(struct
>> device *dev, void *res)
>>           for (c = 0; c < hpriv->nports; c++)
>>                   if (hpriv->target_pwrs && hpriv->target_pwrs[c])
>>                           regulator_put(hpriv->target_pwrs[c]);
>> -
>> -       kfree(hpriv->target_pwrs);
>>    }
>>
>>    static int ahci_platform_get_phy(struct ahci_host_priv *hpriv, u32 port,
>> @@ -408,7 +406,7 @@ struct ahci_host_priv
>> *ahci_platform_get_resources(struct platform_device *pdev)
>>                   rc = -ENOMEM;
>>                   goto err_out;
>>           }
>> -       hpriv->target_pwrs = kcalloc(hpriv->nports,
>> sizeof(*hpriv->target_pwrs), GFP_KERNEL);
>> +       hpriv->target_pwrs = devm_kcalloc(dev, hpriv->nports,
>> sizeof(*hpriv->target_pwrs), GFP_KERNEL);
>>           if (!hpriv->target_pwrs) {
>>                   rc = -ENOMEM;
>>                   goto err_out;
>>
>> However, this is not valid, as it will cause hpriv->target_pwrs to be
>> freed before ahci_platform_put_resources is called. With the older code,
>> the free happened intentionally only after the regulator_put calls were
>> done.
>>
> 
> Hello
> 
> I am surprised, since I have tested all my AHCI patch on a Tegra124 Jetson TK1.
> Could you print the boot crash ?

I don't have the crash log in front of me now (can get it to you 
tomorrow), but basically it was ahci_platform_put_resources calling 
eventually _regulator_put which was dereferencing 0x6b6b6bbf, quite 
clearly an offset of 0x6b6b6b6b which is the use-after-free poison.

It actually only happens on tegra_defconfig -- I assume there's some 
different dependency situation that doesn't happen on 
multi_v7_defconfig, that causes ahci-tegra to defer probe, causing the 
error path to be triggered.

Thanks,
Mikko

> 
> Regards
Corentin LABBE July 16, 2018, 3:40 p.m. UTC | #3
On Mon, Jul 16, 2018 at 06:33:52PM +0300, Mikko Perttunen wrote:
> 
> 
> On 07/16/2018 05:55 PM, LABBE Corentin wrote:
> > On Mon, Jul 16, 2018 at 04:11:44PM +0300, Mikko Perttunen wrote:
> >> Hello,
> >>
> >> the recently applied "ata: ahci_platform: convert kcalloc to
> >> devm_kcalloc" seems to be causing boot failures on Tegra124 Jetson TK1.
> >> The patch is as follows:
> >>
> >> diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c
> >> index be9f54423a9b..fe8939e161ea 100644
> >> --- a/drivers/ata/libahci_platform.c
> >> +++ b/drivers/ata/libahci_platform.c
> >> @@ -271,8 +271,6 @@ static void ahci_platform_put_resources(struct
> >> device *dev, void *res)
> >>           for (c = 0; c < hpriv->nports; c++)
> >>                   if (hpriv->target_pwrs && hpriv->target_pwrs[c])
> >>                           regulator_put(hpriv->target_pwrs[c]);
> >> -
> >> -       kfree(hpriv->target_pwrs);
> >>    }
> >>
> >>    static int ahci_platform_get_phy(struct ahci_host_priv *hpriv, u32 port,
> >> @@ -408,7 +406,7 @@ struct ahci_host_priv
> >> *ahci_platform_get_resources(struct platform_device *pdev)
> >>                   rc = -ENOMEM;
> >>                   goto err_out;
> >>           }
> >> -       hpriv->target_pwrs = kcalloc(hpriv->nports,
> >> sizeof(*hpriv->target_pwrs), GFP_KERNEL);
> >> +       hpriv->target_pwrs = devm_kcalloc(dev, hpriv->nports,
> >> sizeof(*hpriv->target_pwrs), GFP_KERNEL);
> >>           if (!hpriv->target_pwrs) {
> >>                   rc = -ENOMEM;
> >>                   goto err_out;
> >>
> >> However, this is not valid, as it will cause hpriv->target_pwrs to be
> >> freed before ahci_platform_put_resources is called. With the older code,
> >> the free happened intentionally only after the regulator_put calls were
> >> done.
> >>
> > 
> > Hello
> > 
> > I am surprised, since I have tested all my AHCI patch on a Tegra124 Jetson TK1.
> > Could you print the boot crash ?
> 
> I don't have the crash log in front of me now (can get it to you 
> tomorrow), but basically it was ahci_platform_put_resources calling 
> eventually _regulator_put which was dereferencing 0x6b6b6bbf, quite 
> clearly an offset of 0x6b6b6b6b which is the use-after-free poison.
> 
> It actually only happens on tegra_defconfig -- I assume there's some 
> different dependency situation that doesn't happen on 
> multi_v7_defconfig, that causes ahci-tegra to defer probe, causing the 
> error path to be triggered.
> 

I have just checked on kernelci.org, and see what you said.
And yes, it was the PHY defer which caused this, which explains why I didn't hit the case (I was not using defconfig).

I will send a commit that reverts the change and adds a warning on why it must remain a simple kcalloc.

Thanks
Regards
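The ordering Mikko describes in #2 and Corentin confirms in #3, as an added user-space C model that is not kernel code and not part of this thread: devres entries are released in reverse order of registration, so a table allocated with devm_kcalloc after the hpriv release callback was registered is torn down before ahci_platform_put_resources runs. The names struct host_priv, run_probe_teardown and the two-port count are assumptions; kfree is modelled by poisoning with 0x6b instead of freeing so that the stale read stays defined.

```c
#include <stdlib.h>
#include <string.h>
#define POISON_BYTE 0x6b   /* SLUB use-after-free poison byte (0x6b6b6b6b) */
#define NPORTS 2           /* constructed: a two-port controller */
typedef void (*release_fn)(void *);
struct devres { release_fn fn; void *data; };
struct device { struct devres list[8]; int n; };
/* Hypothetical stand-in for the relevant part of struct ahci_host_priv. */
struct host_priv {
    unsigned long *target_pwrs; /* modelled regulator handles, one per port */
    int frees_table;            /* 1 = old code: the callback kfree()s the table */
    int saw_poison;             /* set if the callback read freed memory */
};
static void devres_add(struct device *dev, release_fn fn, void *data) { dev->list[dev->n++] = (struct devres){ fn, data }; }
/* Teardown in reverse registration order, as the kernel's devres does. */
static void devres_release_all(struct device *dev)
{
    while (dev->n) { struct devres *d = &dev->list[--dev->n]; d->fn(d->data); }
}
/* Model of kfree(): poison instead of free so the later read stays defined. */
static void poison_free(void *p) { memset(p, POISON_BYTE, NPORTS * sizeof(unsigned long)); }
/* Model of ahci_platform_put_resources(): "puts" each handle in the table. */
static void put_resources(void *res)
{
    struct host_priv *hpriv = res;
    const unsigned long poisoned = ~0UL / 0xffUL * POISON_BYTE; /* 0x6b6b...6b */
    for (unsigned c = 0; c < NPORTS; c++)
        if (hpriv->target_pwrs[c] == poisoned)
            hpriv->saw_poison = 1;        /* reading the already-freed table */
    if (hpriv->frees_table)
        poison_free(hpriv->target_pwrs);  /* old code: kfree only after the puts */
}
/* Returns 1 if put_resources observed freed memory, 0 if not, -1 on OOM. */
int run_probe_teardown(int use_devm_kcalloc)
{
    struct device dev = { .n = 0 };
    struct host_priv hpriv = { .frees_table = !use_devm_kcalloc };
    devres_add(&dev, put_resources, &hpriv);     /* hpriv registered first */
    hpriv.target_pwrs = calloc(NPORTS, sizeof(unsigned long));
    if (!hpriv.target_pwrs) return -1;
    for (unsigned c = 0; c < NPORTS; c++)
        hpriv.target_pwrs[c] = 0x1000 + c;       /* constructed handle values */
    if (use_devm_kcalloc)                        /* devm_kcalloc: registered later, */
        devres_add(&dev, poison_free, hpriv.target_pwrs); /* so released first */
    devres_release_all(&dev);   /* e.g. the error path on deferred probe */
    free(hpriv.target_pwrs);
    return hpriv.saw_poison;
}
```

run_probe_teardown(1) reproduces the devm_kcalloc ordering and returns 1; run_probe_teardown(0) models the original kcalloc/kfree-in-callback ordering and returns 0.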
Patch

diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c
index be9f54423a9b..fe8939e161ea 100644
--- a/drivers/ata/libahci_platform.c
+++ b/drivers/ata/libahci_platform.c
@@ -271,8 +271,6 @@  static void ahci_platform_put_resources(struct 
device *dev, void *res)
         for (c = 0; c < hpriv->nports; c++)
                 if (hpriv->target_pwrs && hpriv->target_pwrs[c])
                         regulator_put(hpriv->target_pwrs[c]);
-
-       kfree(hpriv->target_pwrs);
  }
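Review bot: dropping the kfree(hpriv->target_pwrs) from ahci_platform_put_resources() is only safe if the table outlives this callback, but with the allocation moved to devm_kcalloc() in the other hunk it is released before this callback runs; the thread reports _regulator_put() dereferencing 0x6b6b6bbf, an offset into the 0x6b6b6b6b use-after-free poison, on the Tegra124 deferred-probe path. The loop above still indexes hpriv->target_pwrs[c], and its `if (hpriv->target_pwrs && hpriv->target_pwrs[c])` check only guards a NULL table, not a freed one, so the kfree() should stay where it was, after the regulator_put() loop, with a comment explaining that ordering.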