From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 77F71C433B4 for ; Tue, 18 May 2021 20:02:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4EFA160FF3 for ; Tue, 18 May 2021 20:02:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241346AbhERUDt (ORCPT ); Tue, 18 May 2021 16:03:49 -0400 Received: from ssl.serverraum.org ([176.9.125.105]:35137 "EHLO ssl.serverraum.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239208AbhERUDs (ORCPT ); Tue, 18 May 2021 16:03:48 -0400 Received: from ssl.serverraum.org (web.serverraum.org [172.16.0.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ssl.serverraum.org (Postfix) with ESMTPSA id D145222239; Tue, 18 May 2021 22:02:27 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=walle.cc; s=mail2016061301; t=1621368148; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=h0LHPW/w4IwpfoUIXaU9BCUDkKX5JEPEZ2uj7QpdpKw=; b=oO4XsO814zzxDvKliFmFSX1r0OtStVP6JrmFmpcEoyroQcR4EUyXi90OuBxJ6bV67QPGgn impBl6M+4Qh+QN9EV7VJg4R2tUuvo2pWk6xJB+8kI7wh8h9Mp1hWCGwjn8yF5PwH2AFsnG Xh538qco49irr8Qd/oXPiuSIPdpBdDo= MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Tue, 18 May 2021 22:02:27 +0200 From: Michael Walle To: Jon Hunter Cc: Miquel Raynal , Richard Weinberger , Vignesh Raghavendra , linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org, linux-tegra@vger.kernel.org Subject: Re: [PATCH] mtd: core: Fix freeing of otp_info buffer In-Reply-To: <20210518185503.162787-1-jonathanh@nvidia.com> References: <20210424110608.15748-6-michael@walle.cc> <20210518185503.162787-1-jonathanh@nvidia.com> User-Agent: Roundcube Webmail/1.4.11 Message-ID: <016ead00625f91d1247190e7c68c2086@walle.cc> X-Sender: michael@walle.cc Precedence: bulk List-ID: X-Mailing-List: linux-tegra@vger.kernel.org Am 2021-05-18 20:55, schrieb Jon Hunter: > Commit 4b361cfa8624 ("mtd: core: add OTP nvmem provider support") is > causing the following panic ... > > ------------[ cut here ]------------ > kernel BUG at /local/workdir/tegra/linux_next/kernel/mm/slab.c:2730! > Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM > Modules linked in: > CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.13.0-rc2-next-20210518 #1 > Hardware name: NVIDIA Tegra SoC (Flattened Device Tree) > PC is at ___cache_free+0x3f8/0x51c > ... > [] (___cache_free) from [] (kfree+0xac/0x1bc) > [] (kfree) from [] (mtd_otp_size+0xc4/0x108) > [] (mtd_otp_size) from [] > (mtd_device_parse_register+0xe4/0x2b4) > [] (mtd_device_parse_register) from [] > (spi_nor_probe+0x210/0x2c0) > [] (spi_nor_probe) from [] (spi_probe+0x88/0xac) > [] (spi_probe) from [] (really_probe+0x214/0x3a4) > [] (really_probe) from [] > (driver_probe_device+0x68/0xc0) > [] (driver_probe_device) from [] > (bus_for_each_drv+0x5c/0xbc) > [] (bus_for_each_drv) from [] > (__device_attach+0xe4/0x150) > [] (__device_attach) from [] > (bus_probe_device+0x84/0x8c) > [] (bus_probe_device) from [] > (device_add+0x48c/0x868) > [] (device_add) from [] > (spi_add_device+0xa0/0x168) > [] (spi_add_device) from [] > (spi_register_controller+0x8b8/0xb38) > [] (spi_register_controller) from [] > (devm_spi_register_controller+0x14/0x50) > [] (devm_spi_register_controller) from [] > (tegra_spi_probe+0x33c/0x450) > [] (tegra_spi_probe) from [] > (platform_probe+0x5c/0xb8) > [] (platform_probe) from [] > (really_probe+0x214/0x3a4) > [] (really_probe) from [] > (driver_probe_device+0x68/0xc0) > [] (driver_probe_device) from [] > (device_driver_attach+0x58/0x60) > [] (device_driver_attach) from [] > (__driver_attach+0x80/0xc8) > [] (__driver_attach) from [] > (bus_for_each_dev+0x78/0xb8) > [] (bus_for_each_dev) from [] > (bus_add_driver+0x164/0x1e8) > [] (bus_add_driver) from [] > (driver_register+0x7c/0x114) > [] (driver_register) from [] > (do_one_initcall+0x50/0x2b0) > [] (do_one_initcall) from [] > (kernel_init_freeable+0x1a8/0x1fc) > [] (kernel_init_freeable) from [] > (kernel_init+0x8/0x118) > [] (kernel_init) from [] (ret_from_fork+0x14/0x24) > ... > ---[ end trace 0f652dd222de75d7 ]--- > > In the function mtd_otp_size() a buffer is allocated by calling > kmalloc() and a pointer to the buffer is stored in a variable 'info'. > The pointer 'info' may then be incremented depending on the length > returned from mtd_get_user/fact_prot_info(). If 'info' is incremented, > when kfree() is called to free the buffer the above panic occurs > because > we are no longer passing the original address of the buffer allocated. > Fix this by indexing through the buffer allocated to avoid incrementing > the pointer. > > Fixes: 4b361cfa8624 ("mtd: core: add OTP nvmem provider support") > Signed-off-by: Jon Hunter uhm.. yes of course. Two fixes for this function. Not my best day :/ I'm wondering why CONFIG_SLUB_DEBUG_ON doesn't catch this, whereas slub_debug=f (or fzpu) as commandline parameter works as expected. Reviewed-by: Michael Walle Thanks, -michael From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E676C433ED for ; Tue, 18 May 2021 20:03:56 +0000 (UTC) Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id C91DC60FF3 for ; Tue, 18 May 2021 20:03:55 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org C91DC60FF3 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=walle.cc Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-mtd-bounces+linux-mtd=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Type: Content-Transfer-Encoding:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:Message-ID:References:In-Reply-To:Subject:Cc:To:From :Date:MIME-Version:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=sc5SvRG5tUFcyh2v99IW13NyeVJOG32qODK8yArjb+A=; b=MdP5EudErs2ofWi0a9sNK2Akv bntioW6Mlrct17alZbdJCQN9xBrv+BuT4STpb5wwP0Lyb9N8hiOhC7FNiLgWcbmzSYgeCSqv+iOgt M3z/lk0Yht15XLqXe05okckXAnJWFD3dZFLjAkO+cXcg3ac2LaOXFkVTWvDIZ+zuEnWTtpiTkTqV3 BjizI1qaLLZnNBswpXYdMkkuKVRWrgth1MK3JZ2U3SRcY1rVT64t+aV4BVVDNR28ydEMgzzw3nU48 Li2fB3XxoYlZeVZOYgq5vgEG92vkkmdYR41C5pE2stsyW7PJDFLRdQoflQub5sW2KHJ2VJjTOjkEd vHD83QbMQ==; Received: from localhost ([::1] helo=desiato.infradead.org) by desiato.infradead.org with esmtp (Exim 4.94 #2 (Red Hat Linux)) id 1lj5vM-001mXr-Bb; Tue, 18 May 2021 20:02:40 +0000 Received: from bombadil.infradead.org ([2607:7c80:54:e::133]) by desiato.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lj5vK-001mXm-2D for linux-mtd@desiato.infradead.org; Tue, 18 May 2021 20:02:38 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20210309; h=Message-ID:References:In-Reply-To: Subject:Cc:To:From:Date:Content-Transfer-Encoding:Content-Type:MIME-Version: Sender:Reply-To:Content-ID:Content-Description; bh=h0LHPW/w4IwpfoUIXaU9BCUDkKX5JEPEZ2uj7QpdpKw=; b=WQA4QRSRg5mq8aRCfeMrnGNEy1 J3qyjqAuDuqMd7LTWaX6M0zvxrXpLdbUUnKQ8/TyMH/3UtacT+pQePHr6ZK9Zf7d629XJ49X+Dbzj CLBNpIQfPxPaGC7nFq0+FjbB8g55JCOHzXxf7dfCuzLIu4l0n6wig/ony/Up4i0mGKFZ/6IVsswmp BnmseWuN33AD4L89DeRuaX0JPJHVLXhR96Pt4sVocanOyc5UGpAnQe1erAP0gqI9bt0N6yAKQHVfE 99l5ogZr0+b//ihCTRN8AKbr61oE2FjE9NUXQiyL9j1SiVWCWQzgSQDPHd6izgoX032ASVEQxJXiR WPAsFPLA==; Received: from ssl.serverraum.org ([176.9.125.105]) by bombadil.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lj5vG-00EvnS-P4 for linux-mtd@lists.infradead.org; Tue, 18 May 2021 20:02:36 +0000 Received: from ssl.serverraum.org (web.serverraum.org [172.16.0.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ssl.serverraum.org (Postfix) with ESMTPSA id D145222239; Tue, 18 May 2021 22:02:27 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=walle.cc; s=mail2016061301; t=1621368148; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=h0LHPW/w4IwpfoUIXaU9BCUDkKX5JEPEZ2uj7QpdpKw=; b=oO4XsO814zzxDvKliFmFSX1r0OtStVP6JrmFmpcEoyroQcR4EUyXi90OuBxJ6bV67QPGgn impBl6M+4Qh+QN9EV7VJg4R2tUuvo2pWk6xJB+8kI7wh8h9Mp1hWCGwjn8yF5PwH2AFsnG Xh538qco49irr8Qd/oXPiuSIPdpBdDo= MIME-Version: 1.0 Date: Tue, 18 May 2021 22:02:27 +0200 From: Michael Walle To: Jon Hunter Cc: Miquel Raynal , Richard Weinberger , Vignesh Raghavendra , linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org, linux-tegra@vger.kernel.org Subject: Re: [PATCH] mtd: core: Fix freeing of otp_info buffer In-Reply-To: <20210518185503.162787-1-jonathanh@nvidia.com> References: <20210424110608.15748-6-michael@walle.cc> <20210518185503.162787-1-jonathanh@nvidia.com> User-Agent: Roundcube Webmail/1.4.11 Message-ID: <016ead00625f91d1247190e7c68c2086@walle.cc> X-Sender: michael@walle.cc X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210518_130235_002722_078729CE X-CRM114-Status: GOOD ( 13.17 ) X-BeenThere: linux-mtd@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "linux-mtd" Errors-To: linux-mtd-bounces+linux-mtd=archiver.kernel.org@lists.infradead.org Am 2021-05-18 20:55, schrieb Jon Hunter: > Commit 4b361cfa8624 ("mtd: core: add OTP nvmem provider support") is > causing the following panic ... > > ------------[ cut here ]------------ > kernel BUG at /local/workdir/tegra/linux_next/kernel/mm/slab.c:2730! > Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM > Modules linked in: > CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.13.0-rc2-next-20210518 #1 > Hardware name: NVIDIA Tegra SoC (Flattened Device Tree) > PC is at ___cache_free+0x3f8/0x51c > ... > [] (___cache_free) from [] (kfree+0xac/0x1bc) > [] (kfree) from [] (mtd_otp_size+0xc4/0x108) > [] (mtd_otp_size) from [] > (mtd_device_parse_register+0xe4/0x2b4) > [] (mtd_device_parse_register) from [] > (spi_nor_probe+0x210/0x2c0) > [] (spi_nor_probe) from [] (spi_probe+0x88/0xac) > [] (spi_probe) from [] (really_probe+0x214/0x3a4) > [] (really_probe) from [] > (driver_probe_device+0x68/0xc0) > [] (driver_probe_device) from [] > (bus_for_each_drv+0x5c/0xbc) > [] (bus_for_each_drv) from [] > (__device_attach+0xe4/0x150) > [] (__device_attach) from [] > (bus_probe_device+0x84/0x8c) > [] (bus_probe_device) from [] > (device_add+0x48c/0x868) > [] (device_add) from [] > (spi_add_device+0xa0/0x168) > [] (spi_add_device) from [] > (spi_register_controller+0x8b8/0xb38) > [] (spi_register_controller) from [] > (devm_spi_register_controller+0x14/0x50) > [] (devm_spi_register_controller) from [] > (tegra_spi_probe+0x33c/0x450) > [] (tegra_spi_probe) from [] > (platform_probe+0x5c/0xb8) > [] (platform_probe) from [] > (really_probe+0x214/0x3a4) > [] (really_probe) from [] > (driver_probe_device+0x68/0xc0) > [] (driver_probe_device) from [] > (device_driver_attach+0x58/0x60) > [] (device_driver_attach) from [] > (__driver_attach+0x80/0xc8) > [] (__driver_attach) from [] > (bus_for_each_dev+0x78/0xb8) > [] (bus_for_each_dev) from [] > (bus_add_driver+0x164/0x1e8) > [] (bus_add_driver) from [] > (driver_register+0x7c/0x114) > [] (driver_register) from [] > (do_one_initcall+0x50/0x2b0) > [] (do_one_initcall) from [] > (kernel_init_freeable+0x1a8/0x1fc) > [] (kernel_init_freeable) from [] > (kernel_init+0x8/0x118) > [] (kernel_init) from [] (ret_from_fork+0x14/0x24) > ... > ---[ end trace 0f652dd222de75d7 ]--- > > In the function mtd_otp_size() a buffer is allocated by calling > kmalloc() and a pointer to the buffer is stored in a variable 'info'. > The pointer 'info' may then be incremented depending on the length > returned from mtd_get_user/fact_prot_info(). If 'info' is incremented, > when kfree() is called to free the buffer the above panic occurs > because > we are no longer passing the original address of the buffer allocated. > Fix this by indexing through the buffer allocated to avoid incrementing > the pointer. > > Fixes: 4b361cfa8624 ("mtd: core: add OTP nvmem provider support") > Signed-off-by: Jon Hunter uhm.. yes of course. Two fixes for this function. Not my best day :/ I'm wondering why CONFIG_SLUB_DEBUG_ON doesn't catch this, whereas slub_debug=f (or fzpu) as commandline parameter works as expected. Reviewed-by: Michael Walle Thanks, -michael ______________________________________________________ Linux MTD discussion mailing list http://lists.infradead.org/mailman/listinfo/linux-mtd/