From: Robin Murphy <robin.murphy@arm.com>
To: "Artem S. Tashkinov" <aros@gmx.com>, Christoph Hellwig <hch@lst.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
iommu@lists.linux-foundation.org,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-kernel@vger.kernel.org
Subject: Re: [Bug 206175] Fedora >= 5.4 kernels instantly freeze on boot without producing any display output
Date: Wed, 11 Mar 2020 16:15:31 +0000 [thread overview]
Message-ID: <eadd21f1-c618-9523-fa14-e862dfa256ac@arm.com> (raw)
In-Reply-To: <962693d9-b595-c44d-1390-e044f29e91d3@gmx.com>
On 11/03/2020 4:02 pm, Artem S. Tashkinov wrote:
> On 3/11/20 3:47 PM, Christoph Hellwig wrote:
>> And actually one more idea after looking at what slab interactions
>> could exist. platform_device_register_full frees the dma_mask
>> unconditionally, even if it didn't allocated it, which might lead
>> to weird memory corruption if we hit the failure path. So let's try
>> something like this, replacing the earlier patch in that file.
>>
>> diff --git a/drivers/base/platform.c b/drivers/base/platform.c
>> index b230beb6ccb4..04080a8d94e2 100644
>> --- a/drivers/base/platform.c
>> +++ b/drivers/base/platform.c
>> @@ -632,19 +632,6 @@ struct platform_device
>> *platform_device_register_full(
>> pdev->dev.of_node_reused = pdevinfo->of_node_reused;
>>
>> if (pdevinfo->dma_mask) {
>> - /*
>> - * This memory isn't freed when the device is put,
>> - * I don't have a nice idea for that though. Conceptually
>> - * dma_mask in struct device should not be a pointer.
>> - * See http://thread.gmane.org/gmane.linux.kernel.pci/9081
>> - */
>> - pdev->dev.dma_mask =
>> - kmalloc(sizeof(*pdev->dev.dma_mask), GFP_KERNEL);
>> - if (!pdev->dev.dma_mask)
>> - goto err;
>> -
>> - kmemleak_ignore(pdev->dev.dma_mask);
>> -
>> *pdev->dev.dma_mask = pdevinfo->dma_mask;
>> pdev->dev.coherent_dma_mask = pdevinfo->dma_mask;
>> }
>> @@ -670,7 +657,6 @@ struct platform_device
>> *platform_device_register_full(
>> if (ret) {
>> err:
>> ACPI_COMPANION_SET(&pdev->dev, NULL);
>> - kfree(pdev->dev.dma_mask);
>> platform_device_put(pdev);
>> return ERR_PTR(ret);
>> }
>>
>
> With this patch the system works (I haven't created an initrd, so it
> doesn't completely boot and panics on not being able to mount root fs
> but that's expected).
Yup, a few lines earlier in the log you can see the wdat_wdt driver
failing in platform_device_add(), which since it called into
platform_device_register_full() with pdevinfo.dma_mask = 0, will have
unwound into that kfree() of pdev.dma_mask corrupting the heap.
Robin.
next prev parent reply other threads:[~2020-03-11 16:15 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <bug-206175-5873@https.bugzilla.kernel.org/>
[not found] ` <bug-206175-5873-dSmrOaqbiZ@https.bugzilla.kernel.org/>
2020-01-14 21:40 ` [Bug 206175] Fedora >= 5.4 kernels instantly freeze on boot without producing any display output Linus Torvalds
2020-01-14 22:22 ` Alex Deucher
[not found] ` <bug-206175-5873-S6PaNNClEr@https.bugzilla.kernel.org/>
[not found] ` <CAHk-=wi4GS05j67V0D_cRXRQ=_Jh-NT0OuNpF-JFsDFj7jZK9A@mail.gmail.com>
[not found] ` <20200310162342.GA4483@lst.de>
[not found] ` <CAHk-=wgB2YMM6kw8W0wq=7efxsRERL14OHMOLU=Nd1OaR+sXvw@mail.gmail.com>
2020-03-10 18:25 ` Christoph Hellwig
2020-03-10 18:25 ` Christoph Hellwig
2020-03-11 15:24 ` Christoph Hellwig
2020-03-11 15:34 ` Artem S. Tashkinov
2020-03-11 15:43 ` Christoph Hellwig
2020-03-11 15:47 ` Christoph Hellwig
2020-03-11 16:02 ` Artem S. Tashkinov
2020-03-11 16:15 ` Robin Murphy [this message]
2020-03-11 16:21 ` Linus Torvalds
2020-03-11 16:24 ` Linus Torvalds
2020-03-11 16:48 ` Linus Torvalds
2020-03-11 16:48 ` Linus Torvalds
2020-03-11 17:05 ` Artem S. Tashkinov
2020-03-11 17:05 ` Artem S. Tashkinov
2020-03-11 17:21 ` Artem S. Tashkinov
2020-03-11 17:21 ` Artem S. Tashkinov
2020-03-11 17:27 ` Linus Torvalds
2020-03-11 17:27 ` Linus Torvalds
2020-03-11 15:48 ` Artem S. Tashkinov
2020-03-11 15:57 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=eadd21f1-c618-9523-fa14-e862dfa256ac@arm.com \
--to=robin.murphy@arm.com \
--cc=aros@gmx.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@lst.de \
--cc=iommu@lists.linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.