* [PATCH] regmap: Properly free allocated name for regmap_config of syscon
@ 2020-11-09 11:58 Kefeng Wang
2020-11-09 17:23 ` Mark Brown
0 siblings, 1 reply; 5+ messages in thread
From: Kefeng Wang @ 2020-11-09 11:58 UTC (permalink / raw)
To: Mark Brown; +Cc: Marc Zyngier, linux-kernel, Kefeng Wang
syscon_config.name in of_syscon_register is allocated using kasprintf,
which should be freed when it is not used after regmap_set_name, fix
the following memory leak.
unreferenced object 0xffffffe07fe8c150 (size 16):
comm "swapper/0", pid 1, jiffies 4294892540 (age 68.168s)
hex dump (first 16 bytes):
74 65 73 74 40 31 30 30 30 30 30 00 e0 ff ff ff test@100000.....
backtrace:
[<0000000023d86736>] create_object+0xe8/0x348
[<00000000fe9d1b17>] kmemleak_alloc+0x20/0x2a
[<000000006bba3c96>] __kmalloc_track_caller+0x174/0x272
[<000000008bbb1565>] kvasprintf+0x42/0x86
[<000000000e566920>] kasprintf+0x34/0x50
[<00000000809602dd>] of_syscon_register+0x11c/0x2a8
[<00000000711191ee>] device_node_get_regmap+0x6a/0x98
[<0000000083dd951c>] syscon_node_to_regmap+0x2e/0x38
[<00000000cbe0596d>] syscon_regmap_lookup_by_phandle+0x1e/0x26
[<000000009d9c679f>] syscon_reboot_probe+0x58/0x1aa
[<000000007b610fab>] platform_drv_probe+0x30/0x64
[<0000000031597f78>] really_probe+0x9c/0x274
[<000000004d1de808>] driver_probe_device+0x2c/0x68
[<000000008a998a90>] device_driver_attach+0x4c/0x50
[<000000002ea43ad9>] __driver_attach+0x66/0xa0
[<0000000018505756>] bus_for_each_dev+0x5a/0x98
Fixes: 529a1101212a ("mfd: syscon: Don't free allocated name for regmap_config")
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
---
drivers/base/regmap/regmap.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index 5db536ccfcd6..c1c1e53d46ac 100644
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -601,6 +601,7 @@ static int regmap_set_name(struct regmap *map, const struct regmap_config *confi
if (!name)
return -ENOMEM;
+ kfree_const(config->name);
kfree_const(map->name);
map->name = name;
}
--
2.26.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] regmap: Properly free allocated name for regmap_config of syscon
2020-11-09 11:58 [PATCH] regmap: Properly free allocated name for regmap_config of syscon Kefeng Wang
@ 2020-11-09 17:23 ` Mark Brown
2020-11-10 1:35 ` Kefeng Wang
0 siblings, 1 reply; 5+ messages in thread
From: Mark Brown @ 2020-11-09 17:23 UTC (permalink / raw)
To: Kefeng Wang; +Cc: Marc Zyngier, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1741 bytes --]
On Mon, Nov 09, 2020 at 07:58:16PM +0800, Kefeng Wang wrote:
> syscon_config.name in of_syscon_register is allocated using kasprintf,
> which should be freed when it is not used after regmap_set_name, fix
> the following memory leak.
> unreferenced object 0xffffffe07fe8c150 (size 16):
> comm "swapper/0", pid 1, jiffies 4294892540 (age 68.168s)
> hex dump (first 16 bytes):
> 74 65 73 74 40 31 30 30 30 30 30 00 e0 ff ff ff test@100000.....
> backtrace:
> [<0000000023d86736>] create_object+0xe8/0x348
> [<00000000fe9d1b17>] kmemleak_alloc+0x20/0x2a
Please think hard before including complete backtraces in upstream
reports, they are very large and contain almost no useful information
relative to their size so often obscure the relevant content in your
message. If part of the backtrace is usefully illustrative (it often is
for search engines if nothing else) then it's usually better to pull out
the relevant sections.
> @@ -601,6 +601,7 @@ static int regmap_set_name(struct regmap *map, const struct regmap_config *confi
> if (!name)
> return -ENOMEM;
>
> + kfree_const(config->name);
> kfree_const(map->name);
> map->name = name;
> }
Why would we free the passed in name here? The name wes passed in from
outside regmap in a const configuration struct, we've no idea within
regmap if it was dynamically allocted or not and it seems very
surprising that we'd go off and free it. The whole reason we're
duplicating it in regmap_set_name() is that we don't know how long it's
going to be around so we don't want to reference it after having
returned to the caller. If the caller has dynamically allocated it then
the caller should deal with freeing it.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] regmap: Properly free allocated name for regmap_config of syscon
2020-11-09 17:23 ` Mark Brown
@ 2020-11-10 1:35 ` Kefeng Wang
2020-11-10 8:47 ` Marc Zyngier
0 siblings, 1 reply; 5+ messages in thread
From: Kefeng Wang @ 2020-11-10 1:35 UTC (permalink / raw)
To: Mark Brown; +Cc: Marc Zyngier, linux-kernel, wangkefeng.wang
On 2020/11/10 1:23, Mark Brown wrote:
> On Mon, Nov 09, 2020 at 07:58:16PM +0800, Kefeng Wang wrote:
>
>> syscon_config.name in of_syscon_register is allocated using kasprintf,
>> which should be freed when it is not used after regmap_set_name, fix
>> the following memory leak.
>> unreferenced object 0xffffffe07fe8c150 (size 16):
>> comm "swapper/0", pid 1, jiffies 4294892540 (age 68.168s)
>> hex dump (first 16 bytes):
>> 74 65 73 74 40 31 30 30 30 30 30 00 e0 ff ff ff test@100000.....
>> backtrace:
>> [<0000000023d86736>] create_object+0xe8/0x348
>> [<00000000fe9d1b17>] kmemleak_alloc+0x20/0x2a
> Please think hard before including complete backtraces in upstream
> reports, they are very large and contain almost no useful information
> relative to their size so often obscure the relevant content in your
> message. If part of the backtrace is usefully illustrative (it often is
> for search engines if nothing else) then it's usually better to pull out
> the relevant sections.
2899872b627e "regmap: debugfs: Fix memory leak in regmap_debugfs_init"
add a similar
backtrack, but the address of the trace is useless, will be careful next
time.
>> @@ -601,6 +601,7 @@ static int regmap_set_name(struct regmap *map, const struct regmap_config *confi
>> if (!name)
>> return -ENOMEM;
>>
>> + kfree_const(config->name);
>> kfree_const(map->name);
>> map->name = name;
>> }
> Why would we free the passed in name here? The name wes passed in from
> outside regmap in a const configuration struct, we've no idea within
> regmap if it was dynamically allocted or not and it seems very
> surprising that we'd go off and free it. The whole reason we're
> duplicating it in regmap_set_name() is that we don't know how long it's
> going to be around so we don't want to reference it after having
> returned to the caller. If the caller has dynamically allocated it then
> the caller should deal with freeing it.
Yes, after check it again, this patch is wrong.
Hi Marc, the regmap debugfs will duplicate a name in regmap_set_name(),
and
syscon_config.name won't be used in syscon, so your following patch
doesn't seem
to be necessary, right ? Please correct me if I'm wrong, thanks.
commit 529a1101212a785c5df92c314b0e718287150c3b
Author: Marc Zyngier <maz@kernel.org>
Date: Thu Sep 3 17:02:37 2020 +0100
mfd: syscon: Don't free allocated name for regmap_config
The name allocated for the regmap_config structure is freed
pretty early, right after the registration of the MMIO region.
Unfortunately, that doesn't follow the life cycle that debugfs
expects, as it can access the name field long after the free
has occurred.
Move the free on the error path, and keep it forever otherwise.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] regmap: Properly free allocated name for regmap_config of syscon
2020-11-10 1:35 ` Kefeng Wang
@ 2020-11-10 8:47 ` Marc Zyngier
2020-11-11 10:53 ` Kefeng Wang
0 siblings, 1 reply; 5+ messages in thread
From: Marc Zyngier @ 2020-11-10 8:47 UTC (permalink / raw)
To: Kefeng Wang; +Cc: Mark Brown, linux-kernel
On 2020-11-10 01:35, Kefeng Wang wrote:
> On 2020/11/10 1:23, Mark Brown wrote:
>> On Mon, Nov 09, 2020 at 07:58:16PM +0800, Kefeng Wang wrote:
>>
>>> syscon_config.name in of_syscon_register is allocated using
>>> kasprintf,
>>> which should be freed when it is not used after regmap_set_name, fix
>>> the following memory leak.
>>> unreferenced object 0xffffffe07fe8c150 (size 16):
>>> comm "swapper/0", pid 1, jiffies 4294892540 (age 68.168s)
>>> hex dump (first 16 bytes):
>>> 74 65 73 74 40 31 30 30 30 30 30 00 e0 ff ff ff
>>> test@100000.....
>>> backtrace:
>>> [<0000000023d86736>] create_object+0xe8/0x348
>>> [<00000000fe9d1b17>] kmemleak_alloc+0x20/0x2a
>> Please think hard before including complete backtraces in upstream
>> reports, they are very large and contain almost no useful information
>> relative to their size so often obscure the relevant content in your
>> message. If part of the backtrace is usefully illustrative (it often
>> is
>> for search engines if nothing else) then it's usually better to pull
>> out
>> the relevant sections.
>
> 2899872b627e "regmap: debugfs: Fix memory leak in
> regmap_debugfs_init" add a similar
>
> backtrack, but the address of the trace is useless, will be careful
> next time.
>
>>> @@ -601,6 +601,7 @@ static int regmap_set_name(struct regmap *map,
>>> const struct regmap_config *confi
>>> if (!name)
>>> return -ENOMEM;
>>> + kfree_const(config->name);
>>> kfree_const(map->name);
>>> map->name = name;
>>> }
>> Why would we free the passed in name here? The name wes passed in
>> from
>> outside regmap in a const configuration struct, we've no idea within
>> regmap if it was dynamically allocted or not and it seems very
>> surprising that we'd go off and free it. The whole reason we're
>> duplicating it in regmap_set_name() is that we don't know how long
>> it's
>> going to be around so we don't want to reference it after having
>> returned to the caller. If the caller has dynamically allocated it
>> then
>> the caller should deal with freeing it.
>
> Yes, after check it again, this patch is wrong.
>
> Hi Marc, the regmap debugfs will duplicate a name in
> regmap_set_name(), and
>
> syscon_config.name won't be used in syscon, so your following patch
> doesn't seem
>
> to be necessary, right ? Please correct me if I'm wrong, thanks.
It was certainly necessary at the time when I wrote the patch, as it
was fixing some obvious memory corruption (use after free).
It is very possible that the flow has been reorganised since, as the
following commit hints at:
commit e15d7f2b81d2e7d93115d46fa931b366c1cdebc2
Author: Suman Anna <s-anna@ti.com>
Date: Mon Jul 27 16:10:08 2020 -0500
mfd: syscon: Use a unique name with regmap_config
The DT node full name is currently being used in regmap_config
which in turn is used to create the regmap debugfs directories.
This name however is not guaranteed to be unique and the regmap
debugfs registration can fail in the cases where the syscon nodes
have the same unit-address but are present in different DT node
hierarchies. Replace this logic using the syscon reg resource
address instead (inspired from logic used while creating platform
devices) to ensure a unique name is given for each syscon.
Signed-off-by: Suman Anna <s-anna@ti.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
I suggest you come up with a more complete analysis of the problem
and how it came to be.
M.
--
Jazz is not dead. It just smells funny...
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] regmap: Properly free allocated name for regmap_config of syscon
2020-11-10 8:47 ` Marc Zyngier
@ 2020-11-11 10:53 ` Kefeng Wang
0 siblings, 0 replies; 5+ messages in thread
From: Kefeng Wang @ 2020-11-11 10:53 UTC (permalink / raw)
To: Marc Zyngier; +Cc: Mark Brown, linux-kernel
On 2020/11/10 16:47, Marc Zyngier wrote:
> On 2020-11-10 01:35, Kefeng Wang wrote:
>> On 2020/11/10 1:23, Mark Brown wrote:
>>> On Mon, Nov 09, 2020 at 07:58:16PM +0800, Kefeng Wang wrote:
>>>
>> Hi Marc, the regmap debugfs will duplicate a name in
>> regmap_set_name(), and
>>
>> syscon_config.name won't be used in syscon, so your following patch
>> doesn't seem
>>
>> to be necessary, right ? Please correct me if I'm wrong, thanks.
>
> It was certainly necessary at the time when I wrote the patch, as it
> was fixing some obvious memory corruption (use after free).
>
> It is very possible that the flow has been reorganised since, as the
> following commit hints at:
>
> commit e15d7f2b81d2e7d93115d46fa931b366c1cdebc2
> Author: Suman Anna <s-anna@ti.com>
> Date: Mon Jul 27 16:10:08 2020 -0500
>
> mfd: syscon: Use a unique name with regmap_config
>
> The DT node full name is currently being used in regmap_config
> which in turn is used to create the regmap debugfs directories.
> This name however is not guaranteed to be unique and the regmap
> debugfs registration can fail in the cases where the syscon nodes
> have the same unit-address but are present in different DT node
> hierarchies. Replace this logic using the syscon reg resource
> address instead (inspired from logic used while creating platform
> devices) to ensure a unique name is given for each syscon.
>
> Signed-off-by: Suman Anna <s-anna@ti.com>
> Reviewed-by: Arnd Bergmann <arnd@arndb.de>
> Signed-off-by: Lee Jones <lee.jones@linaro.org>
>
> I suggest you come up with a more complete analysis of the problem
> and how it came to be.
I check the history of above patch[1],
"The regmap name is expected to be managed by the caller and should be
live as long as the regmap is live, it is almost always static data."
so keep it as your patch said, thanks.
[1]
https://patchwork.kernel.org/project/linux-arm-kernel/patch/20200727211008.24225-1-s-anna@ti.com/#23575471
>
> M.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-11-11 10:53 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-09 11:58 [PATCH] regmap: Properly free allocated name for regmap_config of syscon Kefeng Wang
2020-11-09 17:23 ` Mark Brown
2020-11-10 1:35 ` Kefeng Wang
2020-11-10 8:47 ` Marc Zyngier
2020-11-11 10:53 ` Kefeng Wang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).