|
Takashi Iwai |
67220d |
From baaf965f94308301d2dc554d72a87d7432cd5ce6 Mon Sep 17 00:00:00 2001
|
|
Takashi Iwai |
67220d |
From: "George G. Davis" <davis.george@siemens.com>
|
|
Takashi Iwai |
67220d |
Date: Fri, 16 Jul 2021 16:49:35 -0400
|
|
Takashi Iwai |
67220d |
Subject: [PATCH] mtd: hyperbus: rpc-if: fix bug in rpcif_hb_remove
|
|
Takashi Iwai |
67220d |
Git-commit: baaf965f94308301d2dc554d72a87d7432cd5ce6
|
|
Takashi Iwai |
67220d |
Patch-mainline: v5.17-rc1
|
|
Takashi Iwai |
67220d |
References: git-fixes
|
|
Takashi Iwai |
67220d |
|
|
Takashi Iwai |
67220d |
The following KASAN BUG is observed when testing the rpc-if driver on
|
|
Takashi Iwai |
67220d |
Rcar-gen3:
|
|
Takashi Iwai |
67220d |
|
|
Takashi Iwai |
67220d |
root@rcar-gen3:~# modprobe -r rpc-if
|
|
Takashi Iwai |
67220d |
[ 101.930146] ==================================================================
|
|
Takashi Iwai |
67220d |
[ 101.937408] BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x518/0x25d0
|
|
Takashi Iwai |
67220d |
[ 101.944240] Read of size 8 at addr ffff0004c5be2750 by task modprobe/664
|
|
Takashi Iwai |
67220d |
[ 101.950959]
|
|
Takashi Iwai |
67220d |
[ 101.952466] CPU: 2 PID: 664 Comm: modprobe Not tainted 5.14.0-rc1-00342-g1a1464d7aa31 #1
|
|
Takashi Iwai |
67220d |
[ 101.960578] Hardware name: Renesas H3ULCB board based on r8a77951 (DT)
|
|
Takashi Iwai |
67220d |
[ 101.967120] Call trace:
|
|
Takashi Iwai |
67220d |
[ 101.969580] dump_backtrace+0x0/0x2c0
|
|
Takashi Iwai |
67220d |
[ 101.973275] show_stack+0x1c/0x30
|
|
Takashi Iwai |
67220d |
[ 101.976616] dump_stack_lvl+0x9c/0xd8
|
|
Takashi Iwai |
67220d |
[ 101.980301] print_address_description.constprop.0+0x74/0x2b8
|
|
Takashi Iwai |
67220d |
[ 101.986071] kasan_report+0x1f4/0x26c
|
|
Takashi Iwai |
67220d |
[ 101.989757] __asan_load8+0x98/0xd4
|
|
Takashi Iwai |
67220d |
[ 101.993266] __lock_acquire+0x518/0x25d0
|
|
Takashi Iwai |
67220d |
[ 101.997215] lock_acquire.part.0+0x18c/0x360
|
|
Takashi Iwai |
67220d |
[ 102.001506] lock_acquire+0x74/0x90
|
|
Takashi Iwai |
67220d |
[ 102.005013] _raw_spin_lock_irq+0x98/0x130
|
|
Takashi Iwai |
67220d |
[ 102.009131] __pm_runtime_disable+0x30/0x210
|
|
Takashi Iwai |
67220d |
[ 102.013427] rpcif_hb_remove+0x5c/0x70 [rpc_if]
|
|
Takashi Iwai |
67220d |
[ 102.018001] platform_remove+0x40/0x80
|
|
Takashi Iwai |
67220d |
[ 102.021771] __device_release_driver+0x234/0x350
|
|
Takashi Iwai |
67220d |
[ 102.026412] driver_detach+0x158/0x20c
|
|
Takashi Iwai |
67220d |
[ 102.030179] bus_remove_driver+0xa0/0x140
|
|
Takashi Iwai |
67220d |
[ 102.034212] driver_unregister+0x48/0x80
|
|
Takashi Iwai |
67220d |
[ 102.038153] platform_driver_unregister+0x18/0x24
|
|
Takashi Iwai |
67220d |
[ 102.042879] rpcif_platform_driver_exit+0x1c/0x34 [rpc_if]
|
|
Takashi Iwai |
67220d |
[ 102.048400] __arm64_sys_delete_module+0x210/0x310
|
|
Takashi Iwai |
67220d |
[ 102.053212] invoke_syscall+0x60/0x190
|
|
Takashi Iwai |
67220d |
[ 102.056986] el0_svc_common+0x12c/0x144
|
|
Takashi Iwai |
67220d |
[ 102.060844] do_el0_svc+0x88/0xac
|
|
Takashi Iwai |
67220d |
[ 102.064181] el0_svc+0x24/0x3c
|
|
Takashi Iwai |
67220d |
[ 102.067257] el0t_64_sync_handler+0x1a8/0x1b0
|
|
Takashi Iwai |
67220d |
[ 102.071634] el0t_64_sync+0x198/0x19c
|
|
Takashi Iwai |
67220d |
[ 102.075315]
|
|
Takashi Iwai |
67220d |
[ 102.076815] Allocated by task 628:
|
|
Takashi Iwai |
67220d |
[ 102.080781]
|
|
Takashi Iwai |
67220d |
[ 102.082280] Last potentially related work creation:
|
|
Takashi Iwai |
67220d |
[ 102.087524]
|
|
Takashi Iwai |
67220d |
[ 102.089022] The buggy address belongs to the object at ffff0004c5be2000
|
|
Takashi Iwai |
67220d |
[ 102.089022] which belongs to the cache kmalloc-2k of size 2048
|
|
Takashi Iwai |
67220d |
[ 102.101555] The buggy address is located 1872 bytes inside of
|
|
Takashi Iwai |
67220d |
[ 102.101555] 2048-byte region [ffff0004c5be2000, ffff0004c5be2800)
|
|
Takashi Iwai |
67220d |
[ 102.113486] The buggy address belongs to the page:
|
|
Takashi Iwai |
67220d |
[ 102.118409]
|
|
Takashi Iwai |
67220d |
[ 102.119908] Memory state around the buggy address:
|
|
Takashi Iwai |
67220d |
[ 102.124711] ffff0004c5be2600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
|
|
Takashi Iwai |
67220d |
[ 102.131947] ffff0004c5be2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
|
|
Takashi Iwai |
67220d |
[ 102.139181] >ffff0004c5be2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
|
|
Takashi Iwai |
67220d |
[ 102.146412] ^
|
|
Takashi Iwai |
67220d |
[ 102.152257] ffff0004c5be2780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
|
|
Takashi Iwai |
67220d |
[ 102.159491] ffff0004c5be2800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
|
|
Takashi Iwai |
67220d |
[ 102.166723] ==================================================================
|
|
Takashi Iwai |
67220d |
|
|
Takashi Iwai |
67220d |
The above bug is caused by use of the wrong pointer in the
|
|
Takashi Iwai |
67220d |
rpcif_disable_rpm() call. Fix the bug by using the correct pointer.
|
|
Takashi Iwai |
67220d |
|
|
Takashi Iwai |
67220d |
Fixes: 5de15b610f78 ("mtd: hyperbus: add Renesas RPC-IF driver")
|
|
Takashi Iwai |
67220d |
Signed-off-by: George G. Davis <davis.george@siemens.com>
|
|
Takashi Iwai |
67220d |
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
|
|
Takashi Iwai |
67220d |
Link: https://lore.kernel.org/r/20210716204935.25859-1-george_davis@mentor.com
|
|
Takashi Iwai |
67220d |
Acked-by: Takashi Iwai <tiwai@suse.de>
|
|
Takashi Iwai |
67220d |
|
|
Takashi Iwai |
67220d |
---
|
|
Takashi Iwai |
67220d |
drivers/mtd/hyperbus/rpc-if.c | 4 ++--
|
|
Takashi Iwai |
67220d |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
Takashi Iwai |
67220d |
|
|
Takashi Iwai |
67220d |
diff --git a/drivers/mtd/hyperbus/rpc-if.c b/drivers/mtd/hyperbus/rpc-if.c
|
|
Takashi Iwai |
67220d |
index 367b0d72bf62..dc164c18f842 100644
|
|
Takashi Iwai |
67220d |
--- a/drivers/mtd/hyperbus/rpc-if.c
|
|
Takashi Iwai |
67220d |
+++ b/drivers/mtd/hyperbus/rpc-if.c
|
|
Takashi Iwai |
67220d |
@@ -152,9 +152,9 @@ static int rpcif_hb_remove(struct platform_device *pdev)
|
|
Takashi Iwai |
67220d |
{
|
|
Takashi Iwai |
67220d |
struct rpcif_hyperbus *hyperbus = platform_get_drvdata(pdev);
|
|
Takashi Iwai |
67220d |
int error = hyperbus_unregister_device(&hyperbus->hbdev);
|
|
Takashi Iwai |
67220d |
- struct rpcif *rpc = dev_get_drvdata(pdev->dev.parent);
|
|
Takashi Iwai |
67220d |
|
|
Takashi Iwai |
67220d |
- rpcif_disable_rpm(rpc);
|
|
Takashi Iwai |
67220d |
+ rpcif_disable_rpm(&hyperbus->rpc);
|
|
Takashi Iwai |
67220d |
+
|
|
Takashi Iwai |
67220d |
return error;
|
|
Takashi Iwai |
67220d |
}
|
|
Takashi Iwai |
67220d |
|
|
Takashi Iwai |
67220d |
--
|
|
Takashi Iwai |
67220d |
2.31.1
|
|
Takashi Iwai |
67220d |
|