Re: next-20150120 broken on Tegra by "ata: libahci: Allow using multiple regulators"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Jan 21, 2015 at 07:31:34AM -0500, Tejun Heo wrote:
> On Wed, Jan 21, 2015 at 11:50:03AM +0100, Thierry Reding wrote:
> > Tejun, preferably the attached patch should be squashed into commit
> > c7d7ddee7e24 ("ata: libahci: Allow using multiple regulators") to avoid
> > breaking bisectability. If you don't want to rewrite history, let me
> > know and I can turn it into a proper patch.
> 
> Yes, please make it a proper patch.
> 
> Thanks a lot!

Attaching the patch.

Thierry
From a4f78e3ec05f1b2ad86aa44d6bd5394d75a23a06 Mon Sep 17 00:00:00 2001
From: Thierry Reding <treding@xxxxxxxxxx>
Date: Wed, 21 Jan 2015 11:50:52 +0100
Subject: [PATCH] ata: libahci: Fix devres cleanup on failure

Commit c7d7ddee7e24 ("ata: libahci: Allow using multiple regulators")
releases regulators during ahci_platform_put_resources(). That doesn't
work because the function is run as part of the devres machinery. Such
resources are torn down in reverse order. Since the array that holds
pointers to the regulators is allocated using devres after the device
context to which ahci_platform_put_resources() is attached, the memory
will be freed before calling ahci_platform_put_resources() and thereby
causing a use-after-free error.

This commit fixes this by using regular allocations for the array. The
memory can then be freed after the regulators have been released. This
conserves the advantages of using the managed API.

Reported-by: Paul Walmsley <paul@xxxxxxxxx>
Signed-off-by: Thierry Reding <treding@xxxxxxxxxx>
---
 drivers/ata/libahci_platform.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c
index 73a086664ee7..504d534ccbfe 100644
--- a/drivers/ata/libahci_platform.c
+++ b/drivers/ata/libahci_platform.c
@@ -276,6 +276,7 @@ static void ahci_platform_put_resources(struct device *dev, void *res)
 		if (hpriv->target_pwrs && hpriv->target_pwrs[c])
 			regulator_put(hpriv->target_pwrs[c]);
 
+	kfree(hpriv->target_pwrs);
 }
 
 static int ahci_platform_get_phy(struct ahci_host_priv *hpriv, u32 port,
@@ -412,7 +413,7 @@ struct ahci_host_priv *ahci_platform_get_resources(struct platform_device *pdev)
 		goto err_out;
 	}
 	sz = hpriv->nports * sizeof(*hpriv->target_pwrs);
-	hpriv->target_pwrs = devm_kzalloc(dev, sz, GFP_KERNEL);
+	hpriv->target_pwrs = kzalloc(sz, GFP_KERNEL);
 	if (!hpriv->target_pwrs) {
 		rc = -ENOMEM;
 		goto err_out;
-- 
2.1.3

Attachment: pgpjBDZMrzZ3k.pgp
Description: PGP signature


[Index of Archives]     [Linux Filesystems]     [Linux SCSI]     [Linux RAID]     [Git]     [Kernel Newbies]     [Linux Newbie]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Samba]     [Device Mapper]

  Powered by Linux