Re: Crash with "ata: ahci_platform: convert kcalloc to devm_kcalloc"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 07/16/2018 05:55 PM, LABBE Corentin wrote:
On Mon, Jul 16, 2018 at 04:11:44PM +0300, Mikko Perttunen wrote:
Hello,

the recently applied "ata: ahci_platform: convert kcalloc to
devm_kcalloc" seems to be causing boot failures on Tegra124 Jetson TK1.
The patch is as follows:

diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c
index be9f54423a9b..fe8939e161ea 100644
--- a/drivers/ata/libahci_platform.c
+++ b/drivers/ata/libahci_platform.c
@@ -271,8 +271,6 @@ static void ahci_platform_put_resources(struct
device *dev, void *res)
          for (c = 0; c < hpriv->nports; c++)
                  if (hpriv->target_pwrs && hpriv->target_pwrs[c])
                          regulator_put(hpriv->target_pwrs[c]);
-
-       kfree(hpriv->target_pwrs);
   }

   static int ahci_platform_get_phy(struct ahci_host_priv *hpriv, u32 port,
@@ -408,7 +406,7 @@ struct ahci_host_priv
*ahci_platform_get_resources(struct platform_device *pdev)
                  rc = -ENOMEM;
                  goto err_out;
          }
-       hpriv->target_pwrs = kcalloc(hpriv->nports,
sizeof(*hpriv->target_pwrs), GFP_KERNEL);
+       hpriv->target_pwrs = devm_kcalloc(dev, hpriv->nports,
sizeof(*hpriv->target_pwrs), GFP_KERNEL);
          if (!hpriv->target_pwrs) {
                  rc = -ENOMEM;
                  goto err_out;

However, this is not valid, as it will cause hpriv->target_pwrs to be
freed before ahci_platform_put_resources is called. With the older code,
the free happened intentionally only after the regulator_put calls were
done.


Hello

I am surprised, since I have tested all my AHCI patch on a Tegra124 Jetson TK1.
Could you print the boot crash ?

I don't have the crash log in front of me now (can get it to you tomorrow), but basically it was ahci_platform_put_resources calling eventually _regulator_put which was dereferencing 0x6b6b6bbf, quite clearly an offset of 0x6b6b6b6b which is the use-after-free poison.

It actually only happens on tegra_defconfig -- I assume there's some different dependency situation that doesn't happen on multi_v7_defconfig, that causes ahci-tegra to defer probe, causing the error path to be triggered.

Thanks,
Mikko


Regards
--
To unsubscribe from this list: send the line "unsubscribe linux-tegra" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
To unsubscribe from this list: send the line "unsubscribe linux-ide" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Filesystems]     [Linux SCSI]     [Linux RAID]     [Git]     [Kernel Newbies]     [Linux Newbie]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Samba]     [Device Mapper]

  Powered by Linux