On Mon, Jul 16, 2018 at 06:33:52PM +0300, Mikko Perttunen wrote: > > > On 07/16/2018 05:55 PM, LABBE Corentin wrote: > > On Mon, Jul 16, 2018 at 04:11:44PM +0300, Mikko Perttunen wrote: > >> Hello, > >> > >> the recently applied "ata: ahci_platform: convert kcalloc to > >> devm_kcalloc" seems to be causing boot failures on Tegra124 Jetson TK1. > >> The patch is as follows: > >> > >> diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c > >> index be9f54423a9b..fe8939e161ea 100644 > >> --- a/drivers/ata/libahci_platform.c > >> +++ b/drivers/ata/libahci_platform.c > >> @@ -271,8 +271,6 @@ static void ahci_platform_put_resources(struct > >> device *dev, void *res) > >> for (c = 0; c < hpriv->nports; c++) > >> if (hpriv->target_pwrs && hpriv->target_pwrs[c]) > >> regulator_put(hpriv->target_pwrs[c]); > >> - > >> - kfree(hpriv->target_pwrs); > >> } > >> > >> static int ahci_platform_get_phy(struct ahci_host_priv *hpriv, u32 port, > >> @@ -408,7 +406,7 @@ struct ahci_host_priv > >> *ahci_platform_get_resources(struct platform_device *pdev) > >> rc = -ENOMEM; > >> goto err_out; > >> } > >> - hpriv->target_pwrs = kcalloc(hpriv->nports, > >> sizeof(*hpriv->target_pwrs), GFP_KERNEL); > >> + hpriv->target_pwrs = devm_kcalloc(dev, hpriv->nports, > >> sizeof(*hpriv->target_pwrs), GFP_KERNEL); > >> if (!hpriv->target_pwrs) { > >> rc = -ENOMEM; > >> goto err_out; > >> > >> However, this is not valid, as it will cause hpriv->target_pwrs to be > >> freed before ahci_platform_put_resources is called. With the older code, > >> the free happened intentionally only after the regulator_put calls were > >> done. > >> > > > > Hello > > > > I am surprised, since I have tested all my AHCI patch on a Tegra124 Jetson TK1. > > Could you print the boot crash ? > > I don't have the crash log in front of me now (can get it to you > tomorrow), but basically it was ahci_platform_put_resources calling > eventually _regulator_put which was dereferencing 0x6b6b6bbf, quite > clearly an offset of 0x6b6b6b6b which is the use-after-free poison. > > It actually only happens on tegra_defconfig -- I assume there's some > different dependency situation that doesn't happen on > multi_v7_defconfig, that causes ahci-tegra to defer probe, causing the > error path to be triggered. > I have just checked on kernelci.org, and see what you said. And yes it was the PHY defer which cause this, and explains why I didnt hit the case (I was not using defconfig). I will send a commit that revert the change add add a warning on why it must remains a simple kcalloc. Thanks Regards -- To unsubscribe from this list: send the line "unsubscribe linux-ide" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html