Re: [PATCHv2 1/2] usb: dwc3: pci: use build-in properties instead of platform data

On 2/9/2016 5:51 AM, Heikki Krogerus wrote:
> Hi,
> 
>> I can reproduce this now when the device does not have primary fwnode
>> (of_node or ACPI). Everything seems to work fine if there is the
>> primary fwnode and when the build-in properties are used as the
>> secondary fwnode (fallback).
>>
>> This is a regression in drivers/base/property.c. Thanks for the
>> report. I'll try to prepare a fix for it today. I'll let you know
>> then so you can test it.
> 
> OK, I found a few problems with the fwnode handling. One problem is
> that ACPI_COMPANION_SET macro will simply clear the primary fwnode
> unconditionally without checking the fwnode type if NULL is passed to
> it as parameter.
> 
> Another problem is that the secondary fwnode will have ERR_PTR in
> some cases, I'm not completely sure why, but in any case,
> drivers/base/property.c is not considering that at all.
> 
> I've prepared a small diff where I solve temporarily the first issue
> by making sure the ACPI companion is set before the build-in
> properties are attached to the platform device, and the second issue
> quite simply by considering that the secondary fwnode may contain
> ERR_PTR.
> 
> It can be applied on top of the two patches. Please give it a try and
> let me know if it works for you.
> 


Hi Heikki,

The properties are now set using your patch.

However I get a use-after-free error when I unload the driver:

[  348.389334] ==================================================================
[  348.389352] BUG: KASAN: use-after-free in set_secondary_fwnode+0xc5/0xe0 at addr ffff88039dafd268
[  348.389357] Read of size 8 by task rmmod/2919
[  348.389361] =============================================================================
[  348.389367] BUG kmalloc-32 (Tainted: G    B          ): kasan: bad access detected
[  348.389370] -----------------------------------------------------------------------------
[  348.389370] 
[  348.389380] INFO: Allocated in device_add_property_set+0x5f/0x870 age=776 cpu=4 pid=2897
[  348.389385]  ___slab_alloc+0x4f6/0x520
[  348.389387]  __slab_alloc+0x51/0x90
[  348.389390]  kmem_cache_alloc_trace+0x25d/0x2e0
[  348.389394]  device_add_property_set+0x5f/0x870
[  348.389397]  platform_device_add_properties+0x12/0x20
[  348.389401]  dwc3_pci_quirks+0xc3/0x100 [dwc3_pci]
[  348.389404]  dwc3_pci_probe+0x24e/0x37c [dwc3_pci]
[  348.389410]  local_pci_probe+0xde/0x190
[  348.389413]  pci_device_probe+0x21d/0x2b0
[  348.389416]  driver_probe_device+0x21a/0xc30
[  348.389419]  __driver_attach+0x121/0x160
[  348.389422]  bus_for_each_dev+0x11f/0x1a0
[  348.389424]  driver_attach+0x3d/0x50
[  348.389427]  bus_add_driver+0x4c9/0x770
[  348.389430]  driver_register+0x18c/0x3b0
[  348.389433]  __pci_register_driver+0x13a/0x1e0
[  348.389437] INFO: Freed in pset_free_set+0x24c/0x320 age=0 cpu=2 pid=2919
[  348.389443]  __slab_free+0x175/0x280
[  348.389446]  kfree+0x269/0x280
[  348.389450]  pset_free_set+0x24c/0x320
[  348.389455]  device_remove_property_set+0xcf/0x100
[  348.389461]  platform_device_del+0x133/0x200
[  348.389466]  platform_device_unregister+0x12/0x30
[  348.389471]  dwc3_pci_remove+0x8c/0xf0 [dwc3_pci]
[  348.389477]  pci_device_remove+0xa2/0x1e0
[  348.389480]  __device_release_driver+0x176/0x3d0
[  348.389485]  driver_detach+0x189/0x200
[  348.389490]  bus_remove_driver+0xf2/0x2d0
[  348.389494]  driver_unregister+0x67/0xa0
[  348.389500]  pci_unregister_driver+0x2c/0xe0
[  348.389505]  dwc3_pci_driver_exit+0x10/0x14 [dwc3_pci]
[  348.389512]  SyS_delete_module+0x32e/0x3d0
[  348.389520]  entry_SYSCALL_64_fastpath+0x23/0xc1
[  348.389526] INFO: Slab 0xffffea000e76bf00 objects=24 used=17 fp=0xffff88039dafd260 flags=0x2ffff0000004080
[  348.389531] INFO: Object 0xffff88039dafd260 @offset=4704 fp=0xffff88039dafdb90
[  348.389531] 
[  348.389537] Bytes b4 ffff88039dafd250: 02 00 00 00 67 0b 00 00 42 2f 00 00 01 00 00 00  ....g...B/......
[  348.389540] Object ffff88039dafd260: 90 db af 9d 03 88 ff ff ed ff ff ff ff ff ff ff  ................
[  348.389543] Object ffff88039dafd270: 00 00 14 a4 03 88 ff ff 00 00 00 00 00 00 00 00  ................
[  348.389548] CPU: 2 PID: 2919 Comm: rmmod Tainted: G    B           4.5.0-rc2-next-20160208-snps-00002-gcb702ac-dirty #204
[  348.389550] Hardware name: BASE_BOARD_MANUFACTURER MODEL_NAME/151-SE-E777, BIOS 4.6.5 10/16/2014
[  348.389553]  ffffea000e76bf00 ffff88036415fb58 ffffffff81b61a81 ffff8803ae404480
[  348.389558]  ffff88039dafd260 ffff88036415fb88 ffffffff81594a52 ffff8803ae404480
[  348.389562]  ffffea000e76bf00 ffff88039dafd260 ffff8800b3324050 ffff88036415fbb0
[  348.389567] Call Trace:
[  348.389572]  [<ffffffff81b61a81>] dump_stack+0x85/0xc4
[  348.389578]  [<ffffffff81594a52>] print_trailer+0x112/0x1a0
[  348.389581]  [<ffffffff8159b3d4>] object_err+0x34/0x40
[  348.389584]  [<ffffffff8159db30>] kasan_report_error+0x230/0x550
[  348.389588]  [<ffffffff81f677ec>] ? pset_free_set+0x24c/0x320
[  348.389592]  [<ffffffff8159df83>] __asan_report_load8_noabort+0x43/0x50
[  348.389595]  [<ffffffff81f53735>] ? set_secondary_fwnode+0xc5/0xe0
[  348.389599]  [<ffffffff81f53735>] set_secondary_fwnode+0xc5/0xe0
[  348.389603]  [<ffffffff81f67a79>] device_remove_property_set+0xb9/0x100
[  348.389606]  [<ffffffff81f5f823>] platform_device_del+0x133/0x200
[  348.389610]  [<ffffffff81f5f902>] platform_device_unregister+0x12/0x30
[  348.389613]  [<ffffffffc07e008c>] dwc3_pci_remove+0x8c/0xf0 [dwc3_pci]
[  348.389617]  [<ffffffff81c699b2>] pci_device_remove+0xa2/0x1e0
[  348.389620]  [<ffffffff81f59066>] __device_release_driver+0x176/0x3d0
[  348.389623]  [<ffffffff81f5ad99>] driver_detach+0x189/0x200
[  348.389627]  [<ffffffff81f58272>] bus_remove_driver+0xf2/0x2d0
[  348.389630]  [<ffffffff82944c0e>] ? mutex_unlock+0xe/0x10
[  348.389634]  [<ffffffff81f5c477>] driver_unregister+0x67/0xa0
[  348.389637]  [<ffffffff81c641bc>] pci_unregister_driver+0x2c/0xe0
[  348.389641]  [<ffffffffc07e057c>] dwc3_pci_driver_exit+0x10/0x14 [dwc3_pci]
[  348.389645]  [<ffffffff812feb2e>] SyS_delete_module+0x32e/0x3d0
[  348.389648]  [<ffffffff812fe800>] ? free_module+0x940/0x940
[  348.389653]  [<ffffffff8100480f>] ? exit_to_usermode_loop+0x6f/0x140
[  348.389656]  [<ffffffff81004017>] ? trace_hardirqs_on_thunk+0x17/0x19
[  348.389660]  [<ffffffff8294c780>] entry_SYSCALL_64_fastpath+0x23/0xc1
[  348.389663] Memory state around the buggy address:
[  348.389666]  ffff88039dafd100: fc fc fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[  348.389668]  ffff88039dafd180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  348.389671] >ffff88039dafd200: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fb
[  348.389673]                                                           ^
[  348.389676]  ffff88039dafd280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  348.389678]  ffff88039dafd300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  348.389680] ==================================================================


Regards,
John
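
One way to read the report above, as an added example that is not part of the original message or of the kernel tree: the script extracts the access site, the allocating and freeing functions, and the innermost function common to the free path and the access path from lines copied out of the trace. `triage` is a hypothetical helper name.

```python
import re

# Lines copied from the KASAN report above (timestamps and most frames trimmed).
REPORT = """\
BUG: KASAN: use-after-free in set_secondary_fwnode+0xc5/0xe0 at addr ffff88039dafd268
Read of size 8 by task rmmod/2919
INFO: Allocated in device_add_property_set+0x5f/0x870 age=776 cpu=4 pid=2897
 device_add_property_set+0x5f/0x870
INFO: Freed in pset_free_set+0x24c/0x320 age=0 cpu=2 pid=2919
 kfree+0x269/0x280
 pset_free_set+0x24c/0x320
 device_remove_property_set+0xcf/0x100
 platform_device_del+0x133/0x200
INFO: Object 0xffff88039dafd260 @offset=4704 fp=0xffff88039dafdb90
Call Trace:
 [<ffffffff81f53735>] ? set_secondary_fwnode+0xc5/0xe0
 [<ffffffff81f53735>] set_secondary_fwnode+0xc5/0xe0
 [<ffffffff81f67a79>] device_remove_property_set+0xb9/0x100
"""
# One stack frame: optional [<addr>], optional '?' (unreliable frame), symbol+off/size.
FRAME = re.compile(r"\s+(?:\[<[0-9a-f]+>\]\s+)?(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def triage(report):
    """Summarise a SLUB-style KASAN use-after-free report (hypothetical helper)."""
    r = {"alloc": [], "free": [], "access": []}
    section = None
    for raw in report.splitlines():
        line = re.sub(r"^\[\s*\d+\.\d+\]", "", raw)  # drop dmesg timestamp if present
        if m := re.search(r"KASAN: (\S+) in ([\w.]+)\+\S+ at addr ([0-9a-f]+)", line):
            r["kind"], r["site"], r["addr"] = m[1], m[2], int(m[3], 16)
        elif m := re.search(r"by task \S+/(\d+)", line):
            r["task_pid"] = int(m[1])
        elif m := re.search(r"INFO: (Allocated|Freed) in ([\w.]+)\+.* pid=(\d+)", line):
            section = "alloc" if m[1] == "Allocated" else "free"
            r[section + "_fn"], r[section + "_pid"] = m[2], int(m[3])
        elif m := re.search(r"INFO: Object 0x([0-9a-f]+)", line):
            r["object"], section = int(m[1], 16), None
        elif "Call Trace:" in line:
            section = "access"
        elif section and (m := FRAME.match(line)) and not m[1]:
            r[section].append(m[2])
    r["offset"] = r["addr"] - r["object"]            # byte offset of the stale read
    # Innermost function that is on both the freeing path and the accessing path.
    r["common_caller"] = next((f for f in r["access"][1:] if f in r["free"]), None)
    r["same_task"] = r["task_pid"] == r["free_pid"]
    return r

if __name__ == "__main__":
    print(triage(REPORT))
```

For this report the free and the stale read share `device_remove_property_set` and the same task (rmmod, pid 2919), which is consistent with a teardown-ordering problem inside that function.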