1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
From 5ae4c4ac2d992afcf4087e5f33ad7e5f7d073fbf Mon Sep 17 00:00:00 2001
From: Claudiu Manoil <claudiu.manoil@nxp.com>
Date: Wed, 4 Dec 2019 14:36:09 +0200
Subject: [PATCH] net: dsa: felix: Fix probing allocation and cleanup path
dsa_switch_alloc() uses managed (devm_alloc) allocation
to alloc 'ds'. kfree()-ing 'ds' results in memory corruption.
kfree(ds) seems harmless on the error path, however for this
particular device, dsa_register_swtich() deffers probing to
allow the enetc driver to probe the master port first.
This results in kfree(ds) being called during the first
probing attempt of felix, followed by a NULL poiter access
crash during enetc driver probing (when accessing its net_device).
This patch fixes following crash (triggerred in the enetc driver by
the probing routine of the felix driver):
[ 3.502254] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 3.511073] Mem abort info:
[ 3.513874] ESR = 0x96000044
[ 3.516936] EC = 0x25: DABT (current EL), IL = 32 bits
[ 3.522266] SET = 0, FnV = 0
[ 3.525327] EA = 0, S1PTW = 0
[ 3.528476] Data abort info:
[ 3.531359] ISV = 0, ISS = 0x00000044
[ 3.535205] CM = 0, WnR = 1
[ 3.538182] user pgtable: 4k pages, 48-bit VAs, pgdp=00000020f612d000
[ 3.544645] [0000000000000000] pgd=0000000000000000
[ 3.549542] Internal error: Oops: 96000044 [#1] PREEMPT SMP
[ 3.555128] Modules linked in:
[ 3.558189] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.4.0-03552-gfa6e1cd69f80 #1
[ 3.565781] Hardware name: LS1028A RDB Board (DT)
[ 3.570496] pstate: a0000005 (NzCv daif -PAN -UAO)
[ 3.575303] pc : enetc_pf_probe+0x784/0xba8
[ 3.579495] lr : enetc_pf_probe+0x6e8/0xba8
[ 3.583686] sp : ffff80001002ba90
[ 3.587005] x29: ffff80001002ba90 x28: ffff002076130c08
[ 3.592331] x27: 0000000000000002 x26: ffff002076130c80
[ 3.597657] x25: ffff002076130c00 x24: ffff002076130c80
[ 3.602982] x23: ffffb3f2ab0ec000 x22: ffff0020760d7840
[ 3.608307] x21: ffff0020760d7000 x20: ffff002076130c00
[ 3.613632] x19: ffff800010850000 x18: ffffffffffffffff
[ 3.618957] x17: 000000007dee1586 x16: 00000000cb746ba4
[ 3.624282] x15: ffffb3f2abce9908 x14: 0000000000000000
[ 3.629608] x13: 0000000000000101 x12: 0000000000010000
[ 3.634933] x11: 00000000ffffffff x10: ffff4c2dd0136000
[ 3.640257] x9 : 0000000000000000 x8 : ffff002076122000
[ 3.645582] x7 : 0000000000000000 x6 : 000000000000003f
[ 3.650908] x5 : 0000000000000040 x4 : 0000000000000001
[ 3.656234] x3 : ffff800010850000 x2 : ffffb3f2ab0ed868
[ 3.661560] x1 : 0000000000000000 x0 : 00000000051ca556
[ 3.666886] Call trace:
[ 3.669333] enetc_pf_probe+0x784/0xba8
[ 3.673178] local_pci_probe+0x3c/0xa0
[ 3.676935] pci_device_probe+0x128/0x1c0
[ 3.680954] really_probe+0x108/0x348
[ 3.684623] driver_probe_device+0x58/0x100
[ 3.688815] device_driver_attach+0x6c/0x90
[ 3.693006] __driver_attach+0x84/0xc8
[ 3.696762] bus_for_each_dev+0x74/0xc8
[ 3.700605] driver_attach+0x20/0x28
[ 3.704186] bus_add_driver+0x148/0x1f0
[ 3.708029] driver_register+0x60/0x110
[ 3.711872] __pci_register_driver+0x40/0x48
[ 3.716153] enetc_pf_driver_init+0x20/0x28
[ 3.720346] do_one_initcall+0x5c/0x1b0
[ 3.724189] kernel_init_freeable+0x1a4/0x24c
[ 3.728557] kernel_init+0x10/0x108
[ 3.732052] ret_from_fork+0x10/0x18
[ 3.735635] Code: f9400680 f9417ea1 91020000 b9400000 (b9000020)
[ 3.741749] ---[ end trace c8ab43e3d33fed3f ]---
[ 3.746396] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[ 3.748522] ata1: SATA link down (SStatus 0 SControl 300)
[ 3.754077] SMP: stopping secondary CPUs
[ 3.754082] Kernel Offset: 0x33f299c00000 from 0xffff800010000000
[ 3.754083] PHYS_OFFSET: 0xfffff019c0000000
[ 3.754086] CPU features: 0x0002,21806008
[ 3.754088] Memory Limit: none
[ 3.780794] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---
As a result of the fix, struct felix allocation also needs to
be converted to managed allocation (devm_alloc).
Fixes: bb849431a970 ("net: dsa: ocelot: alloc memory for dsa switch instance")
Signed-off-by: Claudiu Manoil <claudiu.manoil@nxp.com>
---
drivers/net/dsa/ocelot/felix.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
--- a/drivers/net/dsa/ocelot/felix.c
+++ b/drivers/net/dsa/ocelot/felix.c
@@ -485,7 +485,7 @@ static int felix_pci_probe(struct pci_de
}
}
- felix = kzalloc(sizeof(struct felix), GFP_KERNEL);
+ felix = devm_kzalloc(&pdev->dev, sizeof(*felix), GFP_KERNEL);
if (!felix) {
err = -ENOMEM;
dev_err(&pdev->dev, "Failed to allocate driver memory\n");
@@ -532,11 +532,9 @@ static int felix_pci_probe(struct pci_de
return 0;
err_register_ds:
- kfree(ds);
err_alloc_ds:
err_alloc_irq:
err_alloc_felix:
- kfree(felix);
err_dma:
pci_disable_device(pdev);
err_pci_enable:
@@ -551,9 +549,6 @@ static void felix_pci_remove(struct pci_
dsa_unregister_switch(felix->ds);
- kfree(felix->ds);
- kfree(felix);
-
pci_disable_device(pdev);
}
|
