Message ID | 20200903160237.932818-1-maz@kernel.org (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | mfd: syscon: Don't free allocated name for regmap_config | expand |
On Thu, 03 Sep 2020, Marc Zyngier wrote: > The name allocated for the regmap_config structure is freed > pretty early, right after the registration of the MMIO region. > > Unfortunately, that doesn't follow the life cycle that debugfs > expects, as it can access the name field long after the free > has occured. > > Move the free on the error path, and keep it forever otherwise. > > Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config") > Signed-off-by: Marc Zyngier <maz@kernel.org> > --- > drivers/mfd/syscon.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Does this work for you Suman, Arnd? > diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c > index 75859e492984..7a660411c562 100644 > --- a/drivers/mfd/syscon.c > +++ b/drivers/mfd/syscon.c > @@ -108,7 +108,6 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk) > syscon_config.max_register = resource_size(&res) - reg_io_width; > > regmap = regmap_init_mmio(NULL, base, &syscon_config); > - kfree(syscon_config.name); > if (IS_ERR(regmap)) { > pr_err("regmap init failed\n"); > ret = PTR_ERR(regmap); > @@ -145,6 +144,7 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk) > regmap_exit(regmap); > err_regmap: > iounmap(base); > + kfree(syscon_config.name); > err_map: > kfree(syscon); > return ERR_PTR(ret);
On Thu, 03 Sep 2020, Marc Zyngier wrote: > The name allocated for the regmap_config structure is freed > pretty early, right after the registration of the MMIO region. > > Unfortunately, that doesn't follow the life cycle that debugfs > expects, as it can access the name field long after the free > has occured. > > Move the free on the error path, and keep it forever otherwise. > > Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config") > Signed-off-by: Marc Zyngier <maz@kernel.org> > --- > drivers/mfd/syscon.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Fixed the spelling mistake and applied, thanks.
On 9/24/20 7:39 AM, Lee Jones wrote: > On Thu, 03 Sep 2020, Marc Zyngier wrote: > >> The name allocated for the regmap_config structure is freed >> pretty early, right after the registration of the MMIO region. >> >> Unfortunately, that doesn't follow the life cycle that debugfs >> expects, as it can access the name field long after the free >> has occured. >> >> Move the free on the error path, and keep it forever otherwise. >> >> Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config") >> Signed-off-by: Marc Zyngier <maz@kernel.org> >> --- >> drivers/mfd/syscon.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) > > Fixed the spelling mistake and applied, thanks. > Marc, Can you recheck the behavior once on the latest master to see if this patch is still needed? I see a new patch within the regmap core that is dealing with the delayed debugfs registration name. This follows the similar design logic I suggested on your initial submission [1]. Please see commit 94cc89eb8fa5 ("regmap: debugfs: Fix handling of name string for debugfs init delays") in mainline. Lee, I haven't seen this patch in -next yet, so maybe worthwhile to hold it a little longer. regards Suman [1] https://patchwork.kernel.org/comment/23575471/
On Fri, 25 Sep 2020, Suman Anna wrote: > On 9/24/20 7:39 AM, Lee Jones wrote: > > On Thu, 03 Sep 2020, Marc Zyngier wrote: > > > >> The name allocated for the regmap_config structure is freed > >> pretty early, right after the registration of the MMIO region. > >> > >> Unfortunately, that doesn't follow the life cycle that debugfs > >> expects, as it can access the name field long after the free > >> has occured. > >> > >> Move the free on the error path, and keep it forever otherwise. > >> > >> Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config") > >> Signed-off-by: Marc Zyngier <maz@kernel.org> > >> --- > >> drivers/mfd/syscon.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > > > > Fixed the spelling mistake and applied, thanks. > > > > Marc, > Can you recheck the behavior once on the latest master to see if this patch is > still needed? I see a new patch within the regmap core that is dealing with the > delayed debugfs registration name. This follows the similar design logic I > suggested on your initial submission [1]. > > Please see commit 94cc89eb8fa5 ("regmap: debugfs: Fix handling of name string > for debugfs init delays") in mainline. > > Lee, > I haven't seen this patch in -next yet, so maybe worthwhile to hold it a little > longer. It's already applied. If the lines become superfluous please submit a subsequent patch.
Hi Marc, On 03/09/2020 19:02, Marc Zyngier wrote: > The name allocated for the regmap_config structure is freed > pretty early, right after the registration of the MMIO region. > > Unfortunately, that doesn't follow the life cycle that debugfs > expects, as it can access the name field long after the free > has occured. > > Move the free on the error path, and keep it forever otherwise. > > Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config") > Signed-off-by: Marc Zyngier <maz@kernel.org> > --- > drivers/mfd/syscon.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c > index 75859e492984..7a660411c562 100644 > --- a/drivers/mfd/syscon.c > +++ b/drivers/mfd/syscon.c > @@ -108,7 +108,6 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk) > syscon_config.max_register = resource_size(&res) - reg_io_width; > > regmap = regmap_init_mmio(NULL, base, &syscon_config); > - kfree(syscon_config.name); > if (IS_ERR(regmap)) { > pr_err("regmap init failed\n"); > ret = PTR_ERR(regmap); > @@ -145,6 +144,7 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk) > regmap_exit(regmap); > err_regmap: > iounmap(base); > + kfree(syscon_config.name); > err_map: > kfree(syscon); > return ERR_PTR(ret); > This patch causes lots of kmemleak reports, for example: unreferenced object 0xc8e6f000 (size 64): comm "kworker/1:1", pid 22, jiffies 4294938454 (age 95.540s) hex dump (first 32 bytes): 64 73 70 5f 73 79 73 74 65 6d 40 34 30 64 30 30 dsp_system@40d00 30 30 30 00 e0 09 4d c1 ac 1b 4d c1 64 74 4c c1 000...M...M.dtL. backtrace: [<(ptrval)>] __kmalloc_track_caller+0x2bc/0x418 [<(ptrval)>] kvasprintf+0x9c/0x124 [<(ptrval)>] kasprintf+0x70/0xac [<(ptrval)>] of_syscon_register+0x1f0/0x4f0 [<(ptrval)>] device_node_get_regmap+0x12c/0x158 [<(ptrval)>] syscon_regmap_lookup_by_phandle+0x5c/0x6c [<(ptrval)>] omap_iommu_probe+0x6ac/0xc28 [<(ptrval)>] platform_probe+0x120/0x1e0 [<(ptrval)>] really_probe+0x2b4/0x121c [<(ptrval)>] driver_probe_device+0x10c/0x4c0 [<(ptrval)>] __device_attach_driver+0x1d8/0x26c [<(ptrval)>] bus_for_each_drv+0x174/0x200 [<(ptrval)>] __device_attach+0x2f0/0x45c [<(ptrval)>] device_initial_probe+0x1c/0x20 [<(ptrval)>] bus_probe_device+0x224/0x2b8 [<(ptrval)>] device_add+0xad0/0x1e18 Tomi
Hi Tomi, On Tue, 16 Feb 2021 06:34:50 +0000, Tomi Valkeinen <tomi.valkeinen@ideasonboard.com> wrote: > > Hi Marc, > > On 03/09/2020 19:02, Marc Zyngier wrote: > > The name allocated for the regmap_config structure is freed > > pretty early, right after the registration of the MMIO region. > > > > Unfortunately, that doesn't follow the life cycle that debugfs > > expects, as it can access the name field long after the free > > has occured. > > > > Move the free on the error path, and keep it forever otherwise. > > > > Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config") > > Signed-off-by: Marc Zyngier <maz@kernel.org> > > --- > > drivers/mfd/syscon.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c > > index 75859e492984..7a660411c562 100644 > > --- a/drivers/mfd/syscon.c > > +++ b/drivers/mfd/syscon.c > > @@ -108,7 +108,6 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk) > > syscon_config.max_register = resource_size(&res) - reg_io_width; > > > > regmap = regmap_init_mmio(NULL, base, &syscon_config); > > - kfree(syscon_config.name); > > if (IS_ERR(regmap)) { > > pr_err("regmap init failed\n"); > > ret = PTR_ERR(regmap); > > @@ -145,6 +144,7 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk) > > regmap_exit(regmap); > > err_regmap: > > iounmap(base); > > + kfree(syscon_config.name); > > err_map: > > kfree(syscon); > > return ERR_PTR(ret); > > > > This patch causes lots of kmemleak reports, for example: It may trigger some kmemleak reports, but at the time it was written, this patch avoided some very nasty memory corruption with debugfs. The problem is that the memory management responsibilities between syscon, regmap and debugfs are rather obscure. If you can come up with an accurate description of the life cycle of syscon_config.name across these 3 subsystems, we may be able to fix it for good. Thanks, M.
diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c index 75859e492984..7a660411c562 100644 --- a/drivers/mfd/syscon.c +++ b/drivers/mfd/syscon.c @@ -108,7 +108,6 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk) syscon_config.max_register = resource_size(&res) - reg_io_width; regmap = regmap_init_mmio(NULL, base, &syscon_config); - kfree(syscon_config.name); if (IS_ERR(regmap)) { pr_err("regmap init failed\n"); ret = PTR_ERR(regmap); @@ -145,6 +144,7 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk) regmap_exit(regmap); err_regmap: iounmap(base); + kfree(syscon_config.name); err_map: kfree(syscon); return ERR_PTR(ret);
The name allocated for the regmap_config structure is freed pretty early, right after the registration of the MMIO region. Unfortunately, that doesn't follow the life cycle that debugfs expects, as it can access the name field long after the free has occured. Move the free on the error path, and keep it forever otherwise. Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config") Signed-off-by: Marc Zyngier <maz@kernel.org> --- drivers/mfd/syscon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)