From patchwork Sun Mar 5 23:36:00 2017
X-Patchwork-Submitter: Guenter Roeck
X-Patchwork-Id: 9604821
From: Guenter Roeck
To: Michal Simek
Subject: [PATCH] block: systemace: Fix refcount underflow in error handler
Date: Sun, 5 Mar 2017 15:36:00 -0800
Message-Id: <1488756960-3659-1-git-send-email-linux@roeck-us.net>
Cc: Guenter Roeck, linux-arm-kernel@lists.infradead.org, Sören Brinkmann, linux-kernel@vger.kernel.org

Since commit 29dee3c03abc ("locking/refcounts: Out-of-line everything"),
the following runtime warning is seen if xsysace fails to initialize.
The commit only exposes the problem.

refcount_t: underflow; use-after-free.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at lib/refcount.c:128 refcount_sub_and_test+0x90/0xd0
Modules linked in:
CPU: 0 PID: 1 Comm: swapper Not tainted 4.11.0-rc1+ #1
task: cf81d5a0 task.stack: cf81e000
NIP: c02104d0 LR: c02104d0 CTR: c0279d90
REGS: cf81fc80 TRAP: 0700 Not tainted (4.11.0-rc1+)
MSR: 00029000 CR: 24000022 XER: 00000000
GPR00: c02104d0 cf81fd30 cf81d5a0 00000026 00000000 00000000 c027a7f0 00000000
GPR08: c05412dc 00000800 00000000 00000000 24000024 00000000 c0001ad0 00000000
GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 c054b3c0 c0550000
GPR24: 00000000 00000001 cf95a010 00000015 00000000 00000000 cfb2b2c0 cfb2b0e8
NIP [c02104d0] refcount_sub_and_test+0x90/0xd0
LR [c02104d0] refcount_sub_and_test+0x90/0xd0
Call Trace:
[cf81fd30] [c02104d0] refcount_sub_and_test+0x90/0xd0 (unreliable)
[cf81fd40] [c01f68c4] kobject_put+0x34/0x90
[cf81fd50] [c01cef64] blk_cleanup_queue+0x164/0x1e0
[cf81fd60] [c02acab0] ace_probe+0x4c0/0x510
[cf81fda0] [c0293b64] platform_drv_probe+0x44/0xc0
[cf81fdc0] [c0291974] driver_probe_device+0x234/0x340
[cf81fdf0] [c0291b4c] __driver_attach+0xcc/0xd0
[cf81fe10] [c028f4d8] bus_for_each_dev+0x68/0xc0
[cf81fe40] [c0290d18] bus_add_driver+0x208/0x280
[cf81fe60] [c0292678] driver_register+0x88/0x140
[cf81fe70] [c050ce24] ace_init+0x48/0xa4
[cf81fe90] [c0001350] do_one_initcall+0x40/0x180
[cf81fef0] [c04f3ae0] kernel_init_freeable+0x134/0x1d0
[cf81ff30] [c0001ae4] kernel_init+0x14/0x110
[cf81ff40] [c000c3d0] ret_from_kernel_thread+0x5c/0x64

Debugging shows that blk_put_queue() is called twice during error handling,
once from disk_release() (called from put_disk) and once from
blk_cleanup_queue(). disk_release() only calls blk_put_queue() if the queue
pointer is initialized, so moving the initialization of gd->queue avoids the
problem.

Signed-off-by: Guenter Roeck
Acked-by: Michal Simek
---
 drivers/block/xsysace.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/block/xsysace.c b/drivers/block/xsysace.c index 757dce2147e0..a22b38968930 100644 --- a/drivers/block/xsysace.c +++ b/drivers/block/xsysace.c @@ -1004,7 +1004,6 @@ static int ace_setup(struct ace_device *ace) ace->gd->major = ace_major; ace->gd->first_minor = ace->id * ACE_NUM_MINORS; ace->gd->fops = &ace_fops; - ace->gd->queue = ace->queue; ace->gd->private_data = ace; snprintf(ace->gd->disk_name, 32, "xs%c", ace->id + 'a'); @@ -1032,6 +1031,8 @@ static int ace_setup(struct ace_device *ace) ace_out(ace, ACE_CTRL, ACE_CTRL_FORCECFGMODE | ACE_CTRL_DATABUFRDYIRQ | ACE_CTRL_ERRORIRQ); + ace->gd->queue = ace->queue; + /* Now we can hook up the irq handler */ if (ace->irq) { rc = request_irq(ace->irq, ace_interrupt, 0, "systemace", ace);
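Review bot: In the first hunk (@@ -1004), removing `ace->gd->queue = ace->queue;` from the gendisk field setup leaves gd->queue unset for everything that runs between this point and the second hunk, and those intervening lines are not part of the diff context. Please confirm that nothing in that window reads ace->gd->queue, and say so in the commit message, since the fix depends on the pointer staying NULL across every error exit in that range.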
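Review bot: In the second hunk (@@ -1032), the relocated `ace->gd->queue = ace->queue;` sits directly above `rc = request_irq(ace->irq, ace_interrupt, 0, "systemace", ace);`, so the queue pointer is already set when that call can still fail. If a non-zero rc there reaches an error exit that calls put_disk() and blk_cleanup_queue(), the double blk_put_queue() described in the commit message comes back; either confirm that the request_irq() failure path does not unwind, or move the assignment below the last point that can fail. The placement is also order-sensitive with nothing in the code to say so; a short comment above the assignment noting that disk_release() puts the queue once gd->queue is set would keep a later cleanup from moving it back up.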