mfd: syscon: Don't free allocated name for regmap_config

Message ID	20200903160237.932818-1-maz@kernel.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=t8P7=CM=lists.infradead.org=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 0293F20716 From: Marc Zyngier <maz@kernel.org> To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org Subject: [PATCH] mfd: syscon: Don't free allocated name for regmap_config Date: Thu, 3 Sep 2020 17:02:37 +0100 Message-Id: <20200903160237.932818-1-maz@kernel.org> MIME-Version: 1.0 summary: Content analysis details: (-5.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high trust [198.145.29.99 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.0 DKIMWL_WL_HIGH DKIMwl.org - Whitelisted High sender Precedence: list Cc: kernel-team@android.com, Lee Jones <lee.jones@linaro.org>, Arnd Bergmann <arnd@arndb.de> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org> Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
Series	mfd: syscon: Don't free allocated name for regmap_config \| expand mfd: syscon: Don't free allocated name for regmap_config

Marc Zyngier Sept. 3, 2020, 4:02 p.m. UTC

The name allocated for the regmap_config structure is freed
pretty early, right after the registration of the MMIO region.

Unfortunately, that doesn't follow the life cycle that debugfs
expects, as it can access the name field long after the free
has occured.

Move the free on the error path, and keep it forever otherwise.

Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
Signed-off-by: Marc Zyngier <maz@kernel.org>
---
 drivers/mfd/syscon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Lee Jones Sept. 8, 2020, 8:22 a.m. UTC | #1

On Thu, 03 Sep 2020, Marc Zyngier wrote:

> The name allocated for the regmap_config structure is freed
> pretty early, right after the registration of the MMIO region.
> 
> Unfortunately, that doesn't follow the life cycle that debugfs
> expects, as it can access the name field long after the free
> has occured.
> 
> Move the free on the error path, and keep it forever otherwise.
> 
> Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
> Signed-off-by: Marc Zyngier <maz@kernel.org>
> ---
>  drivers/mfd/syscon.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Does this work for you Suman, Arnd?

> diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c
> index 75859e492984..7a660411c562 100644
> --- a/drivers/mfd/syscon.c
> +++ b/drivers/mfd/syscon.c
> @@ -108,7 +108,6 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
>  	syscon_config.max_register = resource_size(&res) - reg_io_width;
>  
>  	regmap = regmap_init_mmio(NULL, base, &syscon_config);
> -	kfree(syscon_config.name);
>  	if (IS_ERR(regmap)) {
>  		pr_err("regmap init failed\n");
>  		ret = PTR_ERR(regmap);
> @@ -145,6 +144,7 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
>  	regmap_exit(regmap);
>  err_regmap:
>  	iounmap(base);
> +	kfree(syscon_config.name);
>  err_map:
>  	kfree(syscon);
>  	return ERR_PTR(ret);

Lee Jones Sept. 24, 2020, 12:39 p.m. UTC | #2

On Thu, 03 Sep 2020, Marc Zyngier wrote:

> The name allocated for the regmap_config structure is freed
> pretty early, right after the registration of the MMIO region.
> 
> Unfortunately, that doesn't follow the life cycle that debugfs
> expects, as it can access the name field long after the free
> has occured.
> 
> Move the free on the error path, and keep it forever otherwise.
> 
> Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
> Signed-off-by: Marc Zyngier <maz@kernel.org>
> ---
>  drivers/mfd/syscon.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Fixed the spelling mistake and applied, thanks.

Suman Anna Sept. 26, 2020, 12:28 a.m. UTC | #3

On 9/24/20 7:39 AM, Lee Jones wrote:
> On Thu, 03 Sep 2020, Marc Zyngier wrote:
> 
>> The name allocated for the regmap_config structure is freed
>> pretty early, right after the registration of the MMIO region.
>>
>> Unfortunately, that doesn't follow the life cycle that debugfs
>> expects, as it can access the name field long after the free
>> has occured.
>>
>> Move the free on the error path, and keep it forever otherwise.
>>
>> Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
>> Signed-off-by: Marc Zyngier <maz@kernel.org>
>> ---
>>  drivers/mfd/syscon.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> Fixed the spelling mistake and applied, thanks.
> 

Marc,
Can you recheck the behavior once on the latest master to see if this patch is
still needed? I see a new patch within the regmap core that is dealing with the
delayed debugfs registration name. This follows the similar design logic I
suggested on your initial submission [1].

Please see commit 94cc89eb8fa5 ("regmap: debugfs: Fix handling of name string
for debugfs init delays") in mainline.

Lee,
I haven't seen this patch in -next yet, so maybe worthwhile to hold it a little
longer.

regards
Suman

[1] https://patchwork.kernel.org/comment/23575471/

Lee Jones Sept. 28, 2020, 9:19 a.m. UTC | #4

On Fri, 25 Sep 2020, Suman Anna wrote:

> On 9/24/20 7:39 AM, Lee Jones wrote:
> > On Thu, 03 Sep 2020, Marc Zyngier wrote:
> > 
> >> The name allocated for the regmap_config structure is freed
> >> pretty early, right after the registration of the MMIO region.
> >>
> >> Unfortunately, that doesn't follow the life cycle that debugfs
> >> expects, as it can access the name field long after the free
> >> has occured.
> >>
> >> Move the free on the error path, and keep it forever otherwise.
> >>
> >> Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
> >> Signed-off-by: Marc Zyngier <maz@kernel.org>
> >> ---
> >>  drivers/mfd/syscon.c | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > Fixed the spelling mistake and applied, thanks.
> > 
> 
> Marc,
> Can you recheck the behavior once on the latest master to see if this patch is
> still needed? I see a new patch within the regmap core that is dealing with the
> delayed debugfs registration name. This follows the similar design logic I
> suggested on your initial submission [1].
> 
> Please see commit 94cc89eb8fa5 ("regmap: debugfs: Fix handling of name string
> for debugfs init delays") in mainline.
> 
> Lee,
> I haven't seen this patch in -next yet, so maybe worthwhile to hold it a little
> longer.

It's already applied.

If the lines become superfluous please submit a subsequent patch.

Tomi Valkeinen Feb. 16, 2021, 6:34 a.m. UTC | #5

Hi Marc,

On 03/09/2020 19:02, Marc Zyngier wrote:
> The name allocated for the regmap_config structure is freed
> pretty early, right after the registration of the MMIO region.
> 
> Unfortunately, that doesn't follow the life cycle that debugfs
> expects, as it can access the name field long after the free
> has occured.
> 
> Move the free on the error path, and keep it forever otherwise.
> 
> Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
> Signed-off-by: Marc Zyngier <maz@kernel.org>
> ---
>  drivers/mfd/syscon.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c
> index 75859e492984..7a660411c562 100644
> --- a/drivers/mfd/syscon.c
> +++ b/drivers/mfd/syscon.c
> @@ -108,7 +108,6 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
>  	syscon_config.max_register = resource_size(&res) - reg_io_width;
>  
>  	regmap = regmap_init_mmio(NULL, base, &syscon_config);
> -	kfree(syscon_config.name);
>  	if (IS_ERR(regmap)) {
>  		pr_err("regmap init failed\n");
>  		ret = PTR_ERR(regmap);
> @@ -145,6 +144,7 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
>  	regmap_exit(regmap);
>  err_regmap:
>  	iounmap(base);
> +	kfree(syscon_config.name);
>  err_map:
>  	kfree(syscon);
>  	return ERR_PTR(ret);
> 

This patch causes lots of kmemleak reports, for example:

unreferenced object 0xc8e6f000 (size 64):
  comm "kworker/1:1", pid 22, jiffies 4294938454 (age 95.540s)
  hex dump (first 32 bytes):
    64 73 70 5f 73 79 73 74 65 6d 40 34 30 64 30 30  dsp_system@40d00
    30 30 30 00 e0 09 4d c1 ac 1b 4d c1 64 74 4c c1  000...M...M.dtL.
  backtrace:
    [<(ptrval)>] __kmalloc_track_caller+0x2bc/0x418
    [<(ptrval)>] kvasprintf+0x9c/0x124
    [<(ptrval)>] kasprintf+0x70/0xac
    [<(ptrval)>] of_syscon_register+0x1f0/0x4f0
    [<(ptrval)>] device_node_get_regmap+0x12c/0x158
    [<(ptrval)>] syscon_regmap_lookup_by_phandle+0x5c/0x6c
    [<(ptrval)>] omap_iommu_probe+0x6ac/0xc28
    [<(ptrval)>] platform_probe+0x120/0x1e0
    [<(ptrval)>] really_probe+0x2b4/0x121c
    [<(ptrval)>] driver_probe_device+0x10c/0x4c0
    [<(ptrval)>] __device_attach_driver+0x1d8/0x26c
    [<(ptrval)>] bus_for_each_drv+0x174/0x200
    [<(ptrval)>] __device_attach+0x2f0/0x45c
    [<(ptrval)>] device_initial_probe+0x1c/0x20
    [<(ptrval)>] bus_probe_device+0x224/0x2b8
    [<(ptrval)>] device_add+0xad0/0x1e18

 Tomi

Marc Zyngier Feb. 16, 2021, 8:42 a.m. UTC | #6

Hi Tomi,

On Tue, 16 Feb 2021 06:34:50 +0000,
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com> wrote:
> 
> Hi Marc,
> 
> On 03/09/2020 19:02, Marc Zyngier wrote:
> > The name allocated for the regmap_config structure is freed
> > pretty early, right after the registration of the MMIO region.
> > 
> > Unfortunately, that doesn't follow the life cycle that debugfs
> > expects, as it can access the name field long after the free
> > has occured.
> > 
> > Move the free on the error path, and keep it forever otherwise.
> > 
> > Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
> > Signed-off-by: Marc Zyngier <maz@kernel.org>
> > ---
> >  drivers/mfd/syscon.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c
> > index 75859e492984..7a660411c562 100644
> > --- a/drivers/mfd/syscon.c
> > +++ b/drivers/mfd/syscon.c
> > @@ -108,7 +108,6 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
> >  	syscon_config.max_register = resource_size(&res) - reg_io_width;
> >  
> >  	regmap = regmap_init_mmio(NULL, base, &syscon_config);
> > -	kfree(syscon_config.name);
> >  	if (IS_ERR(regmap)) {
> >  		pr_err("regmap init failed\n");
> >  		ret = PTR_ERR(regmap);
> > @@ -145,6 +144,7 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
> >  	regmap_exit(regmap);
> >  err_regmap:
> >  	iounmap(base);
> > +	kfree(syscon_config.name);
> >  err_map:
> >  	kfree(syscon);
> >  	return ERR_PTR(ret);
> > 
> 
> This patch causes lots of kmemleak reports, for example:

It may trigger some kmemleak reports, but at the time it was written,
this patch avoided some very nasty memory corruption with debugfs. The
problem is that the memory management responsibilities between syscon,
regmap and debugfs are rather obscure.

If you can come up with an accurate description of the life cycle of
syscon_config.name across these 3 subsystems, we may be able to fix it
for good.

Thanks,

	M.

mfd: syscon: Don't free allocated name for regmap_config

Commit Message

Comments

Patch