The name allocated for the regmap_config structure is freed
pretty early, right after the registration of the MMIO region.
Unfortunately, that doesn't follow the life cycle that debugfs
expects, as it can access the name field long after the free
has occured.
Move the free on the error path, and keep it forever otherwise.
Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
Signed-off-by: Marc Zyngier <[email protected]>
---
drivers/mfd/syscon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c
index 75859e492984..7a660411c562 100644
--- a/drivers/mfd/syscon.c
+++ b/drivers/mfd/syscon.c
@@ -108,7 +108,6 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
syscon_config.max_register = resource_size(&res) - reg_io_width;
regmap = regmap_init_mmio(NULL, base, &syscon_config);
- kfree(syscon_config.name);
if (IS_ERR(regmap)) {
pr_err("regmap init failed\n");
ret = PTR_ERR(regmap);
@@ -145,6 +144,7 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
regmap_exit(regmap);
err_regmap:
iounmap(base);
+ kfree(syscon_config.name);
err_map:
kfree(syscon);
return ERR_PTR(ret);
--
2.27.0
On Thu, 03 Sep 2020, Marc Zyngier wrote:
> The name allocated for the regmap_config structure is freed
> pretty early, right after the registration of the MMIO region.
>
> Unfortunately, that doesn't follow the life cycle that debugfs
> expects, as it can access the name field long after the free
> has occured.
>
> Move the free on the error path, and keep it forever otherwise.
>
> Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
> Signed-off-by: Marc Zyngier <[email protected]>
> ---
> drivers/mfd/syscon.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Does this work for you Suman, Arnd?
> diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c
> index 75859e492984..7a660411c562 100644
> --- a/drivers/mfd/syscon.c
> +++ b/drivers/mfd/syscon.c
> @@ -108,7 +108,6 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
> syscon_config.max_register = resource_size(&res) - reg_io_width;
>
> regmap = regmap_init_mmio(NULL, base, &syscon_config);
> - kfree(syscon_config.name);
> if (IS_ERR(regmap)) {
> pr_err("regmap init failed\n");
> ret = PTR_ERR(regmap);
> @@ -145,6 +144,7 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
> regmap_exit(regmap);
> err_regmap:
> iounmap(base);
> + kfree(syscon_config.name);
> err_map:
> kfree(syscon);
> return ERR_PTR(ret);
--
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog
On Thu, 03 Sep 2020, Marc Zyngier wrote:
> The name allocated for the regmap_config structure is freed
> pretty early, right after the registration of the MMIO region.
>
> Unfortunately, that doesn't follow the life cycle that debugfs
> expects, as it can access the name field long after the free
> has occured.
>
> Move the free on the error path, and keep it forever otherwise.
>
> Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
> Signed-off-by: Marc Zyngier <[email protected]>
> ---
> drivers/mfd/syscon.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Fixed the spelling mistake and applied, thanks.
--
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog
On 9/24/20 7:39 AM, Lee Jones wrote:
> On Thu, 03 Sep 2020, Marc Zyngier wrote:
>
>> The name allocated for the regmap_config structure is freed
>> pretty early, right after the registration of the MMIO region.
>>
>> Unfortunately, that doesn't follow the life cycle that debugfs
>> expects, as it can access the name field long after the free
>> has occured.
>>
>> Move the free on the error path, and keep it forever otherwise.
>>
>> Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
>> Signed-off-by: Marc Zyngier <[email protected]>
>> ---
>> drivers/mfd/syscon.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Fixed the spelling mistake and applied, thanks.
>
Marc,
Can you recheck the behavior once on the latest master to see if this patch is
still needed? I see a new patch within the regmap core that is dealing with the
delayed debugfs registration name. This follows the similar design logic I
suggested on your initial submission [1].
Please see commit 94cc89eb8fa5 ("regmap: debugfs: Fix handling of name string
for debugfs init delays") in mainline.
Lee,
I haven't seen this patch in -next yet, so maybe worthwhile to hold it a little
longer.
regards
Suman
[1] https://patchwork.kernel.org/comment/23575471/
On Fri, 25 Sep 2020, Suman Anna wrote:
> On 9/24/20 7:39 AM, Lee Jones wrote:
> > On Thu, 03 Sep 2020, Marc Zyngier wrote:
> >
> >> The name allocated for the regmap_config structure is freed
> >> pretty early, right after the registration of the MMIO region.
> >>
> >> Unfortunately, that doesn't follow the life cycle that debugfs
> >> expects, as it can access the name field long after the free
> >> has occured.
> >>
> >> Move the free on the error path, and keep it forever otherwise.
> >>
> >> Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
> >> Signed-off-by: Marc Zyngier <[email protected]>
> >> ---
> >> drivers/mfd/syscon.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > Fixed the spelling mistake and applied, thanks.
> >
>
> Marc,
> Can you recheck the behavior once on the latest master to see if this patch is
> still needed? I see a new patch within the regmap core that is dealing with the
> delayed debugfs registration name. This follows the similar design logic I
> suggested on your initial submission [1].
>
> Please see commit 94cc89eb8fa5 ("regmap: debugfs: Fix handling of name string
> for debugfs init delays") in mainline.
>
> Lee,
> I haven't seen this patch in -next yet, so maybe worthwhile to hold it a little
> longer.
It's already applied.
If the lines become superfluous please submit a subsequent patch.
--
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog
Hi Marc,
On 03/09/2020 19:02, Marc Zyngier wrote:
> The name allocated for the regmap_config structure is freed
> pretty early, right after the registration of the MMIO region.
>
> Unfortunately, that doesn't follow the life cycle that debugfs
> expects, as it can access the name field long after the free
> has occured.
>
> Move the free on the error path, and keep it forever otherwise.
>
> Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
> Signed-off-by: Marc Zyngier <[email protected]>
> ---
> drivers/mfd/syscon.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c
> index 75859e492984..7a660411c562 100644
> --- a/drivers/mfd/syscon.c
> +++ b/drivers/mfd/syscon.c
> @@ -108,7 +108,6 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
> syscon_config.max_register = resource_size(&res) - reg_io_width;
>
> regmap = regmap_init_mmio(NULL, base, &syscon_config);
> - kfree(syscon_config.name);
> if (IS_ERR(regmap)) {
> pr_err("regmap init failed\n");
> ret = PTR_ERR(regmap);
> @@ -145,6 +144,7 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
> regmap_exit(regmap);
> err_regmap:
> iounmap(base);
> + kfree(syscon_config.name);
> err_map:
> kfree(syscon);
> return ERR_PTR(ret);
>
This patch causes lots of kmemleak reports, for example:
unreferenced object 0xc8e6f000 (size 64):
comm "kworker/1:1", pid 22, jiffies 4294938454 (age 95.540s)
hex dump (first 32 bytes):
64 73 70 5f 73 79 73 74 65 6d 40 34 30 64 30 30 dsp_system@40d00
30 30 30 00 e0 09 4d c1 ac 1b 4d c1 64 74 4c c1 000...M...M.dtL.
backtrace:
[<(ptrval)>] __kmalloc_track_caller+0x2bc/0x418
[<(ptrval)>] kvasprintf+0x9c/0x124
[<(ptrval)>] kasprintf+0x70/0xac
[<(ptrval)>] of_syscon_register+0x1f0/0x4f0
[<(ptrval)>] device_node_get_regmap+0x12c/0x158
[<(ptrval)>] syscon_regmap_lookup_by_phandle+0x5c/0x6c
[<(ptrval)>] omap_iommu_probe+0x6ac/0xc28
[<(ptrval)>] platform_probe+0x120/0x1e0
[<(ptrval)>] really_probe+0x2b4/0x121c
[<(ptrval)>] driver_probe_device+0x10c/0x4c0
[<(ptrval)>] __device_attach_driver+0x1d8/0x26c
[<(ptrval)>] bus_for_each_drv+0x174/0x200
[<(ptrval)>] __device_attach+0x2f0/0x45c
[<(ptrval)>] device_initial_probe+0x1c/0x20
[<(ptrval)>] bus_probe_device+0x224/0x2b8
[<(ptrval)>] device_add+0xad0/0x1e18
Tomi
Hi Tomi,
On Tue, 16 Feb 2021 06:34:50 +0000,
Tomi Valkeinen <[email protected]> wrote:
>
> Hi Marc,
>
> On 03/09/2020 19:02, Marc Zyngier wrote:
> > The name allocated for the regmap_config structure is freed
> > pretty early, right after the registration of the MMIO region.
> >
> > Unfortunately, that doesn't follow the life cycle that debugfs
> > expects, as it can access the name field long after the free
> > has occured.
> >
> > Move the free on the error path, and keep it forever otherwise.
> >
> > Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
> > Signed-off-by: Marc Zyngier <[email protected]>
> > ---
> > drivers/mfd/syscon.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c
> > index 75859e492984..7a660411c562 100644
> > --- a/drivers/mfd/syscon.c
> > +++ b/drivers/mfd/syscon.c
> > @@ -108,7 +108,6 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
> > syscon_config.max_register = resource_size(&res) - reg_io_width;
> >
> > regmap = regmap_init_mmio(NULL, base, &syscon_config);
> > - kfree(syscon_config.name);
> > if (IS_ERR(regmap)) {
> > pr_err("regmap init failed\n");
> > ret = PTR_ERR(regmap);
> > @@ -145,6 +144,7 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
> > regmap_exit(regmap);
> > err_regmap:
> > iounmap(base);
> > + kfree(syscon_config.name);
> > err_map:
> > kfree(syscon);
> > return ERR_PTR(ret);
> >
>
> This patch causes lots of kmemleak reports, for example:
It may trigger some kmemleak reports, but at the time it was written,
this patch avoided some very nasty memory corruption with debugfs. The
problem is that the memory management responsibilities between syscon,
regmap and debugfs are rather obscure.
If you can come up with an accurate description of the life cycle of
syscon_config.name across these 3 subsystems, we may be able to fix it
for good.
Thanks,
M.
--
Without deviation from the norm, progress is not possible.