2022-05-23 21:35:23

by Guenter Roeck

Subject: Re: [PATCH] ARM: 9192/1: amba: fix memory leak in amba_device_try_add()

On Mon, Apr 18, 2022 at 07:07:14AM +0100, Wang Kefeng wrote:
> If amba_device_try_add() return error code (not EPROBE_DEFER),
> memory leak occurred when amba device fails to read periphid.
>

This patch results in a refcount underflow.

NET: Registered PF_NETLINK/PF_ROUTE protocol family
DMA: preallocated 256 KiB pool for atomic coherent allocations
platform vga: Fixing up cyclic dependency with bridge
OF: amba_device_add() failed (-19) for /amba/smc@10100000
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at lib/refcount.c:28 of_platform_bus_create+0x33c/0x3dc
refcount_t: underflow; use-after-free.
Modules linked in:
CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0-next-20220523 #1
Hardware name: ARM-Versatile (Device Tree Support)
unwind_backtrace from show_stack+0x10/0x14
show_stack from dump_stack_lvl+0x38/0x5c
dump_stack_lvl from __warn+0xc8/0x1d4
__warn from warn_slowpath_fmt+0x90/0xc8
warn_slowpath_fmt from of_platform_bus_create+0x33c/0x3dc
of_platform_bus_create from of_platform_bus_create+0x1ec/0x3dc
of_platform_bus_create from of_platform_populate+0x68/0xd8
of_platform_populate from customize_machine+0x1c/0x30
customize_machine from do_one_initcall+0x8c/0x2fc
do_one_initcall from kernel_init_freeable+0x190/0x220
kernel_init_freeable from kernel_init+0x10/0x108
kernel_init from ret_from_fork+0x14/0x3c

Guenter

---
# bad: [cc63e8e92cb872081f249ea16e6c460642f3e4fb] Add linux-next specific files for 20220523
# good: [4b0986a3613c92f4ec1bdc7f60ec66fea135991f] Linux 5.18
git bisect start 'HEAD' 'v5.18'
# bad: [a812cac8ff60a3f57d59225eaf668f574fd36a65] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
git bisect bad a812cac8ff60a3f57d59225eaf668f574fd36a65
# bad: [ad67b5f981704e575b24e3b650653bae607980dc] Merge branch 'for-next' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git
git bisect bad ad67b5f981704e575b24e3b650653bae607980dc
# bad: [793dd6392ef951ae61473acfc7e7016ea22c40f4] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc.git
git bisect bad 793dd6392ef951ae61473acfc7e7016ea22c40f4
# good: [00ad84f582be91dd03132c133917cc6b62d754e2] Merge branch 'arm/dt' into for-next
git bisect good 00ad84f582be91dd03132c133917cc6b62d754e2
# bad: [5c4a49fbe99c7c9b814d677ac99e3efcc43d019a] Merge branch 'for-next/core' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
git bisect bad 5c4a49fbe99c7c9b814d677ac99e3efcc43d019a
# good: [33cd6948f953ab47ffa493bac6c0f34feb191e0d] Merge branch 'clang-format' of https://github.com/ojeda/linux.git
git bisect good 33cd6948f953ab47ffa493bac6c0f34feb191e0d
# good: [d6fc5db0f82828c74742319cb6c988c4a8aac535] Merge branch 'for-next/kselftest' into for-next/core
git bisect good d6fc5db0f82828c74742319cb6c988c4a8aac535
# good: [d7015e50a9ed180dcc3947635bb2b5711c37f48b] perf intel-pt: Add support for emulated ptwrite
git bisect good d7015e50a9ed180dcc3947635bb2b5711c37f48b
# good: [5b86b659fa4b3dd45acbdce13f2e94f882a3d125] Merge branch 'for-next' of git://git.infradead.org/users/hch/dma-mapping.git
git bisect good 5b86b659fa4b3dd45acbdce13f2e94f882a3d125
# good: [945980a9ba0744038659769e9f04e83e8f6b494b] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic.git
git bisect good 945980a9ba0744038659769e9f04e83e8f6b494b
# bad: [b6f21d14f1ac1261579b691673a0c823275cbaf8] ARM: 9204/2: module: Add all unwind tables when load module
git bisect bad b6f21d14f1ac1261579b691673a0c823275cbaf8
# bad: [c4f486f1e7b34b27ec578494a236061b337d50ae] ARM: 9198/1: spectre-bhb: simplify BPIALL vector macro
git bisect bad c4f486f1e7b34b27ec578494a236061b337d50ae
# bad: [7719a68b2fa404fa8af6b0b7119a38c406c74858] ARM: 9192/1: amba: fix memory leak in amba_device_try_add()
git bisect bad 7719a68b2fa404fa8af6b0b7119a38c406c74858
# good: [1f44de0f5e309e8699b569b49a8e89ef4e7527c7] ARM: 9193/1: amba: Add amba_read_periphid() helper
git bisect good 1f44de0f5e309e8699b569b49a8e89ef4e7527c7
# first bad commit: [7719a68b2fa404fa8af6b0b7119a38c406c74858] ARM: 9192/1: amba: fix memory leak in amba_device_try_add()




2022-05-24 02:08:36

by Kefeng Wang

Subject: Re: [PATCH] ARM: 9192/1: amba: fix memory leak in amba_device_try_add()


On 2022/5/24 5:17, Guenter Roeck wrote:
> On Mon, Apr 18, 2022 at 07:07:14AM +0100, Wang Kefeng wrote:
>> If amba_device_try_add() return error code (not EPROBE_DEFER),
>> memory leak occurred when amba device fails to read periphid.
>>
> This patch results in a refcount underflow.
>
> NET: Registered PF_NETLINK/PF_ROUTE protocol family
> DMA: preallocated 256 KiB pool for atomic coherent allocations
> platform vga: Fixing up cyclic dependency with bridge
> OF: amba_device_add() failed (-19) for /amba/smc@10100000
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 1 at lib/refcount.c:28 of_platform_bus_create+0x33c/0x3dc
> refcount_t: underflow; use-after-free.
> Modules linked in:
> CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0-next-20220523 #1
> Hardware name: ARM-Versatile (Device Tree Support)
> unwind_backtrace from show_stack+0x10/0x14
> show_stack from dump_stack_lvl+0x38/0x5c
> dump_stack_lvl from __warn+0xc8/0x1d4
> __warn from warn_slowpath_fmt+0x90/0xc8
> warn_slowpath_fmt from of_platform_bus_create+0x33c/0x3dc
> of_platform_bus_create from of_platform_bus_create+0x1ec/0x3dc
> of_platform_bus_create from of_platform_populate+0x68/0xd8
> of_platform_populate from customize_machine+0x1c/0x30
> customize_machine from do_one_initcall+0x8c/0x2fc
> do_one_initcall from kernel_init_freeable+0x190/0x220
> kernel_init_freeable from kernel_init+0x10/0x108
> kernel_init from ret_from_fork+0x14/0x3c

Thanks. I use vexpress-v2p-ca15-tc1 and can't reproduce it, but after
checking the code:

amba_device_try_add() is called by amba_deferred_retry() and amba_device_add().

1) amba_device_add() is called by of_amba_device_create() and
amba_handler_attach(), which have called amba_device_put() to release
resources when they meet an error, so my patch leads to the above issue.

2) amba_deferred_retry() only releases the struct deferred_device, but
forgets to call amba_device_put() to release the amba device and device name.

So we only need to call amba_device_put() in amba_deferred_retry(). Could you
help me try the following patch? Thanks.


diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
index 0e3ed5eb367b..0cb20324da16 100644
--- a/drivers/amba/bus.c
+++ b/drivers/amba/bus.c
@@ -493,13 +493,8 @@ static int amba_device_try_add(struct amba_device
*dev, struct resource *parent)
                goto skip_probe;

        ret = amba_read_periphid(dev);
-       if (ret) {
-               if (ret != -EPROBE_DEFER) {
-                       amba_device_put(dev);
-                       goto err_out;
-               }
+       if (ret)
                goto err_release;
-       }

 skip_probe:
        ret = device_add(&dev->dev);
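Review bot: the "if (ret) goto err_release;" that replaces the removed branch sends every amba_read_periphid() failure through err_release, whose body is outside this hunk, so the hunk alone does not show that no amba_device_put() remains on this path. Please state in the commit message that the reference is left for the caller to drop, and consider a short comment above the check, since the removed lines did the put locally. The @@ header is also wrapped onto a second line and the indentation is spaces rather than tabs, so this will not apply as posted.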
@@ -546,6 +541,7 @@ static int amba_deferred_retry(void)
                        continue;

                list_del_init(&ddev->node);
+               amba_device_put(ddev->dev);
                kfree(ddev);
        }
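Review bot: the added amba_device_put(ddev->dev) runs for every entry that gets past the continue, and the condition guarding that continue is outside the hunk, so it is not visible here whether the put is also reached when amba_device_try_add() succeeded. If the put is meant only for devices that failed, make it conditional on the return value; if it is meant for both cases, say in the commit message why dropping the reference after a successful add is correct.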



>
> Guenter
>
> ---
> # bad: [cc63e8e92cb872081f249ea16e6c460642f3e4fb] Add linux-next specific files for 20220523
> # good: [4b0986a3613c92f4ec1bdc7f60ec66fea135991f] Linux 5.18
> git bisect start 'HEAD' 'v5.18'
> # bad: [a812cac8ff60a3f57d59225eaf668f574fd36a65] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
> git bisect bad a812cac8ff60a3f57d59225eaf668f574fd36a65
> # bad: [ad67b5f981704e575b24e3b650653bae607980dc] Merge branch 'for-next' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git
> git bisect bad ad67b5f981704e575b24e3b650653bae607980dc
> # bad: [793dd6392ef951ae61473acfc7e7016ea22c40f4] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc.git
> git bisect bad 793dd6392ef951ae61473acfc7e7016ea22c40f4
> # good: [00ad84f582be91dd03132c133917cc6b62d754e2] Merge branch 'arm/dt' into for-next
> git bisect good 00ad84f582be91dd03132c133917cc6b62d754e2
> # bad: [5c4a49fbe99c7c9b814d677ac99e3efcc43d019a] Merge branch 'for-next/core' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
> git bisect bad 5c4a49fbe99c7c9b814d677ac99e3efcc43d019a
> # good: [33cd6948f953ab47ffa493bac6c0f34feb191e0d] Merge branch 'clang-format' of https://github.com/ojeda/linux.git
> git bisect good 33cd6948f953ab47ffa493bac6c0f34feb191e0d
> # good: [d6fc5db0f82828c74742319cb6c988c4a8aac535] Merge branch 'for-next/kselftest' into for-next/core
> git bisect good d6fc5db0f82828c74742319cb6c988c4a8aac535
> # good: [d7015e50a9ed180dcc3947635bb2b5711c37f48b] perf intel-pt: Add support for emulated ptwrite
> git bisect good d7015e50a9ed180dcc3947635bb2b5711c37f48b
> # good: [5b86b659fa4b3dd45acbdce13f2e94f882a3d125] Merge branch 'for-next' of git://git.infradead.org/users/hch/dma-mapping.git
> git bisect good 5b86b659fa4b3dd45acbdce13f2e94f882a3d125
> # good: [945980a9ba0744038659769e9f04e83e8f6b494b] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic.git
> git bisect good 945980a9ba0744038659769e9f04e83e8f6b494b
> # bad: [b6f21d14f1ac1261579b691673a0c823275cbaf8] ARM: 9204/2: module: Add all unwind tables when load module
> git bisect bad b6f21d14f1ac1261579b691673a0c823275cbaf8
> # bad: [c4f486f1e7b34b27ec578494a236061b337d50ae] ARM: 9198/1: spectre-bhb: simplify BPIALL vector macro
> git bisect bad c4f486f1e7b34b27ec578494a236061b337d50ae
> # bad: [7719a68b2fa404fa8af6b0b7119a38c406c74858] ARM: 9192/1: amba: fix memory leak in amba_device_try_add()
> git bisect bad 7719a68b2fa404fa8af6b0b7119a38c406c74858
> # good: [1f44de0f5e309e8699b569b49a8e89ef4e7527c7] ARM: 9193/1: amba: Add amba_read_periphid() helper
> git bisect good 1f44de0f5e309e8699b569b49a8e89ef4e7527c7
> # first bad commit: [7719a68b2fa404fa8af6b0b7119a38c406c74858] ARM: 9192/1: amba: fix memory leak in amba_device_try_add()
>
>
> .
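
The reference ownership described in the message above, as an added user-space model (not code from the thread or from the kernel). It assumes a single initial reference and a periphid read failing with -19 as in the log, and covers only the failure paths; the `model_*` names, the `variant` enum and the value -517 for EPROBE_DEFER are assumptions of the model.

```c
#include <stdio.h>

/* Constructed model: names echo the thread, bodies are simplified assumptions. */
#define MODEL_ENODEV       (-19)
#define MODEL_EPROBE_DEFER (-517)
enum variant { BEFORE_9192, WITH_9192, FOLLOW_UP };
struct model_dev { int refs; int underflow; };

static void model_put(struct model_dev *d)
{
	if (d->refs == 0)
		d->underflow = 1;	/* refcount_t would warn here */
	else
		d->refs--;
}

/* Stand-in for amba_device_try_add() when reading periphid fails with ret. */
static int model_try_add(struct model_dev *d, enum variant v, int ret)
{
	if (v == WITH_9192 && ret && ret != MODEL_EPROBE_DEFER)
		model_put(d);	/* 9192/1: callee drops the reference itself */
	return ret;
}

/* Direct path: the caller of amba_device_add() puts the device on error. */
static struct model_dev direct_add_fails(enum variant v)
{
	struct model_dev d = { .refs = 1 };
	if (model_try_add(&d, v, MODEL_ENODEV))
		model_put(&d);
	return d;
}

/* Deferred path: amba_deferred_retry() frees the list entry after a hard error. */
static struct model_dev deferred_retry_fails(enum variant v)
{
	struct model_dev d = { .refs = 1 };
	if (model_try_add(&d, v, MODEL_ENODEV) != MODEL_EPROBE_DEFER && v == FOLLOW_UP)
		model_put(&d);	/* follow-up patch: put before kfree(ddev) */
	return d;
}

int main(void)
{
	static const char *name[] = { "before 9192/1", "with 9192/1", "follow-up" };
	for (int v = BEFORE_9192; v <= FOLLOW_UP; v++)
		printf("%-13s direct underflow=%d, deferred leaked refs=%d\n", name[v],
		       direct_add_fails(v).underflow, deferred_retry_fails(v).refs);
	return 0;
}
```
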

2022-05-24 06:03:01

by Guenter Roeck

Subject: Re: [PATCH] ARM: 9192/1: amba: fix memory leak in amba_device_try_add()

On 5/23/22 18:57, Kefeng Wang wrote:
>
> On 2022/5/24 5:17, Guenter Roeck wrote:
>> On Mon, Apr 18, 2022 at 07:07:14AM +0100, Wang Kefeng wrote:
>>> If amba_device_try_add() return error code (not EPROBE_DEFER),
>>> memory leak occurred when amba device fails to read periphid.
>>>
>> This patch results in a refcount underflow.
>>
>> NET: Registered PF_NETLINK/PF_ROUTE protocol family
>> DMA: preallocated 256 KiB pool for atomic coherent allocations
>> platform vga: Fixing up cyclic dependency with bridge
>> OF: amba_device_add() failed (-19) for /amba/smc@10100000
>> ------------[ cut here ]------------
>> WARNING: CPU: 0 PID: 1 at lib/refcount.c:28 of_platform_bus_create+0x33c/0x3dc
>> refcount_t: underflow; use-after-free.
>> Modules linked in:
>> CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0-next-20220523 #1
>> Hardware name: ARM-Versatile (Device Tree Support)
>>   unwind_backtrace from show_stack+0x10/0x14
>>   show_stack from dump_stack_lvl+0x38/0x5c
>>   dump_stack_lvl from __warn+0xc8/0x1d4
>>   __warn from warn_slowpath_fmt+0x90/0xc8
>>   warn_slowpath_fmt from of_platform_bus_create+0x33c/0x3dc
>>   of_platform_bus_create from of_platform_bus_create+0x1ec/0x3dc
>>   of_platform_bus_create from of_platform_populate+0x68/0xd8
>>   of_platform_populate from customize_machine+0x1c/0x30
>>   customize_machine from do_one_initcall+0x8c/0x2fc
>>   do_one_initcall from kernel_init_freeable+0x190/0x220
>>   kernel_init_freeable from kernel_init+0x10/0x108
>>   kernel_init from ret_from_fork+0x14/0x3c
>
> Thanks. I use vexpress-v2p-ca15-tc1 and can't reproduce it, but after checking the code:
>
> amba_device_try_add() is called by amba_deferred_retry() and amba_device_add().
>
> 1) amba_device_add() is called by of_amba_device_create() and amba_handler_attach(),
> which have called amba_device_put() to release resources when they meet an error,
> so my patch leads to the above issue.
>
> 2) amba_deferred_retry() only releases the struct deferred_device, but forgets
> to call amba_device_put() to release the amba device and device name.
>
> So we only need to call amba_device_put() in amba_deferred_retry(). Could you
> help me try the following patch? Thanks.
>

It doesn't apply; it looks like you used cut-and-paste, which replaced
tabs with spaces. I tried to fix it up, but it didn't work.
Please send a clean patch.

Thanks,
Guenter

>
> diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
> index 0e3ed5eb367b..0cb20324da16 100644
> --- a/drivers/amba/bus.c
> +++ b/drivers/amba/bus.c
> @@ -493,13 +493,8 @@ static int amba_device_try_add(struct amba_device *dev, struct resource *parent)
>                 goto skip_probe;
>
>         ret = amba_read_periphid(dev);
> -       if (ret) {
> -               if (ret != -EPROBE_DEFER) {
> -                       amba_device_put(dev);
> -                       goto err_out;
> -               }
> +       if (ret)
>                 goto err_release;
> -       }
>
>  skip_probe:
>         ret = device_add(&dev->dev);
> @@ -546,6 +541,7 @@ static int amba_deferred_retry(void)
>                         continue;
>
>                 list_del_init(&ddev->node);
> +               amba_device_put(ddev->dev);
>                 kfree(ddev);
>         }
>
>
>
>>
>> Guenter
>>
>> ---
>> # bad: [cc63e8e92cb872081f249ea16e6c460642f3e4fb] Add linux-next specific files for 20220523
>> # good: [4b0986a3613c92f4ec1bdc7f60ec66fea135991f] Linux 5.18
>> git bisect start 'HEAD' 'v5.18'
>> # bad: [a812cac8ff60a3f57d59225eaf668f574fd36a65] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
>> git bisect bad a812cac8ff60a3f57d59225eaf668f574fd36a65
>> # bad: [ad67b5f981704e575b24e3b650653bae607980dc] Merge branch 'for-next' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git
>> git bisect bad ad67b5f981704e575b24e3b650653bae607980dc
>> # bad: [793dd6392ef951ae61473acfc7e7016ea22c40f4] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc.git
>> git bisect bad 793dd6392ef951ae61473acfc7e7016ea22c40f4
>> # good: [00ad84f582be91dd03132c133917cc6b62d754e2] Merge branch 'arm/dt' into for-next
>> git bisect good 00ad84f582be91dd03132c133917cc6b62d754e2
>> # bad: [5c4a49fbe99c7c9b814d677ac99e3efcc43d019a] Merge branch 'for-next/core' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
>> git bisect bad 5c4a49fbe99c7c9b814d677ac99e3efcc43d019a
>> # good: [33cd6948f953ab47ffa493bac6c0f34feb191e0d] Merge branch 'clang-format' of https://github.com/ojeda/linux.git
>> git bisect good 33cd6948f953ab47ffa493bac6c0f34feb191e0d
>> # good: [d6fc5db0f82828c74742319cb6c988c4a8aac535] Merge branch 'for-next/kselftest' into for-next/core
>> git bisect good d6fc5db0f82828c74742319cb6c988c4a8aac535
>> # good: [d7015e50a9ed180dcc3947635bb2b5711c37f48b] perf intel-pt: Add support for emulated ptwrite
>> git bisect good d7015e50a9ed180dcc3947635bb2b5711c37f48b
>> # good: [5b86b659fa4b3dd45acbdce13f2e94f882a3d125] Merge branch 'for-next' of git://git.infradead.org/users/hch/dma-mapping.git
>> git bisect good 5b86b659fa4b3dd45acbdce13f2e94f882a3d125
>> # good: [945980a9ba0744038659769e9f04e83e8f6b494b] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic.git
>> git bisect good 945980a9ba0744038659769e9f04e83e8f6b494b
>> # bad: [b6f21d14f1ac1261579b691673a0c823275cbaf8] ARM: 9204/2: module: Add all unwind tables when load module
>> git bisect bad b6f21d14f1ac1261579b691673a0c823275cbaf8
>> # bad: [c4f486f1e7b34b27ec578494a236061b337d50ae] ARM: 9198/1: spectre-bhb: simplify BPIALL vector macro
>> git bisect bad c4f486f1e7b34b27ec578494a236061b337d50ae
>> # bad: [7719a68b2fa404fa8af6b0b7119a38c406c74858] ARM: 9192/1: amba: fix memory leak in amba_device_try_add()
>> git bisect bad 7719a68b2fa404fa8af6b0b7119a38c406c74858
>> # good: [1f44de0f5e309e8699b569b49a8e89ef4e7527c7] ARM: 9193/1: amba: Add amba_read_periphid() helper
>> git bisect good 1f44de0f5e309e8699b569b49a8e89ef4e7527c7
>> # first bad commit: [7719a68b2fa404fa8af6b0b7119a38c406c74858] ARM: 9192/1: amba: fix memory leak in amba_device_try_add()
>>
>>
>> .