Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp3621453imm;
        Mon, 4 Jun 2018 06:45:48 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKJ8w+XxD4+PYp1x/nG05wGPDgE7tHdsT80QlhFkz1z/igini1NQgAijrN537p8U3b3J5grL
X-Received: by 2002:a65:654a:: with SMTP id a10-v6mr17151231pgw.107.1528119948264;
        Mon, 04 Jun 2018 06:45:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1528119948; cv=none;
        d=google.com; s=arc-20160816;
        b=ZLea0da6b9nI7aeZNBQ6URQeh53jAOn9HOq4UhMtg0y9HeCosmP8OLhVnPl7R9q9Ql
         pXWnG0BdVlEB2QfcOb67TsIlM6W89dmTrU44LuwLNkD4M3KO41mRyer1RKs2uO/XnZr4
         zRrhqkP0k8JyFwNOLUJEqf2lhZHaWv5qtohu34xpDFRJJC0S5hskEgnI8IPsQLNBBF8l
         cPo3Qp1xD28T1paX30GN1V2EcEXokPBa0/d5X7HsqjAEXa5n9trchSb7jdUSg/2NyPZU
         2yNbyowfOihaNGqtX9Utc1+2UiC1kC+TqOHzJO22T33G8XrcJ3f+ME+Es9MDfccsN9N+
         rkLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=Hq6WEd4PFOfmnfeTjietPnJ3zQoU+7Gdl21DiiE+ddA=;
        b=XGxFKQ6FqPfaK5ZJHzzRGrls562u8iXhLMP0jTn3WtL31ZHCWia1iekwgndRSe7dE9
         V+2aIr/nwxR3vBDZvOJHJacAf7I3f47TDydMQWW9TIA3zlzLztsAZBk3C9nKi5LZQDSs
         PFIhsHbGI16I0hcAESEvn7bAzr0ghb0t1G9Tq2gRXWJayHzpDIYDmYJov1HGMpqg+jSJ
         GmV9bVJsDbKYdZc2/cUhuJzDECv/QkcFEdemKVWQvqmDcqks5bgkwYHawSwNAK84c1C9
         YN1gPz4H1o4OCzrOt9ykbbznLbPwc8zrP2bpkdGNkvmIXTEq1R7CiaqBFYXSOCHvrvGK
         S3Cg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=wiJoZmvy;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z70-v6si6595508pfi.7.2018.06.04.06.45.33;
        Mon, 04 Jun 2018 06:45:48 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=wiJoZmvy;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753359AbeFDNpE (ORCPT <rfc822;rao.subba.venkata@gmail.com>
        + 99 others); Mon, 4 Jun 2018 09:45:04 -0400
Received: from mail.kernel.org ([198.145.29.99]:33664 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1753057AbeFDNpB (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 4 Jun 2018 09:45:01 -0400
Received: from mail-io0-f171.google.com (mail-io0-f171.google.com [209.85.223.171])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 4834E2089F;
        Mon,  4 Jun 2018 13:45:01 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1528119901;
        bh=N8J9h2by0RGIua2241S/AgVUSRIrWOvB8b//0H0KjX8=;
        h=In-Reply-To:References:From:Date:Subject:To:Cc:From;
        b=wiJoZmvylfpWQF8eUJHmCLhFRbNfyAKLMEmAX6FVjSkeN9qRBjUOJGGkW6RSINmkX
         XBdKlo51KMarl0HyDv+Cvvix90bJC0BIlERwalMoccN4qkS5w0ncHGd5d7cPUCj2B7
         pfzB5TFPncssW9wa++byVxKWpPJlQIob/cGrHE20=
Received: by mail-io0-f171.google.com with SMTP id g7-v6so14242923ioh.11;
        Mon, 04 Jun 2018 06:45:01 -0700 (PDT)
X-Gm-Message-State: APt69E0LiXtijRfh915ogIuv8Y4MhsLldXv3WUg8Fo2LT8+3DOWAwosm
        SEqSzrcGXC+7sH72+/aGvSfdcrNgVmEFFHQ+Qw==
X-Received: by 2002:a6b:ca83:: with SMTP id a125-v6mr22621633iog.111.1528119900689;
 Mon, 04 Jun 2018 06:45:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4f:5505:0:0:0:0:0 with HTTP; Mon, 4 Jun 2018 06:44:39 -0700 (PDT)
In-Reply-To: <20180602000343.20045-1-srinivas.kandagatla@linaro.org>
References: <20180602000343.20045-1-srinivas.kandagatla@linaro.org>
From:   Rob Herring <robh+dt@kernel.org>
Date:   Mon, 4 Jun 2018 08:44:39 -0500
X-Gmail-Original-Message-ID: <CAL_JsqJ9AMDiYCfgGgHZ=XL_1yJjTdSA4Jb_GqHAZML3jwB6+Q@mail.gmail.com>
Message-ID: <CAL_JsqJ9AMDiYCfgGgHZ=XL_1yJjTdSA4Jb_GqHAZML3jwB6+Q@mail.gmail.com>
Subject: Re: [PATCH v2] of: platform: stop accessing invalid dev in of_platform_device_destroy
To:     Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Cc:     Frank Rowand <frowand.list@gmail.com>,
        linux-arm-msm <linux-arm-msm@vger.kernel.org>,
        Banajit Goswami <bgoswami@codeaurora.org>,
        devicetree@vger.kernel.org,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE" 
        <linux-arm-kernel@lists.infradead.org>,
        Rohit Kumar <rohkumar@qti.qualcomm.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jun 1, 2018 at 7:03 PM, Srinivas Kandagatla
<srinivas.kandagatla@linaro.org> wrote:
> Immediately after the platform_device_unregister() the device will be cleaned up.
> Accessing the freed pointer immediately after that will crash the system.
>
> Found this bug when kernel is built with CONFIG_PAGE_POISONING and testing
> loading/unloading audio drivers in a loop on Qcom platforms.

Curious, does the unittest not catch this too?

>
> Fix this by removing accessing the dev pointer.
> Below is the carsh trace:

s/carsh/crash/

[...]

> diff --git a/drivers/of/platform.c b/drivers/of/platform.c
> index c00d81dfac0b..84c5c899187b 100644
> --- a/drivers/of/platform.c
> +++ b/drivers/of/platform.c
> @@ -529,10 +529,13 @@ arch_initcall_sync(of_platform_default_populate_init);
>
>  int of_platform_device_destroy(struct device *dev, void *data)
>  {
> +       struct device_node *np;
> +
>         /* Do not touch devices not populated from the device tree */
>         if (!dev->of_node || !of_node_check_flag(dev->of_node, OF_POPULATED))
>                 return 0;
>
> +       np = dev->of_node;
>         /* Recurse for any nodes that were treated as busses */
>         if (of_node_check_flag(dev->of_node, OF_POPULATED_BUS))
>                 device_for_each_child(dev, NULL, of_platform_device_destroy);
> @@ -544,8 +547,8 @@ int of_platform_device_destroy(struct device *dev, void *data)
>                 amba_device_unregister(to_amba_device(dev));
>  #endif
>
> -       of_node_clear_flag(dev->of_node, OF_POPULATED);
> -       of_node_clear_flag(dev->of_node, OF_POPULATED_BUS);

Just move these 2 lines to before unregister calls.

> +       of_node_clear_flag(np, OF_POPULATED);
> +       of_node_clear_flag(np, OF_POPULATED_BUS);
>         return 0;
>  }
>  EXPORT_SYMBOL_GPL(of_platform_device_destroy);
> --
> 2.16.2
>