From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Bitan Biswas, Srinivas Kandagatla
Subject: [PATCH 5.5 113/367] nvmem: core: fix memory abort in cleanup path
Date: Mon, 10 Feb 2020 04:30:26 -0800
Message-Id: <20200210122435.013356076@linuxfoundation.org>
X-Mailer: git-send-email 2.25.0
In-Reply-To: <20200210122423.695146547@linuxfoundation.org>
References: <20200210122423.695146547@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Bitan Biswas

commit 16bb7abc4a6b9defffa294e4dc28383e62a1dbcf upstream.

nvmem_cell_info_to_nvmem_cell implementation has static
allocation of name. nvmem_add_cells_from_of() call may
return error and kfree name results in memory abort. Use
kstrdup_const() and kfree_const calls for name alloc and free.

Unable to handle kernel paging request at virtual address ffffffffffe44888
Mem abort info:
  ESR = 0x96000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
swapper pgtable: 64k pages, 48-bit VAs, pgdp=00000000815d0000
[ffffffffffe44888] pgd=0000000081d30803, pud=0000000081d30803, pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 2 PID: 43 Comm: kworker/2:1 Tainted
Hardware name: quill (DT)
Workqueue: events deferred_probe_work_func
pstate: a0000005 (NzCv daif -PAN -UAO)
pc : kfree+0x38/0x278
lr : nvmem_cell_drop+0x68/0x80
sp : ffff80001284f9d0
x29: ffff80001284f9d0 x28: ffff0001f677e830
x27: ffff800011b0b000 x26: ffff0001c36e1008
x25: ffff8000112ad000 x24: ffff8000112c9000
x23: ffffffffffffffea x22: ffff800010adc7f0
x21: ffffffffffe44880 x20: ffff800011b0b068
x19: ffff80001122d380 x18: ffffffffffffffff
x17: 00000000d5cb4756 x16: 0000000070b193b8
x15: ffff8000119538c8 x14: 0720072007200720
x13: 07200720076e0772 x12: 07750762072d0765
x11: 0773077507660765 x10: 072f073007300730
x9 : 0730073207380733 x8 : 0000000000000151
x7 : 07660765072f0720 x6 : ffff0001c00e0f00
x5 : 0000000000000000 x4 : ffff0001c0b43800
x3 : ffff800011b0b068 x2 : 0000000000000000
x1 : 0000000000000000 x0 : ffffffdfffe00000
Call trace:
 kfree+0x38/0x278
 nvmem_cell_drop+0x68/0x80
 nvmem_device_remove_all_cells+0x2c/0x50
 nvmem_register.part.9+0x520/0x628
 devm_nvmem_register+0x48/0xa0
 tegra_fuse_probe+0x140/0x1f0
 platform_drv_probe+0x50/0xa0
 really_probe+0x108/0x348
 driver_probe_device+0x58/0x100
 __device_attach_driver+0x90/0xb0
 bus_for_each_drv+0x64/0xc8
__device_attach+0xd8/0x138 device_initial_probe+0x10/0x18 bus_probe_device+0x90/0x98 deferred_probe_work_func+0x74/0xb0 process_one_work+0x1e0/0x358 worker_thread+0x208/0x488 kthread+0x118/0x120 ret_from_fork+0x10/0x18 Code: d350feb5 f2dffbe0 aa1e03f6 8b151815 (f94006a0) ---[ end trace 49b1303c6b83198e ]--- Fixes: badcdff107cbf ("nvmem: Convert to using %pOFn instead of device_node.name") Signed-off-by: Bitan Biswas Cc: stable Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20200109104017.6249-5-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman --- drivers/nvmem/core.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/drivers/nvmem/core.c +++ b/drivers/nvmem/core.c @@ -83,7 +83,7 @@ static void nvmem_cell_drop(struct nvmem list_del(&cell->node); mutex_unlock(&nvmem_mutex); of_node_put(cell->np); - kfree(cell->name); + kfree_const(cell->name); kfree(cell); } @@ -110,7 +110,9 @@ static int nvmem_cell_info_to_nvmem_cell cell->nvmem = nvmem; cell->offset = info->offset; cell->bytes = info->bytes; - cell->name = info->name; + cell->name = kstrdup_const(info->name, GFP_KERNEL); + if (!cell->name) + return -ENOMEM; cell->bit_offset = info->bit_offset; cell->nbits = info->nbits; @@ -300,7 +302,7 @@ static int nvmem_add_cells_from_of(struc dev_err(dev, "cell %s unaligned to nvmem stride %d\n", cell->name, nvmem->stride); /* Cells already added will be freed later. */ - kfree(cell->name); + kfree_const(cell->name); kfree(cell); return -EINVAL; }
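
Review bot: In the nvmem_cell_info_to_nvmem_cell() hunk (@@ -110,7 +110,9 @@), the new "if (!cell->name) return -ENOMEM;" check cannot tell an allocation failure apart from a caller passing info->name == NULL, because kstrdup_const() also returns NULL for a NULL source string. If a cell description without a name is valid input, it now fails with -ENOMEM where it was accepted before; either guard the duplication on info->name being non-NULL or document that a name is mandatory. Separately, cell->name is now an owned allocation from this point on, so any failure return later in this function, and any caller that only does kfree(cell) when this function fails, has to release the name with kfree_const() as well. The visible context does not show those paths, so they are worth checking before this goes in.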
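
Review bot: The ownership rule for cell->name is not documented anywhere in the nvmem_cell_drop() hunk (@@ -83,7 +83,7 @@) or the nvmem_add_cells_from_of() error path (@@ -300,7 +302,7 @@), and the two sites now rely on it. After this change the name may be either a pointer into read-only kernel data returned unchanged by kstrdup_const() or a heap string, and only kfree_const() is safe for both; a plain kfree() added later at a new cleanup site would reintroduce the abort shown in the trace (kfree called from nvmem_cell_drop on an address that is not a slab object). A short comment at the name field or at these free sites stating that the name must always be released with kfree_const() would make that hard to get wrong, and it would help to confirm that the name set in nvmem_add_cells_from_of(), which this hunk does not show, is likewise something kfree_const() can release.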