Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp546359ybk;
        Wed, 20 May 2020 06:17:14 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwkTcxFNZDqJBNTEMUzoPWpb4wrO1CR1CcjYt8NnKmsV9RC+TFlZ8cH7DVVwwpL9TZHGQqp
X-Received: by 2002:a05:6402:3044:: with SMTP id bu4mr3469725edb.342.1589980634786;
        Wed, 20 May 2020 06:17:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1589980634; cv=none;
        d=google.com; s=arc-20160816;
        b=J3rWkpKboZA+KTrMwuMRlxqn6tcsK1rGufx75D+cbSl27HLJ5ygxrErInrQP8xxEYk
         KFFtXqSx0SYkbOE3N8Yt0jocUfoNnQPxtMqqDmCAvv4w2yEJ+yBmWha3LrZBKUfl8l10
         Tam+XBUDUVPyit9nzVETzinH+9Iq7fL8iMW3C3FTRfT2Si9tic0D58IgtM7xUwdrPs56
         9p9ahVLVjwMTms1To4qakJQl0KLyQ+qcjOS4YVx0YbE6tuHAQEPJ2lK9iwiXUGFSXTqa
         nMW6lCE78zRUg8MUsDVMc/yttEa4dkK1v3A9XvwdirYTw2iKsQQarxLxdfKhUK6qDdrg
         vGig==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=xkbaa594c8hv+diM8KSwVgXKuqqnjj5zKvkKBeTJ7Y8=;
        b=F3Fjpj296oIja5AhRoeE0051Sdtz2T0OydchwaXZ6sPvqCFVYWIWFidarbOsVND9ao
         +yLZOLROUYNV1DQmRYsyqSOlMjcBwRJYDF3O99QkLkIEtF+FOhWZODzN4BfltkoBraf3
         Oj6YWTj7e6wVEpvYT1Dwfi7lGhX1c/768uu1HvGwGSksfqdoMZe3SzTFwBtlSsNJdgOW
         7Dw2S0S77TSJkfTiAnXOWFqU1s/rEZs9YbcX+gHD3jgpLF/HqYFctAWogkWHR5PUK0XB
         BgSFxamk5aPIXAjcO6ybPT1hGc38oFPvBN3I0Vcl4SeRaX6SN+cu2on8fReFdFrOcAEC
         /1DA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=bIQJC7j5;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id la5si1709486ejb.229.2020.05.20.06.16.47;
        Wed, 20 May 2020 06:17:14 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=bIQJC7j5;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726846AbgETNN1 (ORCPT <rfc822;sunnyliangjy@gmail.com>
        + 99 others); Wed, 20 May 2020 09:13:27 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44338 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726435AbgETNN0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 20 May 2020 09:13:26 -0400
Received: from mail-vs1-xe43.google.com (mail-vs1-xe43.google.com [IPv6:2607:f8b0:4864:20::e43])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AB212C061A0F
        for <linux-kernel@vger.kernel.org>; Wed, 20 May 2020 06:13:24 -0700 (PDT)
Received: by mail-vs1-xe43.google.com with SMTP id d7so1805742vsh.0
        for <linux-kernel@vger.kernel.org>; Wed, 20 May 2020 06:13:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=xkbaa594c8hv+diM8KSwVgXKuqqnjj5zKvkKBeTJ7Y8=;
        b=bIQJC7j5R8fNWSzcDnZyiArEu05iGkkV808NYTZQsP9ZndMtm0jSwoxGTbP1wEWlWS
         xRvVuUoC+ICgjPaSL9GOuBMvRvhCz/oV11aDNMykz7McJBAePHxFzcKEm2csk/abeviv
         D3/0I/daBMJyLnVyrTZXwrFlsu6Qr030DDT0pm/tTkAog+FNfcyyKnrcz7kUH4hSQVk/
         shmMRTf+d19IX2eqzvEZZYNj2OAevUZTfFu4jEivt8IjMA8fzzIJVvzJtEPJSWpi1EAk
         CzAit9S+UCd0ryi7WKOLuuzIQJyTdbAPBwV3Oql+f+L7D1hgLkcYWjM8GYghy4CBAvv9
         C1jQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=xkbaa594c8hv+diM8KSwVgXKuqqnjj5zKvkKBeTJ7Y8=;
        b=R3BnzXQmDEI2ekOEn2b/Jz3vMeJrpwo7LoYuVnPlwTH/kJ9rAR6NdzogtVQnAegSmL
         9RPmcjMzWSYX+UN2fRyzJ3dKPR/zw/yIU5n3QdpXlKEmJ2MsUc/ro1ayvWsByLmhJxBr
         3HhgobACU/D54MOYFzlyK90FImnnxrZiTLt5QNejTQ8zx6GdyCbebbsIaofrYJFmv+ag
         PD1VBesj8Knowf2sn3cnSAiuSsDwM182f0IR+iaqVk2rTZ7WrK/6scz2eKDcPr3/TezD
         4J+S9M7MPig3oUbAPixUJDT5ryPddQtBWI0LZi/NF1q62XkuKwHDHm0V37C8skof6FB0
         ubIQ==
X-Gm-Message-State: AOAM530V823VrNNn6RImDrcDAiarelLw940bUcK5hSwGG4OXX5FcDHGW
        AHvFZsdutIrGQXBxSoG3i0EuMnPLUOS2hjWtBBjBiQ==
X-Received: by 2002:a67:be05:: with SMTP id x5mr3092492vsq.35.1589980403704;
 Wed, 20 May 2020 06:13:23 -0700 (PDT)
MIME-Version: 1.0
References: <CGME20200520090109eucas1p17270805f81f6958cd5084a7b910efc6c@eucas1p1.samsung.com>
 <a9df7155-dd7a-752b-6d1c-3426837756b1@ti.com> <e9674719-0c86-63be-04a3-ee98bd884901@samsung.com>
 <f3c58dcd-b806-95ef-2434-3084e65e1afb@ti.com> <e3fa0b35-7cca-1e37-c2fa-63cc07e6bfda@samsung.com>
 <227465a5-c6e6-5b4d-abbd-7789727843a6@ti.com> <29a21e64-a63f-6721-c938-d713488767c1@samsung.com>
In-Reply-To: <29a21e64-a63f-6721-c938-d713488767c1@samsung.com>
From:   Ulf Hansson <ulf.hansson@linaro.org>
Date:   Wed, 20 May 2020 15:12:47 +0200
Message-ID: <CAPDyKFq8-JYA_tKZmUZOY3mT-jeoWMHNpdj8SDGkqYmX7jJHVQ@mail.gmail.com>
Subject: Re: Bad kfree of dma_parms in v5.7-rc5
To:     Marek Szyprowski <m.szyprowski@samsung.com>,
        Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc:     Linux Media Mailing List <linux-media@vger.kernel.org>,
        Mauro Carvalho Chehab <mchehab@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

+ Greg

On Wed, 20 May 2020 at 14:54, Marek Szyprowski <m.szyprowski@samsung.com> wrote:
>
> Hi Tomi,
>
> On 20.05.2020 14:43, Tomi Valkeinen wrote:
> > On 20/05/2020 12:22, Marek Szyprowski wrote:
> >> On 20.05.2020 11:18, Tomi Valkeinen wrote:
> >>> On 20/05/2020 12:13, Marek Szyprowski wrote:
> >>>> On 20.05.2020 11:00, Tomi Valkeinen wrote:
> >>>>> Commit 9495b7e92f716ab2bd6814fab5e97ab4a39adfdd ("driver core:
> >>>>> platform: Initialize dma_parms for platform devices") v5.7-rc5 causes
> >>>>> at least some v4l2 platform drivers to break when freeing resources.
> >>>>>
> >>>>> E.g. drivers/media/platform/ti-vpe/cal.c uses
> >>>>> vb2_dma_contig_set_max_seg_size() and
> >>>>> vb2_dma_contig_clear_max_seg_size() to manage the dma_params, and
> >>>>> similar pattern is seen in other drivers too.
> >>>>>
> >>>>> After 9495b7e92f716ab2, vb2_dma_contig_set_max_seg_size() will not
> >>>>> allocate anything, but vb2_dma_contig_clear_max_seg_size() will still
> >>>>> kfree the dma_params.
> >>>>>
> >>>>> I'm not sure what's the proper fix here. A flag somewhere to indicate
> >>>>> that vb2_dma_contig_set_max_seg_size() did allocate, and thus
> >>>>> vb2_dma_contig_clear_max_seg_size() must free?
> >>>>>
> >>>>> Or drop the kzalloc and kfree totally, if dma_params is now supposed
> >>>>> to always be there?
> >>>>
> >>>> Thanks for reporting this issue!
> >>>>
> >>>> Once the mentioned commit has been merged, the code should assume that
> >>>> the platform devices does have a struct dma_params allocated, so the
> >>>> proper fix is to alloc dma_params only if the bus is not a platform
> >>>> bus:
> >>>>
> >>>> if (!dev_is_platform(dev) && !dev->dma_parms) {
> >>>>        dev->dma_parms = kzalloc(sizeof(*dev->dma_parms), GFP_KERNEL);
> >>>>
> >>>> same check for the free path.
> >>>
> >>> There is also "amba: Initialize dma_parms for amba devices". And the
> >>> commit message says PCI devices do this too.
> >>>
> >>> Guessing this based on the device type doesn't sound like a good idea
> >>> to me.
> >>
> >> Indeed. Then replace the allocation with a simple check for NULL
> >> dma_parms and return an error in such case. This should be enough for
> >> v5.8. Later we can simply get rid of those helpers and inline setting
> >> max segment size directly to the drivers.

That seems like a good idea, in the long run.

> >
> > Is that valid either? Then we assume that dma_parms is always set up
> > by someone else. That's true for platform devices and apparently some
> > other devices, but is it true for all devices now?
>
> # git grep vb2_dma_contig_set_max_seg_size | wc -l
>
> 18
>
> I've checked all clients of the vb2_dma_contig_set_max_seg_size
> function. There are only 9 drivers, all of them are platform device
> drivers. We don't care about off-tree users, so the proposed approach is
> imho fine.

Thanks for reporting and for looking into this. I apologize for the mess!

There is one case, where the above solution could be a problem (unless
I am wrong). That is, s5p_mfc_configure_2port_memory() that calls
s5p_mfc_alloc_memdev(), which allocates/initializes an internal struct
*device. Thus, this doesn't have the dev->dma_parms
allocated/assigned.

In other words, we would need to manage alloc/free for the
dev->dma_parms to have a complete fix. Maybe in
s5p_mfc_configure|unconfigure_2port_memory()!?

Additionally, I think reverting the offending commit, as discussed
above, could cause even more issues, as it's even included for
v5.6-stable kernels. I will go through all cases, more carefully this
time, of how ->dma_parms is managed, to be sure there are no more
conflicting cases.

Kind regards
Uffe