From: Ulf Hansson
Date: Wed, 20 May 2020 18:01:56 +0200
Subject: Re: Bad kfree of dma_parms in v5.7-rc5
To: Marek Szyprowski, Tomi Valkeinen, Greg Kroah-Hartman
Cc: Linux Media Mailing List, Mauro Carvalho Chehab, LKML
X-Mailing-List: linux-kernel@vger.kernel.org

Marek, Tomi, Greg

On Wed, 20 May 2020 at 17:14, Ulf Hansson wrote:
>
> On Wed, 20 May 2020 at 15:28, Marek Szyprowski wrote:
> >
> > Hi Ulf,
> >
> > On 20.05.2020 15:12, Ulf Hansson wrote:
> > > + Greg
> > >
> > > On Wed, 20 May 2020 at 14:54, Marek Szyprowski wrote:
> > >> On 20.05.2020 14:43, Tomi Valkeinen wrote:
> > >>> On 20/05/2020 12:22, Marek Szyprowski wrote:
> > >>>> On 20.05.2020 11:18, Tomi Valkeinen wrote:
> > >>>>> On 20/05/2020 12:13, Marek Szyprowski wrote:
> > >>>>>> On 20.05.2020 11:00, Tomi Valkeinen wrote:
> > >>>>>>> Commit 9495b7e92f716ab2bd6814fab5e97ab4a39adfdd ("driver core:
> > >>>>>>> platform: Initialize dma_parms for platform devices") v5.7-rc5 causes
> > >>>>>>> at least some v4l2 platform drivers to break when freeing resources.
> > >>>>>>>
> > >>>>>>> E.g. drivers/media/platform/ti-vpe/cal.c uses
> > >>>>>>> vb2_dma_contig_set_max_seg_size() and
> > >>>>>>> vb2_dma_contig_clear_max_seg_size() to manage the dma_params, and
> > >>>>>>> similar pattern is seen in other drivers too.
> > >>>>>>>
> > >>>>>>> After 9495b7e92f716ab2, vb2_dma_contig_set_max_seg_size() will not
> > >>>>>>> allocate anything, but vb2_dma_contig_clear_max_seg_size() will still
> > >>>>>>> kfree the dma_params.
> > >>>>>>>
> > >>>>>>> I'm not sure what's the proper fix here. A flag somewhere to indicate
> > >>>>>>> that vb2_dma_contig_set_max_seg_size() did allocate, and thus
> > >>>>>>> vb2_dma_contig_clear_max_seg_size() must free?
> > >>>>>>>
> > >>>>>>> Or drop the kzalloc and kfree totally, if dma_params is now supposed
> > >>>>>>> to always be there?
> > >>>>>> Thanks for reporting this issue!
> > >>>>>>
> > >>>>>> Once the mentioned commit has been merged, the code should assume that
> > >>>>>> the platform devices do have a struct dma_params allocated, so the
> > >>>>>> proper fix is to alloc dma_params only if the bus is not a platform
> > >>>>>> bus:
> > >>>>>>
> > >>>>>> if (!dev_is_platform(dev) && !dev->dma_parms) {
> > >>>>>>         dev->dma_parms = kzalloc(sizeof(*dev->dma_parms), GFP_KERNEL);
> > >>>>>>
> > >>>>>> same check for the free path.
> > >>>>> There is also "amba: Initialize dma_parms for amba devices". And the
> > >>>>> commit message says PCI devices do this too.
> > >>>>>
> > >>>>> Guessing this based on the device type doesn't sound like a good idea
> > >>>>> to me.
> > >>>> Indeed. Then replace the allocation with a simple check for NULL
> > >>>> dma_parms and return an error in such case. This should be enough for
> > >>>> v5.8. Later we can simply get rid of those helpers and inline setting
> > >>>> max segment size directly to the drivers.
> > > That seems like a good idea, in the long run.
> > >
> > >>> Is that valid either? Then we assume that dma_parms is always set up
> > >>> by someone else. That's true for platform devices and apparently some
> > >>> other devices, but is it true for all devices now?
> > >> # git grep vb2_dma_contig_set_max_seg_size | wc -l
> > >>
> > >> 18
> > >>
> > >> I've checked all clients of the vb2_dma_contig_set_max_seg_size
> > >> function. There are only 9 drivers, all of them are platform device
> > >> drivers. We don't care about off-tree users, so the proposed approach is
> > >> imho fine.
> > > Thanks for reporting and for looking into this. I apologize for the mess!
> > >
> > > There is one case, where the above solution could be a problem (unless
> > > I am wrong). That is, s5p_mfc_configure_2port_memory() that calls
> > > s5p_mfc_alloc_memdev(), which allocates/initializes an internal struct
> > > *device. Thus, this doesn't have the dev->dma_parms
> > > allocated/assigned.
> > Indeed, this one will fail.
> > > In other words, we would need to manage alloc/free for the
> > > dev->dma_parms to have a complete fix. Maybe in
> > > s5p_mfc_configure|unconfigure_2port_memory()!?
> > That would be the best place to allocate it.
> > > Additionally, I think reverting the offending commit, as discussed
> > > above, could cause even more issues, as it's even included for
> > > v5.6-stable kernels. I will go through all cases, more carefully this
> > > time, of how ->dma_parms is managed, to be sure there are no more
> > > conflicting cases.
> >
> > I've already posted a fix for ExynosDRM driver, which is also affected:
> > https://patchwork.kernel.org/patch/11559965/
>
> Alright, thanks for helping out!
>
> Please add a fixes/stable tag to it.
>
> Fixes: 9495b7e92f71 ("driver core: platform: Initialize dma_parms for
> platform devices")
> Cc: stable@vger.kernel.org
>

FYI: I have now double checked all cases where ->dma_params are being
allocated/freed. Besides those you (Marek/Tomi) have found and sent
fixes for (many thanks!) - I haven't found any additional cases to
worry about.

However, of course there are cleanups and removal of redundant code
that can be made, for some drivers/devices, which are based upon a
platform device. For example, some have their own "struct
device_dma_parameters", such as drivers/dma/dma-axi-dmac.c for
example. This is not a problem, but deserves to be cleaned up. I have
started to prepare patches for it.

Kind regards
Uffe
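
The ownership mismatch discussed in this thread, as a userspace C model added here (it is not code from the message or from the kernel tree). The helpers `model_kzalloc`, `model_kfree`, `old_set`, `old_clear` and `checked_set` are hypothetical stand-ins for the kernel allocator and the vb2 helper pair, and the `-ENODEV` return value is an assumption, since the thread only says "return an error".

```c
#include <errno.h>
#include <stdlib.h>

/* Userspace model, not kernel code; helper names are hypothetical. */
struct device_dma_parameters { unsigned int max_segment_size; };
struct device { struct device_dma_parameters *dma_parms; };
struct platform_device {   /* since 9495b7e92f71 the storage lives in the pdev */
    struct device dev;
    struct device_dma_parameters dma_parms;
};

static void *live;         /* the one allocation this model tracks */
static int bad_frees;      /* frees of memory model_kzalloc() never returned */
static void *model_kzalloc(size_t n) { return live = calloc(1, n); }
static void model_kfree(void *p) {
    if (p && p == live) { free(p); live = NULL; }
    else if (p) bad_frees++;   /* in the kernel: the bad kfree */
}

/* Pre-fix pair: set allocates only when NULL, clear frees unconditionally. */
static int old_set(struct device *d, unsigned int size) {
    if (!d->dma_parms && !(d->dma_parms = model_kzalloc(sizeof(*d->dma_parms))))
        return -ENOMEM;
    if (d->dma_parms->max_segment_size < size) d->dma_parms->max_segment_size = size;
    return 0;
}
static void old_clear(struct device *d) { model_kfree(d->dma_parms); d->dma_parms = NULL; }

/* Direction proposed in the thread: never allocate, fail on NULL (-ENODEV assumed). */
static int checked_set(struct device *d, unsigned int size) {
    if (!d->dma_parms) return -ENODEV;
    if (d->dma_parms->max_segment_size < size) d->dma_parms->max_segment_size = size;
    return 0;
}
/* Runs the pre-fix pair and returns how many bad frees it caused. */
int old_pair_bad_frees(int is_platform) {
    struct platform_device pdev = {0};
    if (is_platform) pdev.dev.dma_parms = &pdev.dma_parms; /* driver core did this */
    bad_frees = 0;
    old_set(&pdev.dev, 1u << 20);
    old_clear(&pdev.dev);
    return bad_frees;
}
/* A driver-internal struct device (the s5p_mfc case) has no dma_parms. */
int checked_set_on_bare_device(void) {
    struct device memdev = {0};
    return checked_set(&memdev, 1u << 20);
}
int main(void) { return old_pair_bad_frees(1) == 1 ? 0 : 1; }
```

The second function shows why a caller that creates its own `struct device` has to own the allocation and the matching free of `dma_parms` itself once the helper stops allocating.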