Date: Tue, 18 May 2021 22:02:27 +0200
From: Michael Walle
To: Jon Hunter
Cc: Miquel Raynal, Richard Weinberger, Vignesh Raghavendra, linux-mtd@lists.infradead.org,
    linux-kernel@vger.kernel.org, linux-tegra@vger.kernel.org
Subject: Re: [PATCH] mtd: core: Fix freeing of otp_info buffer
In-Reply-To: <20210518185503.162787-1-jonathanh@nvidia.com>
References: <20210424110608.15748-6-michael@walle.cc> <20210518185503.162787-1-jonathanh@nvidia.com>
Message-ID: <016ead00625f91d1247190e7c68c2086@walle.cc>

On 2021-05-18 20:55, Jon Hunter wrote:
> Commit 4b361cfa8624 ("mtd: core: add OTP nvmem provider support") is
> causing the following panic ...
>
> ------------[ cut here ]------------
> kernel BUG at /local/workdir/tegra/linux_next/kernel/mm/slab.c:2730!
> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
> Modules linked in:
> CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.13.0-rc2-next-20210518 #1
> Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
> PC is at ___cache_free+0x3f8/0x51c
> ...
> [] (___cache_free) from [] (kfree+0xac/0x1bc)
> [] (kfree) from [] (mtd_otp_size+0xc4/0x108)
> [] (mtd_otp_size) from [] (mtd_device_parse_register+0xe4/0x2b4)
> [] (mtd_device_parse_register) from [] (spi_nor_probe+0x210/0x2c0)
> [] (spi_nor_probe) from [] (spi_probe+0x88/0xac)
> [] (spi_probe) from [] (really_probe+0x214/0x3a4)
> [] (really_probe) from [] (driver_probe_device+0x68/0xc0)
> [] (driver_probe_device) from [] (bus_for_each_drv+0x5c/0xbc)
> [] (bus_for_each_drv) from [] (__device_attach+0xe4/0x150)
> [] (__device_attach) from [] (bus_probe_device+0x84/0x8c)
> [] (bus_probe_device) from [] (device_add+0x48c/0x868)
> [] (device_add) from [] (spi_add_device+0xa0/0x168)
> [] (spi_add_device) from [] (spi_register_controller+0x8b8/0xb38)
> [] (spi_register_controller) from [] (devm_spi_register_controller+0x14/0x50)
> [] (devm_spi_register_controller) from [] (tegra_spi_probe+0x33c/0x450)
> [] (tegra_spi_probe) from [] (platform_probe+0x5c/0xb8)
> [] (platform_probe) from [] (really_probe+0x214/0x3a4)
> [] (really_probe) from [] (driver_probe_device+0x68/0xc0)
> [] (driver_probe_device) from [] (device_driver_attach+0x58/0x60)
> [] (device_driver_attach) from [] (__driver_attach+0x80/0xc8)
> [] (__driver_attach) from [] (bus_for_each_dev+0x78/0xb8)
> [] (bus_for_each_dev) from [] (bus_add_driver+0x164/0x1e8)
> [] (bus_add_driver) from [] (driver_register+0x7c/0x114)
> [] (driver_register) from [] (do_one_initcall+0x50/0x2b0)
> [] (do_one_initcall) from [] (kernel_init_freeable+0x1a8/0x1fc)
> [] (kernel_init_freeable) from [] (kernel_init+0x8/0x118)
> [] (kernel_init) from [] (ret_from_fork+0x14/0x24)
> ...
> ---[ end trace 0f652dd222de75d7 ]---
>
> In the function mtd_otp_size() a buffer is allocated by calling
> kmalloc() and a pointer to the buffer is stored in a variable 'info'.
> The pointer 'info' may then be incremented depending on the length
> returned from mtd_get_user/fact_prot_info(). If 'info' is incremented,
> when kfree() is called to free the buffer the above panic occurs because
> we are no longer passing the original address of the buffer allocated.
> Fix this by indexing through the buffer allocated to avoid incrementing
> the pointer.
>
> Fixes: 4b361cfa8624 ("mtd: core: add OTP nvmem provider support")
> Signed-off-by: Jon Hunter

uhm.. yes of course. Two fixes for this function. Not my best day :/

I'm wondering why CONFIG_SLUB_DEBUG_ON doesn't catch this, whereas
slub_debug=f (or fzpu) as commandline parameter works as expected.

Reviewed-by: Michael Walle

Thanks,
-michael
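
The bug described in the quoted commit message, modeled in userspace C as an added example (not part of this thread and not the kernel patch). `struct region`, `model_alloc()`, `model_free()` and `fill_regions()` are hypothetical stand-ins, and a counter replaces the slab BUG so both variants run to completion.

```c
#include <stdlib.h>

/* Hypothetical stand-in for one OTP region descriptor. */
struct region { unsigned int start, length; };

static void *live_alloc;   /* address the allocator handed out */
static int bad_frees;      /* frees called with any other address */

static void *model_alloc(size_t sz) { return live_alloc = malloc(sz); }

/* Model of the allocator's view: only the original address is valid. */
static void model_free(void *p)
{
    if (p != live_alloc)
        bad_frees++;       /* the kernel hit the slab BUG at this point */
    free(live_alloc);      /* release the real buffer so the model stays clean */
    live_alloc = NULL;
}

/* Constructed stand-in for the protection-info call: writes n descriptors
 * (n <= 8 here) and returns the number of bytes written. */
static size_t fill_regions(struct region *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (struct region){ (unsigned int)(i * 64), 64 };
    return n * sizeof(*buf);
}

/* Reported pattern: 'info' is both the cursor and the pointer freed. */
size_t total_len_walking(size_t n)
{
    struct region *info = model_alloc(8 * sizeof(*info));
    size_t size = 0, retlen = info ? fill_regions(info, n) : 0;
    for (size_t i = 0; i < retlen / sizeof(*info); i++, info++)
        size += info->length;
    model_free(info);      /* base + n: wrong whenever n > 0 */
    return size;
}

/* Fixed pattern: index through the buffer, 'info' never moves. */
size_t total_len_indexed(size_t n)
{
    struct region *info = model_alloc(8 * sizeof(*info));
    size_t size = 0, retlen = info ? fill_regions(info, n) : 0;
    for (size_t i = 0; i < retlen / sizeof(*info); i++)
        size += info[i].length;
    model_free(info);
    return size;
}
```

With `n == 0` the walking variant still frees the correct address, which matches the commit message's "may then be incremented depending on the length returned".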