From: Miquel Raynal
To: Jon Hunter, Miquel Raynal, Richard Weinberger, Vignesh Raghavendra, Michael Walle
Cc: linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org, linux-tegra@vger.kernel.org
Subject: Re: [PATCH] mtd: core: Fix freeing of otp_info buffer
Date: Wed, 26 May 2021 11:03:04 +0200
Message-Id: <20210526090304.180839-1-miquel.raynal@bootlin.com>
In-Reply-To: <20210518185503.162787-1-jonathanh@nvidia.com>
X-linux-mtd-patch-notification: thanks
X-linux-mtd-patch-commit: b'bc8e157fdb466536557b97b6c0df6d7b46a2b91b'
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 2021-05-18 at 18:55:03 UTC, Jon Hunter wrote:
> Commit 4b361cfa8624 ("mtd: core: add OTP nvmem provider support") is
> causing the following panic ...
>
> ------------[ cut here ]------------
> kernel BUG at /local/workdir/tegra/linux_next/kernel/mm/slab.c:2730!
> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
> Modules linked in:
> CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.13.0-rc2-next-20210518 #1
> Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
> PC is at ___cache_free+0x3f8/0x51c
> ...
> [] (___cache_free) from [] (kfree+0xac/0x1bc)
> [] (kfree) from [] (mtd_otp_size+0xc4/0x108)
> [] (mtd_otp_size) from [] (mtd_device_parse_register+0xe4/0x2b4)
> [] (mtd_device_parse_register) from [] (spi_nor_probe+0x210/0x2c0)
> [] (spi_nor_probe) from [] (spi_probe+0x88/0xac)
> [] (spi_probe) from [] (really_probe+0x214/0x3a4)
> [] (really_probe) from [] (driver_probe_device+0x68/0xc0)
> [] (driver_probe_device) from [] (bus_for_each_drv+0x5c/0xbc)
> [] (bus_for_each_drv) from [] (__device_attach+0xe4/0x150)
> [] (__device_attach) from [] (bus_probe_device+0x84/0x8c)
> [] (bus_probe_device) from [] (device_add+0x48c/0x868)
> [] (device_add) from [] (spi_add_device+0xa0/0x168)
> [] (spi_add_device) from [] (spi_register_controller+0x8b8/0xb38)
> [] (spi_register_controller) from [] (devm_spi_register_controller+0x14/0x50)
> [] (devm_spi_register_controller) from [] (tegra_spi_probe+0x33c/0x450)
> [] (tegra_spi_probe) from [] (platform_probe+0x5c/0xb8)
> [] (platform_probe) from [] (really_probe+0x214/0x3a4)
> [] (really_probe) from [] (driver_probe_device+0x68/0xc0)
> [] (driver_probe_device) from [] (device_driver_attach+0x58/0x60)
> [] (device_driver_attach) from [] (__driver_attach+0x80/0xc8)
> [] (__driver_attach) from [] (bus_for_each_dev+0x78/0xb8)
> [] (bus_for_each_dev) from [] (bus_add_driver+0x164/0x1e8)
> [] (bus_add_driver) from [] (driver_register+0x7c/0x114)
> [] (driver_register) from [] (do_one_initcall+0x50/0x2b0)
> [] (do_one_initcall) from [] (kernel_init_freeable+0x1a8/0x1fc)
> [] (kernel_init_freeable) from [] (kernel_init+0x8/0x118)
> [] (kernel_init) from [] (ret_from_fork+0x14/0x24)
> ...
> ---[ end trace 0f652dd222de75d7 ]---
>
> In the function mtd_otp_size() a buffer is allocated by calling
> kmalloc() and a pointer to the buffer is stored in a variable 'info'.
> The pointer 'info' may then be incremented depending on the length
> returned from mtd_get_user/fact_prot_info(). If 'info' is incremented,
> when kfree() is called to free the buffer the above panic occurs because
> we are no longer passing the original address of the buffer allocated.
> Fix this by indexing through the buffer allocated to avoid incrementing
> the pointer.
>
> Fixes: 4b361cfa8624 ("mtd: core: add OTP nvmem provider support")
> Signed-off-by: Jon Hunter
> Reviewed-by: Michael Walle

Applied to https://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git mtd/next, thanks.

Miquel
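
The bug class described in the quoted commit message, as an added userspace model (not code from the patch or from the kernel): walking a heap buffer by advancing the only pointer to it, then freeing that pointer, next to the indexed walk that leaves the pointer intact. struct otp_region, tracked_alloc(), tracked_free(), fill() and otp_size() are hypothetical names, and the region data is constructed.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_REGIONS 16
struct otp_region { size_t start, length; };  /* hypothetical descriptor */
static void *live;  /* address the allocator last handed out */

static void *tracked_alloc(size_t n) { return live = malloc(n); }

/* 0 if p is the start of the allocation, -1 if not. The kernel's slab
 * code hits BUG() in the second case; this model only reports it. */
static int tracked_free(void *p)
{
    int ok = (p == live);
    free(live);  /* release the real block either way */
    live = NULL;
    return ok ? 0 : -1;
}

/* Constructed sample data: the "device" reports n regions of 64 bytes
 * and returns the number of bytes written, like retlen. */
static size_t fill(struct otp_region *r, size_t n)
{
    if (n > MAX_REGIONS) n = MAX_REGIONS;
    for (size_t i = 0; i < n; i++) { r[i].start = i * 64; r[i].length = 64; }
    return n * sizeof(*r);
}

/* by_pointer != 0: the "before" pattern, advancing info itself.
 * by_pointer == 0: the fix, indexing so info still points at the start. */
static int otp_size(size_t n, int by_pointer, size_t *size)
{
    struct otp_region *info = tracked_alloc(MAX_REGIONS * sizeof(*info));
    if (!info)
        return -2;
    size_t count = fill(info, n) / sizeof(*info);
    *size = 0;
    for (size_t i = 0; i < count; i++)
        *size += by_pointer ? (info++)->length : info[i].length;
    return tracked_free(info);
}

int main(void)
{
    size_t s;
    printf("pointer walk, 3 regions: %d\n", otp_size(3, 1, &s));
    printf("indexed walk, 3 regions: %d\n", otp_size(3, 0, &s));
    printf("pointer walk, 0 regions: %d\n", otp_size(0, 1, &s));
    return 0;
}
```

The zero-region case frees cleanly even with the pointer walk, so a defect of this kind only surfaces on hardware that actually reports OTP regions.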