Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp3601786pxb; Mon, 24 Jan 2022 13:15:31 -0800 (PST) X-Google-Smtp-Source: ABdhPJyxQF1YrU6sMIYOicH2lfbo8JnkK7V15QOVA6KW+nUJ2DGX++mTbnTwK1T9oTNh6xwaE9ot X-Received: by 2002:a17:90b:4785:: with SMTP id hz5mr232523pjb.12.1643058844183; Mon, 24 Jan 2022 13:14:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643058844; cv=none; d=google.com; s=arc-20160816; b=BBz2giUzP787Kuq+LIDVFi0flfs1iIr6zC6z8Cym2WktjpkHTEUawKJX4PIflGtyf0 7g+AW7MdqsPG0iPY268WbiJs7eVH/TgnlDK3q5KWxQDLC+HoNLqdS5t+8VSOZsyL0HWS 1M3xdhvLqFqOq0WPLC76jkKnNn074Sc6G5kH9wwXsZ+FB5BLrB40meGhlvmMW9WnqOzT XVvSdGPmJDCbuf143hm+K6nEvi/20iP5XaIjMllY+Mxcni4BUjtiFLRqKV+5BC108Aev aPaXT4FxVEMaKRyQKdeGlGVHtWztQKfoUqOwjcGtlZRmJiSXGWQubYEV7DugXuifr4xy D5XA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=RxGnGp68tdYJrFzF/TmeVzbeIPmmt5dGINT8tV7g/oM=; b=zJeeLxjpqFxK0WCKrrS/XuxFyzOL2cmowQx/Wx6MnBFtPu/AL8ZyzeDFnXFOAXdycL KNQTbUZ0tSwwICqy7lUCPI7JU5WUr5k07lUbXfDLUc5tP8tGDyYXDEt3vy/a30374Xoo AsF7T4V/SwoTH4uhhlNSVC4XkYnbDkkJ8AFHgP8X1nxC1IIKwIiUEwfwNHmq9I0Z7cZQ g2z2BK2a3xn9GaYO0SY6FNTToO51D60NTg+pPXX1TXMk13AVoOhYlGXI725/oj3EiQGx nCpiOxPubUL8OuGPQuhyINiTRwGd8EfhJwpxQqpJlLywZDAmr3MZtZMTTW5wmrOAzim0 bq2A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=TLeQaNHk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r186si15150999pgr.655.2022.01.24.13.13.51; Mon, 24 Jan 2022 13:14:04 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=TLeQaNHk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1388725AbiAXUkB (ORCPT + 99 others); Mon, 24 Jan 2022 15:40:01 -0500 Received: from dfw.source.kernel.org ([139.178.84.217]:42868 "EHLO dfw.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1380773AbiAXUQy (ORCPT ); Mon, 24 Jan 2022 15:16:54 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 52006611CD; Mon, 24 Jan 2022 20:16:54 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2C0D6C340E5; Mon, 24 Jan 2022 20:16:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643055413; bh=fDKZb5ZOGOoDpGNIT4AzWS/7B5dYfdm2X4IfhgXunug=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TLeQaNHkoDidG2B7Z5YbZ+9Qv3ald6qR9Lv54viNO0duV7LSl6Wcbq46szZba2j2n PWLhsYGfhvLSH3B5x25LnrIV7L3M5AIujks/FrI8ceUa3gZjawIxpn30aC3P8X2l6n gBg8eWHWnmY8c+YuP/EcMBhV7t7q+JwcrQcHbZyA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "George G. Davis" , Vignesh Raghavendra , Sasha Levin Subject: [PATCH 5.15 142/846] mtd: hyperbus: rpc-if: fix bug in rpcif_hb_remove Date: Mon, 24 Jan 2022 19:34:19 +0100 Message-Id: <20220124184105.881191629@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220124184100.867127425@linuxfoundation.org> References: <20220124184100.867127425@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: George G. Davis [ Upstream commit baaf965f94308301d2dc554d72a87d7432cd5ce6 ] The following KASAN BUG is observed when testing the rpc-if driver on rcar-gen3: root@rcar-gen3:~# modprobe -r rpc-if [ 101.930146] ================================================================== [ 101.937408] BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x518/0x25d0 [ 101.944240] Read of size 8 at addr ffff0004c5be2750 by task modprobe/664 [ 101.950959] [ 101.952466] CPU: 2 PID: 664 Comm: modprobe Not tainted 5.14.0-rc1-00342-g1a1464d7aa31 #1 [ 101.960578] Hardware name: Renesas H3ULCB board based on r8a77951 (DT) [ 101.967120] Call trace: [ 101.969580] dump_backtrace+0x0/0x2c0 [ 101.973275] show_stack+0x1c/0x30 [ 101.976616] dump_stack_lvl+0x9c/0xd8 [ 101.980301] print_address_description.constprop.0+0x74/0x2b8 [ 101.986071] kasan_report+0x1f4/0x26c [ 101.989757] __asan_load8+0x98/0xd4 [ 101.993266] __lock_acquire+0x518/0x25d0 [ 101.997215] lock_acquire.part.0+0x18c/0x360 [ 102.001506] lock_acquire+0x74/0x90 [ 102.005013] _raw_spin_lock_irq+0x98/0x130 [ 102.009131] __pm_runtime_disable+0x30/0x210 [ 102.013427] rpcif_hb_remove+0x5c/0x70 [rpc_if] [ 102.018001] platform_remove+0x40/0x80 [ 102.021771] __device_release_driver+0x234/0x350 [ 102.026412] driver_detach+0x158/0x20c [ 102.030179] bus_remove_driver+0xa0/0x140 [ 102.034212] driver_unregister+0x48/0x80 [ 102.038153] platform_driver_unregister+0x18/0x24 [ 102.042879] rpcif_platform_driver_exit+0x1c/0x34 [rpc_if] [ 102.048400] __arm64_sys_delete_module+0x210/0x310 [ 102.053212] invoke_syscall+0x60/0x190 [ 102.056986] el0_svc_common+0x12c/0x144 [ 102.060844] do_el0_svc+0x88/0xac [ 102.064181] el0_svc+0x24/0x3c [ 102.067257] el0t_64_sync_handler+0x1a8/0x1b0 [ 102.071634] el0t_64_sync+0x198/0x19c [ 102.075315] [ 102.076815] Allocated by task 628: [ 102.080781] [ 102.082280] Last potentially related work creation: [ 102.087524] [ 102.089022] The buggy address belongs to the object at ffff0004c5be2000 [ 102.089022] which belongs to the cache kmalloc-2k of size 2048 [ 102.101555] The buggy address is located 1872 bytes inside of [ 102.101555] 2048-byte region [ffff0004c5be2000, ffff0004c5be2800) [ 102.113486] The buggy address belongs to the page: [ 102.118409] [ 102.119908] Memory state around the buggy address: [ 102.124711] ffff0004c5be2600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 102.131947] ffff0004c5be2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 102.139181] >ffff0004c5be2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 102.146412] ^ [ 102.152257] ffff0004c5be2780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 102.159491] ffff0004c5be2800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 102.166723] ================================================================== The above bug is caused by use of the wrong pointer in the rpcif_disable_rpm() call. Fix the bug by using the correct pointer. Fixes: 5de15b610f78 ("mtd: hyperbus: add Renesas RPC-IF driver") Signed-off-by: George G. Davis Signed-off-by: Vignesh Raghavendra Link: https://lore.kernel.org/r/20210716204935.25859-1-george_davis@mentor.com Signed-off-by: Sasha Levin --- drivers/mtd/hyperbus/rpc-if.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/hyperbus/rpc-if.c b/drivers/mtd/hyperbus/rpc-if.c index 367b0d72bf622..dc164c18f8429 100644 --- a/drivers/mtd/hyperbus/rpc-if.c +++ b/drivers/mtd/hyperbus/rpc-if.c @@ -152,9 +152,9 @@ static int rpcif_hb_remove(struct platform_device *pdev) { struct rpcif_hyperbus *hyperbus = platform_get_drvdata(pdev); int error = hyperbus_unregister_device(&hyperbus->hbdev); - struct rpcif *rpc = dev_get_drvdata(pdev->dev.parent); - rpcif_disable_rpm(rpc); + rpcif_disable_rpm(&hyperbus->rpc); + return error; } -- 2.34.1