Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp3697209pxb; Mon, 24 Jan 2022 15:39:20 -0800 (PST) X-Google-Smtp-Source: ABdhPJys27AiX6qzSU58y32c0FmGasApTPfMQyEMOBfulPrS0J2w79K949/TLaCXYqGdrK8F1Nim X-Received: by 2002:a17:90a:4b8b:: with SMTP id i11mr659456pjh.148.1643067445132; Mon, 24 Jan 2022 15:37:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643067445; cv=none; d=google.com; s=arc-20160816; b=wSmNi61t7KOMgzaV4F2mCeKfNsr7mnqCLFPSmUGcRDQSpTTzhR8uuNtPCgqO8LIGCn 1XypNqMcydLe/qKL9ro9cDMm98jAD41agjGKRS4woR0BQbVyv5ShzrrjwVr50OoqRVFb ujJgSF54c+hqxPQfiLs2y27ciNVVP98LmlqpRampokWBpgeq+K60ihunvOlMlnT9Qi2I /HfY5sQ2GkovrUF/qDDvAIKcdkvlu0OuZIo9jfgWsqZGNnCS9MfOzSvmdZgo2fsFnv3N I0UGP6VTDYDAL6nrKAzj+i3yRmUyJrmaM4RT5gsF9m1cUfbBnlJcaQK/txmAnM1Dq8EA W5WA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=RxGnGp68tdYJrFzF/TmeVzbeIPmmt5dGINT8tV7g/oM=; b=quVCZ+q1yGofIuS25kqYvAbCtn70Q0fxKUfOuRuwd7MNWt3Til3HG5e87TNdz6XzYQ NPs7PrHUv7CUXnR5EUKBQ1WbbaotN+1v7No//QRoqiy1vyHX6/0VtHA4Rh1nUZdb9slg zBfKXflmPcog3N3Hl7JGDiCmz6Lb/EcloXeLUTwDfjSAtCo0Qg+GOYOmfC7CS3D3XOen IIuLFxM7BuT2/yHVboE0GAmRNHsB2e32Wisk469GxdUeNSGAqVuRZnICQKj7wl8kT05c cgw36NDmiPm/PqeYYPzp3U8ZeL+VfP+vjOgohQtjzkIbZhZjTKtRbirKVYjdZF7SIlRZ RizA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=IaZdOLH2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v4si1275563pfu.184.2022.01.24.15.37.12; Mon, 24 Jan 2022 15:37:25 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=IaZdOLH2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1851242AbiAXXcN (ORCPT + 99 others); Mon, 24 Jan 2022 18:32:13 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40992 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1836503AbiAXWjk (ORCPT ); Mon, 24 Jan 2022 17:39:40 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9BDDAC05487C; Mon, 24 Jan 2022 13:02:34 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 648A2B811FB; Mon, 24 Jan 2022 21:02:33 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 91777C340E5; Mon, 24 Jan 2022 21:02:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643058152; bh=fDKZb5ZOGOoDpGNIT4AzWS/7B5dYfdm2X4IfhgXunug=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IaZdOLH2YghU9R0dAuy+FfNdTUkeCnLKD1uw+Ljrlqp/XQD3yWLT8iPfguFcjvTDt WsFGSGeKfo2OaGvwVXiH4nBNTkXUDEIWbF+Lh5LcYagpQ9k5vkQAarzc98+EGpAeNV H4Izb8sU8msTXkl08Boh6jG1799t24o3Hwz0XOP4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "George G. Davis" , Vignesh Raghavendra , Sasha Levin Subject: [PATCH 5.16 0164/1039] mtd: hyperbus: rpc-if: fix bug in rpcif_hb_remove Date: Mon, 24 Jan 2022 19:32:33 +0100 Message-Id: <20220124184130.734861750@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220124184125.121143506@linuxfoundation.org> References: <20220124184125.121143506@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: George G. Davis [ Upstream commit baaf965f94308301d2dc554d72a87d7432cd5ce6 ] The following KASAN BUG is observed when testing the rpc-if driver on rcar-gen3: root@rcar-gen3:~# modprobe -r rpc-if [ 101.930146] ================================================================== [ 101.937408] BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x518/0x25d0 [ 101.944240] Read of size 8 at addr ffff0004c5be2750 by task modprobe/664 [ 101.950959] [ 101.952466] CPU: 2 PID: 664 Comm: modprobe Not tainted 5.14.0-rc1-00342-g1a1464d7aa31 #1 [ 101.960578] Hardware name: Renesas H3ULCB board based on r8a77951 (DT) [ 101.967120] Call trace: [ 101.969580] dump_backtrace+0x0/0x2c0 [ 101.973275] show_stack+0x1c/0x30 [ 101.976616] dump_stack_lvl+0x9c/0xd8 [ 101.980301] print_address_description.constprop.0+0x74/0x2b8 [ 101.986071] kasan_report+0x1f4/0x26c [ 101.989757] __asan_load8+0x98/0xd4 [ 101.993266] __lock_acquire+0x518/0x25d0 [ 101.997215] lock_acquire.part.0+0x18c/0x360 [ 102.001506] lock_acquire+0x74/0x90 [ 102.005013] _raw_spin_lock_irq+0x98/0x130 [ 102.009131] __pm_runtime_disable+0x30/0x210 [ 102.013427] rpcif_hb_remove+0x5c/0x70 [rpc_if] [ 102.018001] platform_remove+0x40/0x80 [ 102.021771] __device_release_driver+0x234/0x350 [ 102.026412] driver_detach+0x158/0x20c [ 102.030179] bus_remove_driver+0xa0/0x140 [ 102.034212] driver_unregister+0x48/0x80 [ 102.038153] platform_driver_unregister+0x18/0x24 [ 102.042879] rpcif_platform_driver_exit+0x1c/0x34 [rpc_if] [ 102.048400] __arm64_sys_delete_module+0x210/0x310 [ 102.053212] invoke_syscall+0x60/0x190 [ 102.056986] el0_svc_common+0x12c/0x144 [ 102.060844] do_el0_svc+0x88/0xac [ 102.064181] el0_svc+0x24/0x3c [ 102.067257] el0t_64_sync_handler+0x1a8/0x1b0 [ 102.071634] el0t_64_sync+0x198/0x19c [ 102.075315] [ 102.076815] Allocated by task 628: [ 102.080781] [ 102.082280] Last potentially related work creation: [ 102.087524] [ 102.089022] The buggy address belongs to the object at ffff0004c5be2000 [ 102.089022] which belongs to the cache kmalloc-2k of size 2048 [ 102.101555] The buggy address is located 1872 bytes inside of [ 102.101555] 2048-byte region [ffff0004c5be2000, ffff0004c5be2800) [ 102.113486] The buggy address belongs to the page: [ 102.118409] [ 102.119908] Memory state around the buggy address: [ 102.124711] ffff0004c5be2600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 102.131947] ffff0004c5be2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 102.139181] >ffff0004c5be2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 102.146412] ^ [ 102.152257] ffff0004c5be2780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 102.159491] ffff0004c5be2800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 102.166723] ================================================================== The above bug is caused by use of the wrong pointer in the rpcif_disable_rpm() call. Fix the bug by using the correct pointer. Fixes: 5de15b610f78 ("mtd: hyperbus: add Renesas RPC-IF driver") Signed-off-by: George G. Davis Signed-off-by: Vignesh Raghavendra Link: https://lore.kernel.org/r/20210716204935.25859-1-george_davis@mentor.com Signed-off-by: Sasha Levin --- drivers/mtd/hyperbus/rpc-if.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/hyperbus/rpc-if.c b/drivers/mtd/hyperbus/rpc-if.c index 367b0d72bf622..dc164c18f8429 100644 --- a/drivers/mtd/hyperbus/rpc-if.c +++ b/drivers/mtd/hyperbus/rpc-if.c @@ -152,9 +152,9 @@ static int rpcif_hb_remove(struct platform_device *pdev) { struct rpcif_hyperbus *hyperbus = platform_get_drvdata(pdev); int error = hyperbus_unregister_device(&hyperbus->hbdev); - struct rpcif *rpc = dev_get_drvdata(pdev->dev.parent); - rpcif_disable_rpm(rpc); + rpcif_disable_rpm(&hyperbus->rpc); + return error; } -- 2.34.1