Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <85df3427-1dc8-aac0-71fc-1a8b81a731d9@huawei.com>
Date:   Tue, 24 May 2022 09:57:32 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.5.1
Subject: Re: [PATCH] ARM: 9192/1: amba: fix memory leak in
 amba_device_try_add()
Content-Language: en-US
To:     Guenter Roeck <linux@roeck-us.net>
CC:     Russell King <linux@armlinux.org.uk>,
        <linux-kernel@vger.kernel.org>
References: <20220523211700.GA236401@roeck-us.net>
From:   Kefeng Wang <wangkefeng.wang@huawei.com>
In-Reply-To: <20220523211700.GA236401@roeck-us.net>
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 8bit
Precedence: bulk


On 2022/5/24 5:17, Guenter Roeck wrote:
> On Mon, Apr 18, 2022 at 07:07:14AM +0100, Wang Kefeng wrote:
>> If amba_device_try_add() return error code (not EPROBE_DEFER),
>> memory leak occurred when amba device fails to read periphid.
>>
> This patch results in a refcount underflow.
>
> NET: Registered PF_NETLINK/PF_ROUTE protocol family
> DMA: preallocated 256 KiB pool for atomic coherent allocations
> platform vga: Fixing up cyclic dependency with bridge
> OF: amba_device_add() failed (-19) for /amba/smc@10100000
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 1 at lib/refcount.c:28 of_platform_bus_create+0x33c/0x3dc
> refcount_t: underflow; use-after-free.
> Modules linked in:
> CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0-next-20220523 #1
> Hardware name: ARM-Versatile (Device Tree Support)
>   unwind_backtrace from show_stack+0x10/0x14
>   show_stack from dump_stack_lvl+0x38/0x5c
>   dump_stack_lvl from __warn+0xc8/0x1d4
>   __warn from warn_slowpath_fmt+0x90/0xc8
>   warn_slowpath_fmt from of_platform_bus_create+0x33c/0x3dc
>   of_platform_bus_create from of_platform_bus_create+0x1ec/0x3dc
>   of_platform_bus_create from of_platform_populate+0x68/0xd8
>   of_platform_populate from customize_machine+0x1c/0x30
>   customize_machine from do_one_initcall+0x8c/0x2fc
>   do_one_initcall from kernel_init_freeable+0x190/0x220
>   kernel_init_freeable from kernel_init+0x10/0x108
>   kernel_init from ret_from_fork+0x14/0x3c

Thank,  I use vexpress-v2p-ca15-tc1 and can't reproduce , but after 
check the code,

amba_device_try_add() is called amba_deferred_retry() and amba_device_add(),

1) for amba_device_add(), called by of_amba_device_create() and 
amba_handler_attach(),

which has called amba_device_put() to release resource when meet error, my

patch leads to the above issue.

2) for amba_deferred_retry(),  it only releases the  struct 
deferred_device, but forget

to call amba_device_put() to release amba device and device name

so we only need to call amba_device_put() in amba_deferred_retry(), 
could you

help me to try the following patch, thanks.


diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
index 0e3ed5eb367b..0cb20324da16 100644
--- a/drivers/amba/bus.c
+++ b/drivers/amba/bus.c
@@ -493,13 +493,8 @@ static int amba_device_try_add(struct amba_device 
*dev, struct resource *parent)
                 goto skip_probe;

         ret = amba_read_periphid(dev);
-       if (ret) {
-               if (ret != -EPROBE_DEFER) {
-                       amba_device_put(dev);
-                       goto err_out;
-               }
+       if (ret)
                 goto err_release;
-       }

  skip_probe:
         ret = device_add(&dev->dev);
@@ -546,6 +541,7 @@ static int amba_deferred_retry(void)
                         continue;

                 list_del_init(&ddev->node);
+               amba_device_put(ddev->dev);
                 kfree(ddev);
         }


>
> Guenter
>
> ---
> # bad: [cc63e8e92cb872081f249ea16e6c460642f3e4fb] Add linux-next specific files for 20220523
> # good: [4b0986a3613c92f4ec1bdc7f60ec66fea135991f] Linux 5.18
> git bisect start 'HEAD' 'v5.18'
> # bad: [a812cac8ff60a3f57d59225eaf668f574fd36a65] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
> git bisect bad a812cac8ff60a3f57d59225eaf668f574fd36a65
> # bad: [ad67b5f981704e575b24e3b650653bae607980dc] Merge branch 'for-next' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git
> git bisect bad ad67b5f981704e575b24e3b650653bae607980dc
> # bad: [793dd6392ef951ae61473acfc7e7016ea22c40f4] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc.git
> git bisect bad 793dd6392ef951ae61473acfc7e7016ea22c40f4
> # good: [00ad84f582be91dd03132c133917cc6b62d754e2] Merge branch 'arm/dt' into for-next
> git bisect good 00ad84f582be91dd03132c133917cc6b62d754e2
> # bad: [5c4a49fbe99c7c9b814d677ac99e3efcc43d019a] Merge branch 'for-next/core' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
> git bisect bad 5c4a49fbe99c7c9b814d677ac99e3efcc43d019a
> # good: [33cd6948f953ab47ffa493bac6c0f34feb191e0d] Merge branch 'clang-format' of https://github.com/ojeda/linux.git
> git bisect good 33cd6948f953ab47ffa493bac6c0f34feb191e0d
> # good: [d6fc5db0f82828c74742319cb6c988c4a8aac535] Merge branch 'for-next/kselftest' into for-next/core
> git bisect good d6fc5db0f82828c74742319cb6c988c4a8aac535
> # good: [d7015e50a9ed180dcc3947635bb2b5711c37f48b] perf intel-pt: Add support for emulated ptwrite
> git bisect good d7015e50a9ed180dcc3947635bb2b5711c37f48b
> # good: [5b86b659fa4b3dd45acbdce13f2e94f882a3d125] Merge branch 'for-next' of git://git.infradead.org/users/hch/dma-mapping.git
> git bisect good 5b86b659fa4b3dd45acbdce13f2e94f882a3d125
> # good: [945980a9ba0744038659769e9f04e83e8f6b494b] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic.git
> git bisect good 945980a9ba0744038659769e9f04e83e8f6b494b
> # bad: [b6f21d14f1ac1261579b691673a0c823275cbaf8] ARM: 9204/2: module: Add all unwind tables when load module
> git bisect bad b6f21d14f1ac1261579b691673a0c823275cbaf8
> # bad: [c4f486f1e7b34b27ec578494a236061b337d50ae] ARM: 9198/1: spectre-bhb: simplify BPIALL vector macro
> git bisect bad c4f486f1e7b34b27ec578494a236061b337d50ae
> # bad: [7719a68b2fa404fa8af6b0b7119a38c406c74858] ARM: 9192/1: amba: fix memory leak in amba_device_try_add()
> git bisect bad 7719a68b2fa404fa8af6b0b7119a38c406c74858
> # good: [1f44de0f5e309e8699b569b49a8e89ef4e7527c7] ARM: 9193/1: amba: Add amba_read_periphid() helper
> git bisect good 1f44de0f5e309e8699b569b49a8e89ef4e7527c7
> # first bad commit: [7719a68b2fa404fa8af6b0b7119a38c406c74858] ARM: 9192/1: amba: fix memory leak in amba_device_try_add()
>
>
> .