From patchwork Fri May 19 23:03:14 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Linus Walleij X-Patchwork-Id: 100216 Delivered-To: patch@linaro.org Received: by 10.140.96.100 with SMTP id j91csp534157qge; Fri, 19 May 2017 16:03:31 -0700 (PDT) X-Received: by 10.98.131.142 with SMTP id h136mr13144436pfe.138.1495235011281; Fri, 19 May 2017 16:03:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1495235011; cv=none; d=google.com; s=arc-20160816; b=yBmL3Pw+9XZhMENMqm+FiFrF2vJzFPEypf6iXV34e7lbNZ1mN0dnO/mPvqH2Ub/oNO QbJio5rb2icfN7MrYLOebOZc0WyPYMcoDQXmuHPk4a642HwJ8vBRHPOm1F81BwqriJIy 24z6g898TKz1yMq/9V1+I33F23fwEPW8/zTmdepfFFUOgBwX9Ccc2XjToREvT9MXphs5 oN9FJE81twl9yA7dyIHwhQaNTWpANnFvtf+mnxfDiKYI+TKuwMo/6GOBOjPBO7afb+NK F4sslL9sESLMJCEJaLjV2kC9mSBQlejsAtlUjJugg9BAQ5IGJeztcZvfaWobqEhXwsPQ R9Jw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=D0BaOJ4rADXrei1cgfB/wMonnCH2NdmwLckgXQXYKkk=; b=KHo+WCi4dhyN33RGX1vmHfKwuzr76y5iyAW8RAm59bZwLTRo82oBUtLA6b0l28Do/f 5JXUEHHbxdMoyW5szWAJ1By2xBbn83z37lRVBAWBpOGBjQPmNPe58ygOvP2yeTo+TJvI nBgqmpnpvt050EUMjXnvhsgNTp+zpZ//bYeRD3hPMq6PKgs7A0o9c6+VFL2OL0wCjZ+E ZKYKBdQNmqzPQwzfOmxiYtCfXtWeWbJrY/iNSyUsHqEXOBki4qCRQKbPV9xRtUDfbxTw vQdiszCqWSnQ5oqj0Te4X0Ycq8GM0YdpKS5vd67qxMzFHnJVGUbiVqadoAbHw/cK3hmg fSwA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 63si9214515pgc.384.2017.05.19.16.03.30; Fri, 19 May 2017 16:03:31 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753396AbdESXD3 (ORCPT + 6 others); Fri, 19 May 2017 19:03:29 -0400 Received: from mail-lf0-f47.google.com ([209.85.215.47]:36439 "EHLO mail-lf0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751208AbdESXD2 (ORCPT ); Fri, 19 May 2017 19:03:28 -0400 Received: by mail-lf0-f47.google.com with SMTP id h4so7955404lfj.3 for ; Fri, 19 May 2017 16:03:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id; bh=D0BaOJ4rADXrei1cgfB/wMonnCH2NdmwLckgXQXYKkk=; b=Ghh/lf88os3Vo6L/Nb0i58nuB+FsExYy5zfFQ0EFpHcSSsBb7eU6Izj28VYDns0Ner /TTgo0JfmkzMtQM8vK41Uvnax+bBAPujXLFmwIjW8ATXF2PACyg/TmNT0N3pobLAmwxy 8ETVlIjqrK861JGXpLXgiD+XPPm1lPeee9K0U= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=D0BaOJ4rADXrei1cgfB/wMonnCH2NdmwLckgXQXYKkk=; b=LoDSNQj1QAb/bbf5pTYOgjuC/Qs7MVAX07+beaIJj//6B/DXNGTWPry1vF3F87X0FN t6PXMTPbqzJWVJcnE5eWr5Zq8cLVsWPK6FUK9hnGqbQBX4rApLFmbr0MtjQ4V4qSGMYD HG4n4fkVDy2PHgEJj3u11uckNH5iznO2h1iU6lchAJalXJ5ZwKZhSxxql43IPydrqOF/ 29i6OnvzzE1mQLrw2om1WZFXZQ6oe7OeDvvTg9PkIeQAMlyrZtyRKQnJN1rRfT9IoDv0 oQ8uXuu5nc1i2lsYmDiF2a/1OcYl+xX183FtmvVhOnRAbPKmGoNhqBhNPnjT56u0A2H+ 9NeA== X-Gm-Message-State: AODbwcA08wT8ke45/Vr7ER5DnLaYOrEc3xqcztGckFb92uuKxGrAraqQ K0Jxzb+NOCPWuXky X-Received: by 10.25.195.21 with SMTP id t21mr2781635lff.103.1495235006752; Fri, 19 May 2017 16:03:26 -0700 (PDT) Received: from fabina.bredbandsbolaget.se (c-787571d5.014-348-6c756e10.cust.bredbandsbolaget.se. [213.113.117.120]) by smtp.gmail.com with ESMTPSA id g42sm1750864ljg.35.2017.05.19.16.03.24 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 19 May 2017 16:03:25 -0700 (PDT) From: Linus Walleij To: Tejun Heo , Bartlomiej Zolnierkiewicz , linux-ide@vger.kernel.org Cc: Linus Walleij , stable@vger.kernel.org Subject: [PATCH] libata: Fix devres handling Date: Sat, 20 May 2017 01:03:14 +0200 Message-Id: <20170519230314.15718-1-linus.walleij@linaro.org> X-Mailer: git-send-email 2.9.4 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org The ATA hosts are allocated using devres with: host = devres_alloc(ata_host_release, sz, GFP_KERNEL); However in the ata_host_release() function the host is retrieved using dev_get_drvdata() which is not what other devres handlers do, instead we should probably use the passed resource. Before this my kernel crashes badly when I fail to start a host in ata_host_start() and need to bail out, because dev_get_drvdata() gets the wrong-but-almost-correct pointer (so on some systems it may by chance be the right pointer what do I know). On ARMv4 Gemini it is not: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1 at ../lib/refcount.c:184 refcount_sub_and_test+0x9c/0xac refcount_t: underflow; use-after-free. CPU: 0 PID: 1 Comm: swapper Not tainted 4.12.0-rc1+ #657 Hardware name: Gemini (Device Tree) [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [] (show_stack) from [] (__warn+0xcc/0xf4) [] (__warn) from [] (warn_slowpath_fmt+0x38/0x48) [] (warn_slowpath_fmt) from [] (refcount_sub_and_test+0x9c/0xac) [] (refcount_sub_and_test) from [] (kobject_put+0x28/0xe0) [] (kobject_put) from [] (ata_host_release+0xb0/0x144) [] (ata_host_release) from [] (release_nodes+0x178/0x1fc) [] (release_nodes) from [] (driver_probe_device+0xd0/0x2dc) [] (driver_probe_device) from [] (__driver_attach+0xbc/0xc0) [] (__driver_attach) from [] (bus_for_each_dev+0x70/0xa0) [] (bus_for_each_dev) from [] (bus_add_driver+0x178/0x200) [] (bus_add_driver) from [] (driver_register+0x78/0xf8) [] (driver_register) from [] (do_one_initcall+0xac/0x174) [] (do_one_initcall) from [] (kernel_init_freeable+0x114/0x1cc) [] (kernel_init_freeable) from [] (kernel_init+0x8/0xf4) [] (kernel_init) from [] (ret_from_fork+0x14/0x24) ---[ end trace 0a4570446a019085 ]--- Then there is a second (worse) crash when it tries to iterate to the next port. But it is all because the host pointer is wrong. In this case, the host should be 0xc7a3f3d0 as it was when it got allocated but instead what dev_get_drvdata() returns is 0xc7a3f370. Using the passed resource gives the right pointer. Cc: stable@vger.kernel.org Signed-off-by: Linus Walleij --- drivers/ata/libata-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.9.4 diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index 2d83b8c75965..5487c4a29bc3 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -5921,7 +5921,7 @@ struct ata_port *ata_port_alloc(struct ata_host *host) static void ata_host_release(struct device *gendev, void *res) { - struct ata_host *host = dev_get_drvdata(gendev); + struct ata_host *host = res; int i; for (i = 0; i < host->n_ports; i++) {