From patchwork Tue May 21 16:26:22 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Garry X-Patchwork-Id: 164740 Delivered-To: patch@linaro.org Received: by 2002:a92:9e1a:0:0:0:0:0 with SMTP id q26csp1816747ili; Tue, 21 May 2019 09:28:22 -0700 (PDT) X-Google-Smtp-Source: APXvYqy4xLEdUrSTXNufwGs8qFg9oYAcpki7rZ9EHg+/CkURqMubrMgkId5sVf1kICdrqU+m6szI X-Received: by 2002:aa7:8a87:: with SMTP id a7mr50738879pfc.53.1558456102140; Tue, 21 May 2019 09:28:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558456102; cv=none; d=google.com; s=arc-20160816; b=FPJPYio2dzC2uxqqh+UmX1Ls7yPRfr4siFCZMZP1SQ4sdMLx9P08uxrrNd9WWgExKu llG2pyWlBbdbdyxAkQfFbmcyOqJX9vn6eZVs0Ip3o9iHdI5kYB3d2pptAK/t8aBGWaHi pBb3+cCs/T93hWFIo5PsGpuPjMLt1em4Jp0I3isNQqEh64gGg+87ZuzE14MyXF2XNLTs C7rt1RlIMXVHDZSZK+NCBhWKYJfa08ka+u10QmoZh+oRL+nPUZ5yOk7jJk5qBmFOUtw3 qdiZE/7BNwoFrfjZEHklyzggfZyEGsia2qs9Urwb4iFAMTcPZenwNftRv5RTUkObfCEF 58ag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:subject:cc :to:from; bh=kyFAQFmDcM0z4DKM5xpLVR6XQKdTvtKl4qZ8tiEI7/Y=; b=vaHDaUgwiMQwOa66t+GEtWdtMiQaKi+dXfwBRforB+w0WPu6mlmijdrJLA/7axaH/Z PtHNHrXVSUQfRNNSqB3YWv41Gi2t2cpAjG5zCCX6PTabSwJHMpqdqkOoxItsSaUUyVL/ 5GUbikT1Kx3UlGfuCTa4L+u//TTxCU0BogOrDuHnmIFdvBu5jzwoLQAESNoGg1aTSAA2 o56SpQUQLDIz9QMWg9le+WZZDX1Waq/QWIak5Bjw746w7cYyS7gUj6TsO676VEEcL2CJ /84ZqEWOAbEq5Ns85JWBNFqKH1CnL9eyAsbkdPcvW0SBq6sgNizP3HHsnbVNUGeGue/L rwPA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u133si18161317pfc.72.2019.05.21.09.28.21; Tue, 21 May 2019 09:28:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728289AbfEUQ2V (ORCPT + 14 others); Tue, 21 May 2019 12:28:21 -0400 Received: from szxga05-in.huawei.com ([45.249.212.191]:8228 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728273AbfEUQ2V (ORCPT ); Tue, 21 May 2019 12:28:21 -0400 Received: from DGGEMS412-HUB.china.huawei.com (unknown [172.30.72.59]) by Forcepoint Email with ESMTP id 3B87D98008AC68E1E6B5; Wed, 22 May 2019 00:28:19 +0800 (CST) Received: from localhost.localdomain (10.67.212.75) by DGGEMS412-HUB.china.huawei.com (10.3.19.212) with Microsoft SMTP Server id 14.3.439.0; Wed, 22 May 2019 00:27:16 +0800 From: John Garry To: CC: , , John Garry , Greg Kroah-Hartman Subject: [PATCH stable 4.20 - 5.1] driver core: Postpone DMA tear-down until after devres release for probe failure Date: Wed, 22 May 2019 00:26:22 +0800 Message-ID: <1558455982-17806-1-git-send-email-john.garry@huawei.com> X-Mailer: git-send-email 2.8.1 MIME-Version: 1.0 X-Originating-IP: [10.67.212.75] X-CFilter-Loop: Reflected Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org commit 0b777eee88d712256ba8232a9429edb17c4f9ceb upstream In commit 376991db4b64 ("driver core: Postpone DMA tear-down until after devres release"), we changed the ordering of tearing down the device DMA ops and releasing all the device's resources; this was because the DMA ops should be maintained until we release the device's managed DMA memories. However, we have seen another crash on an arm64 system when a device driver probe fails: hisi_sas_v3_hw 0000:74:02.0: Adding to iommu group 2 scsi host1: hisi_sas_v3_hw BUG: Bad page state in process swapper/0 pfn:313f5 page:ffff7e0000c4fd40 count:1 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0xfffe00000001000(reserved) raw: 0fffe00000001000 ffff7e0000c4fd48 ffff7e0000c4fd48 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set bad because of flags: 0x1000(reserved) Modules linked in: CPU: 49 PID: 1 Comm: swapper/0 Not tainted 5.1.0-rc1-43081-g22d97fd-dirty #1433 Hardware name: Huawei D06/D06, BIOS Hisilicon D06 UEFI RC0 - V1.12.01 01/29/2019 Call trace: dump_backtrace+0x0/0x118 show_stack+0x14/0x1c dump_stack+0xa4/0xc8 bad_page+0xe4/0x13c free_pages_check_bad+0x4c/0xc0 __free_pages_ok+0x30c/0x340 __free_pages+0x30/0x44 __dma_direct_free_pages+0x30/0x38 dma_direct_free+0x24/0x38 dma_free_attrs+0x9c/0xd8 dmam_release+0x20/0x28 release_nodes+0x17c/0x220 devres_release_all+0x34/0x54 really_probe+0xc4/0x2c8 driver_probe_device+0x58/0xfc device_driver_attach+0x68/0x70 __driver_attach+0x94/0xdc bus_for_each_dev+0x5c/0xb4 driver_attach+0x20/0x28 bus_add_driver+0x14c/0x200 driver_register+0x6c/0x124 __pci_register_driver+0x48/0x50 sas_v3_pci_driver_init+0x20/0x28 do_one_initcall+0x40/0x25c kernel_init_freeable+0x2b8/0x3c0 kernel_init+0x10/0x100 ret_from_fork+0x10/0x18 Disabling lock debugging due to kernel taint BUG: Bad page state in process swapper/0 pfn:313f6 page:ffff7e0000c4fd80 count:1 mapcount:0 mapping:0000000000000000 index:0x0 [ 89.322983] flags: 0xfffe00000001000(reserved) raw: 0fffe00000001000 ffff7e0000c4fd88 ffff7e0000c4fd88 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 The crash occurs for the same reason. In this case, on the really_probe() failure path, we are still clearing the DMA ops prior to releasing the device's managed memories. This patch fixes this issue by reordering the DMA ops teardown and the call to devres_release_all() on the failure path. Reported-by: Xiang Chen Tested-by: Xiang Chen Signed-off-by: John Garry Cc: stable # 4.20.x - 5.1.x Reviewed-by: Robin Murphy Signed-off-by: Greg Kroah-Hartman Signed-off-by: John Garry -- 2.17.1 diff --git a/drivers/base/dd.c b/drivers/base/dd.c index b4ee11d6e665..b55d372e9aba 100644 --- a/drivers/base/dd.c +++ b/drivers/base/dd.c @@ -483,7 +483,7 @@ static int really_probe(struct device *dev, struct device_driver *drv) if (dev->bus->dma_configure) { ret = dev->bus->dma_configure(dev); if (ret) - goto dma_failed; + goto probe_failed; } if (driver_sysfs_add(dev)) { @@ -539,14 +539,13 @@ static int really_probe(struct device *dev, struct device_driver *drv) goto done; probe_failed: - arch_teardown_dma_ops(dev); -dma_failed: if (dev->bus) blocking_notifier_call_chain(&dev->bus->p->bus_notifier, BUS_NOTIFY_DRIVER_NOT_BOUND, dev); pinctrl_bind_failed: device_links_no_driver(dev); devres_release_all(dev); + arch_teardown_dma_ops(dev); driver_sysfs_remove(dev); dev->driver = NULL; dev_set_drvdata(dev, NULL);