PCI: rcar-gen2: Fix crash in resource_list_first_type()

Message ID	20200804120430.9253-1-geert+renesas@glider.be (mailing list archive)
State	Accepted, archived
Delegated to:	Lorenzo Pieralisi
Headers	show Return-Path: <SRS0=QtGK=BO=vger.kernel.org=linux-pci-owner@kernel.org> From: Geert Uytterhoeven <geert+renesas@glider.be> To: Rob Herring <robh@kernel.org>, Marek Vasut <marek.vasut+renesas@gmail.com>, Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>, Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>, Bjorn Helgaas <bhelgaas@google.com> Cc: linux-pci@vger.kernel.org, linux-renesas-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Geert Uytterhoeven <geert+renesas@glider.be> Subject: [PATCH] PCI: rcar-gen2: Fix crash in resource_list_first_type() Date: Tue, 4 Aug 2020 14:04:30 +0200 Message-Id: <20200804120430.9253-1-geert+renesas@glider.be> Sender: linux-pci-owner@vger.kernel.org Precedence: bulk
Series	PCI: rcar-gen2: Fix crash in resource_list_first_type() \| expand PCI: rcar-gen2: Fix crash in resource_list_first_type()

Message ID

20200804120430.9253-1-geert+renesas@glider.be (mailing list archive)

State

Accepted, archived

Delegated to:

Lorenzo Pieralisi

Headers

From: Geert Uytterhoeven <geert+renesas@glider.be>
To: Rob Herring <robh@kernel.org>,
        Marek Vasut <marek.vasut+renesas@gmail.com>,
        Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>,
        Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>,
        Bjorn Helgaas <bhelgaas@google.com>
Cc: linux-pci@vger.kernel.org, linux-renesas-soc@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        Geert Uytterhoeven <geert+renesas@glider.be>
Subject: [PATCH] PCI: rcar-gen2: Fix crash in resource_list_first_type()
Date: Tue,  4 Aug 2020 14:04:30 +0200
Message-Id: <20200804120430.9253-1-geert+renesas@glider.be>
Sender: linux-pci-owner@vger.kernel.org
Precedence: bulk

Series

PCI: rcar-gen2: Fix crash in resource_list_first_type() | expand

Commit Message

Geert Uytterhoeven Aug. 4, 2020, 12:04 p.m. UTC

The conversion to modern host bridge probing made the driver allocate
its private data using devm_pci_alloc_host_bridge(), but forgot to
remove the old allocation.  Hence part of the driver initialization is
done using the new instance, while another part is done using the old
instance, leading to a crash due to uninitialized bridge DMA ranges:

    Unable to handle kernel NULL pointer dereference at virtual address 00000008
    pgd = (ptrval)
    [00000008] *pgd=00000000
    Internal error: Oops: 5 [#1] SMP ARM
    CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.8.0-rc1-shmobile-00035-g92d69cc6275845a7 #645
    Hardware name: Generic R-Car Gen2 (Flattened Device Tree)
    PC is at rcar_pci_probe+0x154/0x340
    LR is at _raw_spin_unlock_irqrestore+0x18/0x20

Fix this by dropping the old allocation.

Fixes: 92d69cc6275845a7 ("PCI: rcar-gen2: Convert to use modern host bridge probe functions")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
---
 drivers/pci/controller/pci-rcar-gen2.c | 4 ----
 1 file changed, 4 deletions(-)

Comments

Rob Herring (Arm) Aug. 4, 2020, 3:13 p.m. UTC | #1

On Tue, Aug 4, 2020 at 6:04 AM Geert Uytterhoeven
<geert+renesas@glider.be> wrote:
>
> The conversion to modern host bridge probing made the driver allocate
> its private data using devm_pci_alloc_host_bridge(), but forgot to
> remove the old allocation.  Hence part of the driver initialization is
> done using the new instance, while another part is done using the old
> instance, leading to a crash due to uninitialized bridge DMA ranges:
>
>     Unable to handle kernel NULL pointer dereference at virtual address 00000008
>     pgd = (ptrval)
>     [00000008] *pgd=00000000
>     Internal error: Oops: 5 [#1] SMP ARM
>     CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.8.0-rc1-shmobile-00035-g92d69cc6275845a7 #645
>     Hardware name: Generic R-Car Gen2 (Flattened Device Tree)
>     PC is at rcar_pci_probe+0x154/0x340
>     LR is at _raw_spin_unlock_irqrestore+0x18/0x20
>
> Fix this by dropping the old allocation.
>
> Fixes: 92d69cc6275845a7 ("PCI: rcar-gen2: Convert to use modern host bridge probe functions")
> Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
> ---
>  drivers/pci/controller/pci-rcar-gen2.c | 4 ----
>  1 file changed, 4 deletions(-)

Acked-by: Rob Herring <robh@kernel.org>

Lorenzo Pieralisi Aug. 4, 2020, 4:13 p.m. UTC | #2

On Tue, Aug 04, 2020 at 02:04:30PM +0200, Geert Uytterhoeven wrote:
> The conversion to modern host bridge probing made the driver allocate
> its private data using devm_pci_alloc_host_bridge(), but forgot to
> remove the old allocation.  Hence part of the driver initialization is
> done using the new instance, while another part is done using the old
> instance, leading to a crash due to uninitialized bridge DMA ranges:
> 
>     Unable to handle kernel NULL pointer dereference at virtual address 00000008
>     pgd = (ptrval)
>     [00000008] *pgd=00000000
>     Internal error: Oops: 5 [#1] SMP ARM
>     CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.8.0-rc1-shmobile-00035-g92d69cc6275845a7 #645
>     Hardware name: Generic R-Car Gen2 (Flattened Device Tree)
>     PC is at rcar_pci_probe+0x154/0x340
>     LR is at _raw_spin_unlock_irqrestore+0x18/0x20
> 
> Fix this by dropping the old allocation.
> 
> Fixes: 92d69cc6275845a7 ("PCI: rcar-gen2: Convert to use modern host bridge probe functions")
> Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
> ---
>  drivers/pci/controller/pci-rcar-gen2.c | 4 ----
>  1 file changed, 4 deletions(-)

Squashed in the initial commit, pushed out on pci/misc.

Thanks,
Lorenzo

> diff --git a/drivers/pci/controller/pci-rcar-gen2.c b/drivers/pci/controller/pci-rcar-gen2.c
> index 046965d284a6d54e..c9530038ca9a53fc 100644
> --- a/drivers/pci/controller/pci-rcar-gen2.c
> +++ b/drivers/pci/controller/pci-rcar-gen2.c
> @@ -302,10 +302,6 @@ static int rcar_pci_probe(struct platform_device *pdev)
>  	if (mem_res->start & 0xFFFF)
>  		return -EINVAL;
>  
> -	priv = devm_kzalloc(dev, sizeof(struct rcar_pci_priv), GFP_KERNEL);
> -	if (!priv)
> -		return -ENOMEM;
> -
>  	priv->mem_res = *mem_res;
>  	priv->cfg_res = cfg_res;
>  
> -- 
> 2.17.1
>

Bjorn Helgaas Aug. 4, 2020, 4:22 p.m. UTC | #3

On Tue, Aug 04, 2020 at 05:13:25PM +0100, Lorenzo Pieralisi wrote:
> On Tue, Aug 04, 2020 at 02:04:30PM +0200, Geert Uytterhoeven wrote:
> > The conversion to modern host bridge probing made the driver allocate
> > its private data using devm_pci_alloc_host_bridge(), but forgot to
> > remove the old allocation.  Hence part of the driver initialization is
> > done using the new instance, while another part is done using the old
> > instance, leading to a crash due to uninitialized bridge DMA ranges:
> > 
> >     Unable to handle kernel NULL pointer dereference at virtual address 00000008
> >     pgd = (ptrval)
> >     [00000008] *pgd=00000000
> >     Internal error: Oops: 5 [#1] SMP ARM
> >     CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.8.0-rc1-shmobile-00035-g92d69cc6275845a7 #645
> >     Hardware name: Generic R-Car Gen2 (Flattened Device Tree)
> >     PC is at rcar_pci_probe+0x154/0x340
> >     LR is at _raw_spin_unlock_irqrestore+0x18/0x20
> > 
> > Fix this by dropping the old allocation.
> > 
> > Fixes: 92d69cc6275845a7 ("PCI: rcar-gen2: Convert to use modern host bridge probe functions")
> > Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
> > ---
> >  drivers/pci/controller/pci-rcar-gen2.c | 4 ----
> >  1 file changed, 4 deletions(-)
> 
> Squashed in the initial commit, pushed out on pci/misc.

I updated my 'next' branch with this.

Rob, are there any similar issues in other drivers that we should fix
before asking Linus to pull this?

> > diff --git a/drivers/pci/controller/pci-rcar-gen2.c b/drivers/pci/controller/pci-rcar-gen2.c
> > index 046965d284a6d54e..c9530038ca9a53fc 100644
> > --- a/drivers/pci/controller/pci-rcar-gen2.c
> > +++ b/drivers/pci/controller/pci-rcar-gen2.c
> > @@ -302,10 +302,6 @@ static int rcar_pci_probe(struct platform_device *pdev)
> >  	if (mem_res->start & 0xFFFF)
> >  		return -EINVAL;
> >  
> > -	priv = devm_kzalloc(dev, sizeof(struct rcar_pci_priv), GFP_KERNEL);
> > -	if (!priv)
> > -		return -ENOMEM;
> > -
> >  	priv->mem_res = *mem_res;
> >  	priv->cfg_res = cfg_res;
> >  
> > -- 
> > 2.17.1
> >

Rob Herring (Arm) Aug. 4, 2020, 4:48 p.m. UTC | #4

On Tue, Aug 4, 2020 at 10:22 AM Bjorn Helgaas <helgaas@kernel.org> wrote:
>
> On Tue, Aug 04, 2020 at 05:13:25PM +0100, Lorenzo Pieralisi wrote:
> > On Tue, Aug 04, 2020 at 02:04:30PM +0200, Geert Uytterhoeven wrote:
> > > The conversion to modern host bridge probing made the driver allocate
> > > its private data using devm_pci_alloc_host_bridge(), but forgot to
> > > remove the old allocation.  Hence part of the driver initialization is
> > > done using the new instance, while another part is done using the old
> > > instance, leading to a crash due to uninitialized bridge DMA ranges:
> > >
> > >     Unable to handle kernel NULL pointer dereference at virtual address 00000008
> > >     pgd = (ptrval)
> > >     [00000008] *pgd=00000000
> > >     Internal error: Oops: 5 [#1] SMP ARM
> > >     CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.8.0-rc1-shmobile-00035-g92d69cc6275845a7 #645
> > >     Hardware name: Generic R-Car Gen2 (Flattened Device Tree)
> > >     PC is at rcar_pci_probe+0x154/0x340
> > >     LR is at _raw_spin_unlock_irqrestore+0x18/0x20
> > >
> > > Fix this by dropping the old allocation.
> > >
> > > Fixes: 92d69cc6275845a7 ("PCI: rcar-gen2: Convert to use modern host bridge probe functions")
> > > Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
> > > ---
> > >  drivers/pci/controller/pci-rcar-gen2.c | 4 ----
> > >  1 file changed, 4 deletions(-)
> >
> > Squashed in the initial commit, pushed out on pci/misc.
>
> I updated my 'next' branch with this.
>
> Rob, are there any similar issues in other drivers that we should fix
> before asking Linus to pull this?

I'd expect only different issues. :)

This commit is unique as it was using the old arm32 PCI functions and
the most complicated change of the lot.

Rob

diff --git a/drivers/pci/controller/pci-rcar-gen2.c b/drivers/pci/controller/pci-rcar-gen2.c
index 046965d284a6d54e..c9530038ca9a53fc 100644
--- a/drivers/pci/controller/pci-rcar-gen2.c
+++ b/drivers/pci/controller/pci-rcar-gen2.c
@@ -302,10 +302,6 @@  static int rcar_pci_probe(struct platform_device *pdev)
 	if (mem_res->start & 0xFFFF)
 		return -EINVAL;
 
-	priv = devm_kzalloc(dev, sizeof(struct rcar_pci_priv), GFP_KERNEL);
-	if (!priv)
-		return -ENOMEM;
-
 	priv->mem_res = *mem_res;
 	priv->cfg_res = cfg_res;

PCI: rcar-gen2: Fix crash in resource_list_first_type()

Commit Message

Comments

Patch