Re: [PATCH] driver core: platform: Fix the usage of platform device name(pdev->name)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Guenter Roeck <linux@roeck-us.net>
To: Venkata Narendra Kumar Gutta <vnkgutta@codeaurora.org>
Cc: gregkh@linuxfoundation.org, davem@davemloft.net,
	alexander.deucher@amd.com, tsoni@codeaurora.org,
	psodagud@codeaurora.org, jshriram@codeaurora.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] driver core: platform: Fix the usage of platform device name(pdev->name)
Date: Mon, 29 Apr 2019 11:20:58 -0700	[thread overview]
Message-ID: <20190429182058.GA31126@roeck-us.net> (raw)
In-Reply-To: <1555978589-4998-1-git-send-email-vnkgutta@codeaurora.org>

Hi,

On Mon, Apr 22, 2019 at 05:16:29PM -0700, Venkata Narendra Kumar Gutta wrote:
> Platform core is using pdev->name as the platform device name to do
> the binding of the devices with the drivers. But, when the platform
> driver overrides the platform device name with dev_set_name(),
> the pdev->name is pointing to a location which is freed and becomes
> an invalid parameter to do the binding match.
> 
> use-after-free instance:
> 
> [   33.325013] BUG: KASAN: use-after-free in strcmp+0x8c/0xb0
> [   33.330646] Read of size 1 at addr ffffffc10beae600 by task modprobe
> [   33.339068] CPU: 5 PID: 518 Comm: modprobe Tainted:
> 			G S      W  O      4.19.30+ #3
> [   33.346835] Hardware name: MTP (DT)
> [   33.350419] Call trace:
> [   33.352941]  dump_backtrace+0x0/0x3b8
> [   33.356713]  show_stack+0x24/0x30
> [   33.360119]  dump_stack+0x160/0x1d8
> [   33.363709]  print_address_description+0x84/0x2e0
> [   33.368549]  kasan_report+0x26c/0x2d0
> [   33.372322]  __asan_report_load1_noabort+0x2c/0x38
> [   33.377248]  strcmp+0x8c/0xb0
> [   33.380306]  platform_match+0x70/0x1f8
> [   33.384168]  __driver_attach+0x78/0x3a0
> [   33.388111]  bus_for_each_dev+0x13c/0x1b8
> [   33.392237]  driver_attach+0x4c/0x58
> [   33.395910]  bus_add_driver+0x350/0x560
> [   33.399854]  driver_register+0x23c/0x328
> [   33.403886]  __platform_driver_register+0xd0/0xe0
> 
> So, use dev_name(&pdev->dev), which fetches the platform device name from
> the kobject(dev->kobj->name) of the device instead of the pdev->name.
> 
> Signed-off-by: Venkata Narendra Kumar Gutta <vnkgutta@codeaurora.org>

This patch results in a large number of crashes (statistics: total: 349
pass: 244 fail: 105) in my boot tests (https://kerneltests.org/builders).
Affected architectures are (at least) arm, m68k, mips, ppc, and sh.
The reason for the crash is different for each architecture. Sometimes
the boot will stall, sometimes there is a crash, and sometimes the system
will fail to restart.

Here is an example for a log message, seen on arm (and m68k, but with ttyS
instead of ttySA).

WARNING: CPU: 0 PID: 1 at drivers/tty/tty_io.c:1349 tty_init_dev+0x14c/0x1a4
tty_init_dev: ttySA driver does not set tty->port. This will crash the kernel later. Fix the driver!

This is then indeed followed by a crash in tty_init_dev().

Bisect log for m68k attached below. Reverting this patch fixes the
problem at least for arm, m68k, and mips images.

Guenter

---
# bad: [3d17a1de96a233cf89bfbb5a77ebb1a05c420681] Add linux-next specific files for 20190429
# good: [085b7755808aa11f78ab9377257e1dad2e6fa4bb] Linux 5.1-rc6
git bisect start 'HEAD' 'v5.1-rc6'
# good: [48ea994d711ca2e66038741e549f3ebd3072e215] Merge remote-tracking branch 'crypto/master'
git bisect good 48ea994d711ca2e66038741e549f3ebd3072e215
# good: [2d49c5dbbd93045625927b6acf54bf43f86f97fd] Merge remote-tracking branch 'spi/for-next'
git bisect good 2d49c5dbbd93045625927b6acf54bf43f86f97fd
# bad: [7d38461c1c19569f7952c66913b38a78b2c51828] Merge remote-tracking branch 'staging/staging-next'
git bisect bad 7d38461c1c19569f7952c66913b38a78b2c51828
# bad: [b827800209cf30ed4e2d3a503044014b56f2b06f] Merge remote-tracking branch 'tty/tty-next'
git bisect bad b827800209cf30ed4e2d3a503044014b56f2b06f
# good: [e643fe145f03134a9de2b8996e11e03b8a0cd90a] Merge remote-tracking branch 'tip/auto-latest'
git bisect good e643fe145f03134a9de2b8996e11e03b8a0cd90a
# good: [cac573af020fbe8b16c1c769ed692126b8eceb69] Merge remote-tracking branch 'ipmi/for-next'
git bisect good cac573af020fbe8b16c1c769ed692126b8eceb69
# good: [ad74b8649beaf1a22cf8641324e3321fa0269d16] usb: typec: ucsi: Preliminary support for alternate modes
git bisect good ad74b8649beaf1a22cf8641324e3321fa0269d16
# bad: [9dc730c74af21b8403a9befba0f5f2e3bd9d6be4] Merge remote-tracking branch 'usb/usb-next'
git bisect bad 9dc730c74af21b8403a9befba0f5f2e3bd9d6be4
# good: [ab3a9f2ccc080d27873f76869c9a780be45e581e] acpi/hmat: fix an uninitialized memory_target
git bisect good ab3a9f2ccc080d27873f76869c9a780be45e581e
# good: [70283454c918f1d65de0ec50c45ef592d781bcae] livepatch: Replace klp_ktype_patch's default_attrs with groups
git bisect good 70283454c918f1d65de0ec50c45ef592d781bcae
# good: [33e39350ebd20fe6a77a51b8c21c3aa6b4a208cf] usb: xhci: add Immediate Data Transfer support
git bisect good 33e39350ebd20fe6a77a51b8c21c3aa6b4a208cf
# good: [5afa0a5ed3da85f64f27613a38daa1c4f69dd8ff] usb: xhci: add endpoint context tracing when an endpoint is added
git bisect good 5afa0a5ed3da85f64f27613a38daa1c4f69dd8ff
# bad: [a85b96e9e11d97a1fb4a683030d6aa98e1a872e8] Merge remote-tracking branch 'driver-core/driver-core-next'
git bisect bad a85b96e9e11d97a1fb4a683030d6aa98e1a872e8
# bad: [edb16da34b084c66763f29bee42b4e6bb33c3d66] driver core: platform: Fix the usage of platform device name(pdev->name)
git bisect bad edb16da34b084c66763f29bee42b4e6bb33c3d66
# first bad commit: [edb16da34b084c66763f29bee42b4e6bb33c3d66] driver core: platform: Fix the usage of platform device name(pdev->name)

next prev parent reply	other threads:[~2019-04-29 18:21 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-23  0:16 [PATCH] driver core: platform: Fix the usage of platform device name(pdev->name) Venkata Narendra Kumar Gutta
2019-04-29 15:07 ` Krzysztof Kozlowski
2019-04-29 15:07   ` Krzysztof Kozlowski
2019-04-29 17:50   ` Greg KH
2019-04-29 17:50     ` Greg KH
2019-04-29 18:20 ` Guenter Roeck [this message]
2019-04-30  7:24   ` Greg KH
2023-11-28  7:12 ` sparkhuang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190429182058.GA31126@roeck-us.net \
    --to=linux@roeck-us.net \
    --cc=alexander.deucher@amd.com \
    --cc=davem@davemloft.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=jshriram@codeaurora.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=psodagud@codeaurora.org \
    --cc=tsoni@codeaurora.org \
    --cc=vnkgutta@codeaurora.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.