From: Niklas Cassel <cassel@kernel.org>
To: Christian Bruel <christian.bruel@foss.st.com>
Cc: manivannan.sadhasivam@linaro.org, kw@linux.com,
kishon@kernel.org, bhelgaas@google.com, Frank.Li@nxp.com,
dlemoal@kernel.org, fabrice.gasnier@foss.st.com,
linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] PCI: endpoint: pci-epf-test: Fix double free Oops
Date: Fri, 17 Jan 2025 11:40:50 +0100
Message-ID: <Z4ozsi_Le-Nk_25N@ryzen>
In-Reply-To: <20250117090903.3329039-1-christian.bruel@foss.st.com>
On Fri, Jan 17, 2025 at 10:09:03AM +0100, Christian Bruel wrote:
> Fixes an oops found while testing the stm32_pcie ep driver with handling
> of PERST# deassertion:
>
> [ 92.154549] ------------[ cut here ]------------
> [ 92.159093] Trying to vunmap() nonexistent vm area (0000000031e0f06f)
> ...
> [ 92.288763] vunmap+0x58/0x60 (P)
> [ 92.292096] dma_direct_free+0x88/0x18c
> [ 92.295932] dma_free_attrs+0x84/0xf8
> [ 92.299664] pci_epf_free_space+0x48/0x78
> [ 92.303698] pci_epf_test_epc_init+0x184/0x3c0 [pci_epf_test]
> [ 92.309446] pci_epc_init_notify+0x70/0xb4
> [ 92.313578] stm32_pcie_ep_perst_irq_thread+0xf8/0x24c
> ...
Personally, I would omit the stack trace.
>
> During EP initialization, pci_epf_test_alloc_space allocates all BARs,
> which are further freed if epc_set_bar fails (for instance, due to
> no free inbound window).
>
> However, when pci_epc_set_bar fails, the error path:
> pci_epc_set_bar -> pci_epf_free_space
> does not reset epf_test->reg[bar].
>
> Then, if the host reboots, PERST# deassertion restarts the BAR allocation
> sequence with the same allocation failure (no free inbound window).
>
> So, two subsequent calls to the sequence:
>
> 		if (!epf_test->reg[bar])
> 			continue;
>
> 		ret = pci_epc_set_bar(epc, epf->func_no, epf->vfunc_no, &epf->bar[bar]);
> 		if (ret) {
> 			pci_epf_free_space(epf, epf_test->reg[bar], bar, PRIMARY_INTERFACE);
> 		}
Personally, I would omit the copy pasted code.
>
> create a double free situation since epf_test->reg[bar] was deallocated
> and is still non-NULL.
>
> This patch makes pci_epf_alloc_space/pci_epf_free_space symmetric
> by resetting epf_test->reg[bar] when memory is deallocated.
>
> Signed-off-by: Christian Bruel <christian.bruel@foss.st.com>
> ---
Reviewed-by: Niklas Cassel <cassel@kernel.org>
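The stale-slot double free described in the commit message, as a constructed C model added here (it is not code from the kernel or from either poster): the buffer allocation, the failing pci_epc_set_bar() and the free are replaced by stand-ins, the alive[] bookkeeping and the UNMAPPABLE_BAR constant are assumptions, and two init passes stand for the two PERST# deassertions across a host reboot.

```c
#include <stdbool.h>
#include <string.h>

#define BAR_COUNT 6
#define UNMAPPABLE_BAR 2 /* constructed: the BAR with no free inbound window */

/* Constructed model: reg[bar] mirrors epf_test->reg[bar]; alive[] is bookkeeping
 * the real code lacks, added only so a double free can be counted, not crash. */
struct epf_model {
	void *reg[BAR_COUNT];
	bool alive[BAR_COUNT];
	int double_frees;
};
static char pool[BAR_COUNT][64]; /* stands in for the DMA-coherent buffers */

/* Like pci_epf_free_space(), this cannot clear the caller's reg[bar] slot.
 * Freeing an already dead buffer is what produced the vunmap() warning. */
static void model_free_space(struct epf_model *m, int bar)
{
	if (!m->alive[bar])
		m->double_frees++;
	m->alive[bar] = false;
}
/* One PERST#-triggered init pass: allocate empty slots, then map each BAR. */
static void model_epc_init(struct epf_model *m, bool clear_slot_on_free)
{
	for (int bar = 0; bar < BAR_COUNT; bar++)
		if (!m->reg[bar]) { /* alloc_space: a stale pointer is skipped */
			m->reg[bar] = pool[bar];
			m->alive[bar] = true;
		}
	for (int bar = 0; bar < BAR_COUNT; bar++) {
		if (!m->reg[bar])
			continue;
		if (bar == UNMAPPABLE_BAR) { /* pci_epc_set_bar() fails */
			model_free_space(m, bar);
			if (clear_slot_on_free)
				m->reg[bar] = NULL; /* the fix: alloc/free stay symmetric */
		}
	}
}
/* Host reboots once: PERST# deasserts twice, so init runs twice. Returns the
 * double frees seen, 1 with the stale pointer and 0 with the fix applied. */
int double_frees_after_two_resets(bool clear_slot_on_free)
{
	struct epf_model m;
	memset(&m, 0, sizeof(m));
	model_epc_init(&m, clear_slot_on_free);
	model_epc_init(&m, clear_slot_on_free);
	return m.double_frees;
}
```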
Thread overview (3+ messages):
2025-01-17 9:09 [PATCH] PCI: endpoint: pci-epf-test: Fix double free Oops Christian Bruel
2025-01-17 10:40 ` Niklas Cassel [this message]
2025-01-24 7:48 ` Manivannan Sadhasivam