* [PATCH] Fix crash due to processing "memory-controller" nodes as "memory"
@ 2015-07-20  8:20 Ian Munsie
  2015-07-20  8:25 ` Ian Munsie
  2015-07-21  2:45 ` Anton Blanchard
  0 siblings, 2 replies; 10+ messages in thread
From: Ian Munsie @ 2015-07-20  8:20 UTC (permalink / raw)
  To: Anton Blanchard
  Cc: sonal.santan, linuxppc-dev, Samuel Mendoza-Jonas, Jeremy Kerr,
	Michael Neuling, Ian Munsie
From: Ian Munsie <imunsie@au1.ibm.com>
If the system has a PCI device with a memory-controller device node,
kexec-lite would spew hundreds of double free warnings and eventually
segfault. This would result in a "kexec load failed" message from
petitboot.
This was due to kexec_memory_map() searching for "memory" nodes, but
actually matching any node that started with "memory", including these
"memory-controller" nodes. This patch changes the search to look for
nodes starting with "memory@", which should only match memory nodes.
An example of a device tree that can trigger this bug is as follows:
{
	pciex@3fffe40000000 {
		...
		pci@0 {
			#address-cells = <0x3>;
			#size-cells = <0x2>;
			...
			memory-controller@0 {
				reg = <0x10000 0x0 0x0 0x0 0x0>;
				...
			};
		};
	};
};
Signed-off-by: Ian Munsie <imunsie@au1.ibm.com>
---
 kexec_memory_map.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kexec_memory_map.c b/kexec_memory_map.c
index fc1b7af..7f18de7 100644
--- a/kexec_memory_map.c
+++ b/kexec_memory_map.c
@@ -192,7 +192,7 @@ void kexec_memory_map(void *fdt, int reserve_initrd)
 
 		name = fdt_get_name(fdt, nodeoffset, NULL);
 
-		if (!name || strncmp(name, "memory", strlen("memory")))
+		if (!name || strncmp(name, "memory@", strlen("memory@")))
 			continue;
 
 		reg = fdt_getprop(fdt, nodeoffset, "reg", &len);
-- 
2.1.4
^ permalink raw reply related	[flat|nested] 10+ messages in thread
* Re: [PATCH] Fix crash due to processing "memory-controller" nodes as "memory"
  2015-07-20  8:20 [PATCH] Fix crash due to processing "memory-controller" nodes as "memory" Ian Munsie
@ 2015-07-20  8:25 ` Ian Munsie
  2015-07-21  2:45 ` Anton Blanchard
  1 sibling, 0 replies; 10+ messages in thread
From: Ian Munsie @ 2015-07-20  8:25 UTC (permalink / raw)
  To: linuxppc-dev
Whoops - subject line was supposed to say "kexec-lite: ..."
-Ian
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] Fix crash due to processing "memory-controller" nodes as "memory"
  2015-07-20  8:20 [PATCH] Fix crash due to processing "memory-controller" nodes as "memory" Ian Munsie
  2015-07-20  8:25 ` Ian Munsie
@ 2015-07-21  2:45 ` Anton Blanchard
  2015-07-21  2:54   ` Benjamin Herrenschmidt
  2015-07-21  3:06   ` Michael Ellerman
  1 sibling, 2 replies; 10+ messages in thread
From: Anton Blanchard @ 2015-07-21  2:45 UTC (permalink / raw)
  To: Ian Munsie, Benjamin Herrenschmidt
  Cc: sonal.santan, linuxppc-dev, Samuel Mendoza-Jonas, Jeremy Kerr,
	Michael Neuling
Hi Ian,
> From: Ian Munsie <imunsie@au1.ibm.com>
> 
> If the system has a PCI device with a memory-controller device node,
> kexec-lite would spew hundreds of double free warnings and eventually
> segfault. This would result in a "kexec load failed" message from
> petitboot.
> 
> This was due to kexec_memory_map() searching for "memory" nodes, but
> actually matching any node that started with "memory", including these
> "memory-controller" nodes. This patch changes the search to look for
> nodes starting with "memory@", which should only match memory nodes.
Nice catch! I wonder if we should be checking for device_type
"memory". Ben?
Anton
> An example of a device tree that can trigger this bug is as follows:
> 
> {
> 	pciex@3fffe40000000 {
> 		...
> 		pci@0 {
> 			#address-cells = <0x3>;
> 			#size-cells = <0x2>;
> 			...
> 			memory-controller@0 {
> 				reg = <0x10000 0x0 0x0 0x0 0x0>;
> 				...
> 			};
> 		};
> 	};
> };
> 
> Signed-off-by: Ian Munsie <imunsie@au1.ibm.com>
> ---
>  kexec_memory_map.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kexec_memory_map.c b/kexec_memory_map.c
> index fc1b7af..7f18de7 100644
> --- a/kexec_memory_map.c
> +++ b/kexec_memory_map.c
> @@ -192,7 +192,7 @@ void kexec_memory_map(void *fdt, int
> reserve_initrd) 
>  		name = fdt_get_name(fdt, nodeoffset, NULL);
>  
> -		if (!name || strncmp(name, "memory",
> strlen("memory")))
> +		if (!name || strncmp(name, "memory@",
> strlen("memory@"))) continue;
>  
>  		reg = fdt_getprop(fdt, nodeoffset, "reg", &len);
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] Fix crash due to processing "memory-controller" nodes as "memory"
  2015-07-21  2:45 ` Anton Blanchard
@ 2015-07-21  2:54   ` Benjamin Herrenschmidt
  2015-07-21  3:06   ` Michael Ellerman
  1 sibling, 0 replies; 10+ messages in thread
From: Benjamin Herrenschmidt @ 2015-07-21  2:54 UTC (permalink / raw)
  To: Anton Blanchard
  Cc: Ian Munsie, sonal.santan, linuxppc-dev, Samuel Mendoza-Jonas,
	Jeremy Kerr, Michael Neuling
On Tue, 2015-07-21 at 12:45 +1000, Anton Blanchard wrote:
> Hi Ian,
> 
> > From: Ian Munsie <imunsie@au1.ibm.com>
> > 
> > If the system has a PCI device with a memory-controller device node,
> > kexec-lite would spew hundreds of double free warnings and eventually
> > segfault. This would result in a "kexec load failed" message from
> > petitboot.
> > 
> > This was due to kexec_memory_map() searching for "memory" nodes, but
> > actually matching any node that started with "memory", including these
> > "memory-controller" nodes. This patch changes the search to look for
> > nodes starting with "memory@", which should only match memory nodes.
> 
> Nice catch! I wonder if we should be checking for device_type
> "memory". Ben?
Or at least check for the nodes at the root of the DT only.
Cheers,
Ben.
> Anton
> 
> > An example of a device tree that can trigger this bug is as follows:
> > 
> > {
> > 	pciex@3fffe40000000 {
> > 		...
> > 		pci@0 {
> > 			#address-cells = <0x3>;
> > 			#size-cells = <0x2>;
> > 			...
> > 			memory-controller@0 {
> > 				reg = <0x10000 0x0 0x0 0x0 0x0>;
> > 				...
> > 			};
> > 		};
> > 	};
> > };
> > 
> > Signed-off-by: Ian Munsie <imunsie@au1.ibm.com>
> > ---
> >  kexec_memory_map.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/kexec_memory_map.c b/kexec_memory_map.c
> > index fc1b7af..7f18de7 100644
> > --- a/kexec_memory_map.c
> > +++ b/kexec_memory_map.c
> > @@ -192,7 +192,7 @@ void kexec_memory_map(void *fdt, int
> > reserve_initrd) 
> >  		name = fdt_get_name(fdt, nodeoffset, NULL);
> >  
> > -		if (!name || strncmp(name, "memory",
> > strlen("memory")))
> > +		if (!name || strncmp(name, "memory@",
> > strlen("memory@"))) continue;
> >  
> >  		reg = fdt_getprop(fdt, nodeoffset, "reg", &len);
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] Fix crash due to processing "memory-controller" nodes as "memory"
  2015-07-21  2:45 ` Anton Blanchard
  2015-07-21  2:54   ` Benjamin Herrenschmidt
@ 2015-07-21  3:06   ` Michael Ellerman
  2015-07-21 23:18     ` Anton Blanchard
  1 sibling, 1 reply; 10+ messages in thread
From: Michael Ellerman @ 2015-07-21  3:06 UTC (permalink / raw)
  To: Anton Blanchard
  Cc: Ian Munsie, Benjamin Herrenschmidt, linuxppc-dev, Michael Neuling,
	sonal.santan, Jeremy Kerr, Samuel Mendoza-Jonas
On Tue, 2015-07-21 at 12:45 +1000, Anton Blanchard wrote:
> Hi Ian,
> 
> > From: Ian Munsie <imunsie@au1.ibm.com>
> > 
> > If the system has a PCI device with a memory-controller device node,
> > kexec-lite would spew hundreds of double free warnings and eventually
> > segfault. This would result in a "kexec load failed" message from
> > petitboot.
> > 
> > This was due to kexec_memory_map() searching for "memory" nodes, but
> > actually matching any node that started with "memory", including these
> > "memory-controller" nodes. This patch changes the search to look for
> > nodes starting with "memory@", which should only match memory nodes.
> 
> Nice catch! I wonder if we should be checking for device_type
> "memory". Ben?
Yes. That's what Linux does.
cheers
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] Fix crash due to processing "memory-controller" nodes as "memory"
  2015-07-21  3:06   ` Michael Ellerman
@ 2015-07-21 23:18     ` Anton Blanchard
  2015-07-22  0:36       ` Ian Munsie
  2015-07-22  0:39       ` Jeremy Kerr
  0 siblings, 2 replies; 10+ messages in thread
From: Anton Blanchard @ 2015-07-21 23:18 UTC (permalink / raw)
  To: Michael Ellerman
  Cc: Ian Munsie, Benjamin Herrenschmidt, linuxppc-dev, Michael Neuling,
	sonal.santan, Jeremy Kerr, Samuel Mendoza-Jonas
Hi,
> > Nice catch! I wonder if we should be checking for device_type
> > "memory". Ben?
> 
> Yes. That's what Linux does.
Ian: I made that change, and slightly modified your commit message.
Look ok?
Anton
--
[PATCH] Fix crash due to processing "memory-controller" nodes as "memory"
If the system has a PCI device with a memory-controller device node,
kexec-lite would spew hundreds of double free warnings and eventually
segfault. This would result in a "kexec load failed" message from
petitboot.
This was due to kexec_memory_map() searching for "memory" nodes, but
actually matching any node that started with "memory", including these
"memory-controller" nodes. This patch changes the search to look for
nodes with a device_type of "memory", which should only match memory
nodes.
An example of a device tree that can trigger this bug is as follows:
{
	pciex@3fffe40000000 {
		...
		pci@0 {
			#address-cells = <0x3>;
			#size-cells = <0x2>;
			...
			memory-controller@0 {
				reg = <0x10000 0x0 0x0 0x0 0x0>;
				...
			};
		};
	};
};
Signed-off-by: Ian Munsie <imunsie@au1.ibm.com>
Signed-off-by: Anton Blanchard <anton@samba.org>
---
 kexec_memory_map.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kexec_memory_map.c b/kexec_memory_map.c
index fc1b7af..6103590 100644
--- a/kexec_memory_map.c
+++ b/kexec_memory_map.c
@@ -182,7 +182,7 @@ void kexec_memory_map(void *fdt, int reserve_initrd)
 	}
 
 	while (1) {
-		const char *name;
+		const char *type;
 		int len;
 		const fdt64_t *reg;
 
@@ -190,9 +190,9 @@ void kexec_memory_map(void *fdt, int reserve_initrd)
 		if (nodeoffset < 0)
 			break;
 
-		name = fdt_get_name(fdt, nodeoffset, NULL);
+		type = fdt_getprop(fdt, nodeoffset, "device_type", NULL);
 
-		if (!name || strncmp(name, "memory", strlen("memory")))
+		if (!type || strcmp(type, "memory"))
 			continue;
 
 		reg = fdt_getprop(fdt, nodeoffset, "reg", &len);
-- 
2.1.0
^ permalink raw reply related	[flat|nested] 10+ messages in thread
* Re: [PATCH] Fix crash due to processing "memory-controller" nodes as "memory"
  2015-07-21 23:18     ` Anton Blanchard
@ 2015-07-22  0:36       ` Ian Munsie
  2015-07-22  5:15         ` Anton Blanchard
  2015-07-22  0:39       ` Jeremy Kerr
  1 sibling, 1 reply; 10+ messages in thread
From: Ian Munsie @ 2015-07-22  0:36 UTC (permalink / raw)
  To: Anton Blanchard
  Cc: Michael Ellerman, Benjamin Herrenschmidt, linuxppc-dev,
	Michael Neuling, sonal.santan, Jeremy Kerr, Samuel Mendoza-Jonas
Excerpts from Anton Blanchard's message of 2015-07-22 09:18:44 +1000:
> Hi,
> 
> > > Nice catch! I wonder if we should be checking for device_type
> > > "memory". Ben?
> > 
> > Yes. That's what Linux does.
> 
> Ian: I made that change, and slightly modified your commit message.
> Look ok?
Looks good to me :)
Cheers,
-Ian
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] Fix crash due to processing "memory-controller" nodes as "memory"
  2015-07-21 23:18     ` Anton Blanchard
  2015-07-22  0:36       ` Ian Munsie
@ 2015-07-22  0:39       ` Jeremy Kerr
  2015-07-22  1:32         ` Michael Neuling
  1 sibling, 1 reply; 10+ messages in thread
From: Jeremy Kerr @ 2015-07-22  0:39 UTC (permalink / raw)
  To: Anton Blanchard, Michael Ellerman
  Cc: Ian Munsie, Benjamin Herrenschmidt, linuxppc-dev, Michael Neuling,
	sonal.santan, Samuel Mendoza-Jonas
Hi Anton,
> [PATCH] Fix crash due to processing "memory-controller" nodes as "memory"
Looks good to me. If you apply this to your kexec-lite repo, I'll update
op-build to use the new version, and send the merge requests for op-build.
I'd expect we'd have those changes upstream in the next couple of days.
Xilinx folks: how are you consuming op-build? Do you need a new PNOR
image, or are you constructing those yourself?
Regards,
Jeremy
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] Fix crash due to processing "memory-controller" nodes as "memory"
  2015-07-22  0:39       ` Jeremy Kerr
@ 2015-07-22  1:32         ` Michael Neuling
  0 siblings, 0 replies; 10+ messages in thread
From: Michael Neuling @ 2015-07-22  1:32 UTC (permalink / raw)
  To: jeremy
  Cc: Anton Blanchard, Michael Ellerman, ian, benh, linuxppc-dev,
	sonal.santan, sam
On Wed, 2015-07-22 at 08:39 +0800, jeremy@ozlabs.au.ibm.com wrote:
> Hi Anton,
>=20
> > [PATCH] Fix crash due to processing "memory-controller" nodes as "memor=
y"
>=20
> Looks good to me. If you apply this to your kexec-lite repo, I'll update
> op-build to use the new version, and send the merge requests for op-build=
.
>=20
> I'd expect we'd have those changes upstream in the next couple of days.
> Xilinx folks: how are you consuming op-build? Do you need a new PNOR
> image, or are you constructing those yourself?
jk, Sonal (from Xilinx) is on a Tulleta not an openpower box.  So we
need to go through the IBM process to get the firmware updated rather
than op-build.
Mikey
^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: [PATCH] Fix crash due to processing "memory-controller" nodes as "memory"
  2015-07-22  0:36       ` Ian Munsie
@ 2015-07-22  5:15         ` Anton Blanchard
  0 siblings, 0 replies; 10+ messages in thread
From: Anton Blanchard @ 2015-07-22  5:15 UTC (permalink / raw)
  To: Ian Munsie
  Cc: Michael Ellerman, Benjamin Herrenschmidt, linuxppc-dev,
	Michael Neuling, sonal.santan, Jeremy Kerr, Samuel Mendoza-Jonas
Hi Ian,
> > > > Nice catch! I wonder if we should be checking for device_type
> > > > "memory". Ben?
> > > 
> > > Yes. That's what Linux does.
> > 
> > Ian: I made that change, and slightly modified your commit message.
> > Look ok?
> 
> Looks good to me :)
Excellent, I just pushed the fix.
Anton
^ permalink raw reply	[flat|nested] 10+ messages in thread
end of thread, other threads:[~2015-07-22  5:15 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-07-20  8:20 [PATCH] Fix crash due to processing "memory-controller" nodes as "memory" Ian Munsie
2015-07-20  8:25 ` Ian Munsie
2015-07-21  2:45 ` Anton Blanchard
2015-07-21  2:54   ` Benjamin Herrenschmidt
2015-07-21  3:06   ` Michael Ellerman
2015-07-21 23:18     ` Anton Blanchard
2015-07-22  0:36       ` Ian Munsie
2015-07-22  5:15         ` Anton Blanchard
2015-07-22  0:39       ` Jeremy Kerr
2015-07-22  1:32         ` Michael Neuling
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).