| Message ID | 1426756933-19290-1-git-send-email-srinivas.kandagatla@linaro.org |
|---|---|
| State | New |
| Headers | show |
On 19 March 2015 at 10:22, Srinivas Kandagatla <srinivas.kandagatla@linaro.org> wrote: > This bug was noticed by accident when I build kernel without a gpio > driver resulting in exercising the error path. > In the error handing path the index could go below zero resulting in > infinite loop. This patch adds a check to fix the issue. > > Without this patch I hit the below kernel crash or kernel hang: > > Unable to handle kernel NULL pointer dereference at virtual address 00000002 > pgd = c0204000 > [00000002] *pgd=00000000 > Internal error: Oops: 5 [#1] SMP ARM > Modules linked in: > CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.0.0-rc4-00100-gda80c89-dirty #3 > Hardware name: Qualcomm (Flattened Device Tree) > task: ed858000 ti: ed842000 task.ti: ed842000 > PC is at gpiod_unexport+0x14/0xc8 > LR is at gpiod_unexport+0x14/0xc8 > pc : [<c04bc368>] lr : [<c04bc368>] psr: 60000113 > sp : ed843db0 ip : 00000000 fp : 00000000 > r10: ed927c00 r9 : fffffdfb r8 : ed9a8e80 > r7 : ed958610 r6 : 00000002 r5 : fffffffe r4 : fffffffe > r3 : ed858000 r2 : ed843da8 r1 : 60000113 r0 : c0ea6ac8 > Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel > Control: 10c5787d Table: 8020406a DAC: 00000015 > Process swapper/0 (pid: 1, stack limit = 0xed842220) > Stack: (0xed843db0 to 0xed844000) > 3da0: fffffffe fffffffe 00000002 c04ba420 > 3dc0: fffffffe fffffffe 00000002 ed958610 ed9a8e80 c04bb29c ed9a8e88 c07ec514 > 3de0: ed927c00 00000000 c0ee58a4 ed958600 ed9a8e10 00000000 c0ee5c28 c07ec1dc > 3e00: 00000001 ed927c00 ee7edeb0 00000000 00000000 c07e2e94 00000000 ed843e27 > 3e20: 00000000 00007200 00000004 00000000 ed927c00 ed957200 ee7edeb0 c07f1868 > 3e40: ee7edeb0 c082eb70 ed858000 00000000 60000113 ed957200 fffffffe c0ee5a50 > 3e60: ed957200 c0ee5944 00000000 ed9572c4 c0de5564 00000000 00000000 c050d67c > 3e80: ed957200 c0f6d59c 00000000 c0ee5944 00000000 c05eacf4 ed957200 c0ee5944 > 3ea0: ed957234 00000000 c0daed5c c05eaea0 00000000 c0ee5944 c05eae14 c05e9524 > 3ec0: ed82b95c ed9438b4 c0ee5944 edd3b700 c0ea9d74 c05ea4f4 c0ca8dd4 c0e29710 > 3ee0: c0ee5944 c0ee5944 c0e33818 edd3d200 c0f2f180 c05eb4e8 00000000 c0e33818 > 3f00: c0e33818 c0209a44 0000006a 00000000 c0c93134 c0d1c21c 00000000 ed843f30 > 3f20: c02622d0 c046c260 20000013 ffffffff ef7fcc75 c09d0408 00000118 c02624d0 > 3f40: c0d1bb7c 00000006 ef7fcc8d 00000006 c0e6d70c ef7fcbc0 c0e29710 00000006 > 3f60: c0de5558 c0f2f180 00000118 c0de5564 c0d65598 c0d65d6c 00000006 00000006 > 3f80: c0d65598 c09a5154 00000000 c09a5154 00000000 00000000 00000000 00000000 > 3fa0: 00000000 c09a515c 00000000 c020f6c0 00000000 00000000 00000000 00000000 > 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 > 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 e5fdff45 9929cfe7 > [<c04bc368>] (gpiod_unexport) from [<c04ba420>] (__gpiod_free+0xc/0xe0) > [<c04ba420>] (__gpiod_free) from [<c04bb29c>] (gpiod_free+0x10/0x28) > [<c04bb29c>] (gpiod_free) from [<c07ec514>] (mmc_pwrseq_simple_alloc+0xe0/0x128) > [<c07ec514>] (mmc_pwrseq_simple_alloc) from [<c07ec1dc>] (mmc_pwrseq_alloc+0x90/0xb8) > [<c07ec1dc>] (mmc_pwrseq_alloc) from [<c07e2e94>] (mmc_of_parse+0x3b0/0x4f0) > [<c07e2e94>] (mmc_of_parse) from [<c07f1868>] (mmci_probe+0x50/0x828) > [<c07f1868>] (mmci_probe) from [<c050d67c>] (amba_probe+0xcc/0x148) > [<c050d67c>] (amba_probe) from [<c05eacf4>] (driver_probe_device+0x10c/0x22c) > [<c05eacf4>] (driver_probe_device) from [<c05eaea0>] (__driver_attach+0x8c/0x90) > [<c05eaea0>] (__driver_attach) from [<c05e9524>] (bus_for_each_dev+0x54/0x88) > [<c05e9524>] (bus_for_each_dev) from [<c05ea4f4>] (bus_add_driver+0xd4/0x1d0) > [<c05ea4f4>] (bus_add_driver) from [<c05eb4e8>] (driver_register+0x78/0xf4) > [<c05eb4e8>] (driver_register) from [<c0209a44>] (do_one_initcall+0x80/0x1d0) > [<c0209a44>] (do_one_initcall) from [<c0d65d6c>] (kernel_init_freeable+0x10c/0x1d8) > [<c0d65d6c>] (kernel_init_freeable) from [<c09a515c>] (kernel_init+0x8/0xec) > [<c09a515c>] (kernel_init) from [<c020f6c0>] (ret_from_fork+0x14/0x34) > Code: e2504000 0a000025 e59f00a0 eb13c440 (e5943004) > ---[ end trace 80b84017d7c9e7e5 ]--- > > Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> I have already applied a patch [1] for this issue in my next branch. Now, you made me realize that I should of course have sent this as fix for v4.0. Therefore, I added you as "Reported-by" to the below commit and just sent a PR for rc4. Sorry for the inconvenience this may have caused you. Kind regards Uffe [1] http://comments.gmane.org/gmane.linux.kernel.mmc/31241 > --- > drivers/mmc/core/pwrseq_simple.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/mmc/core/pwrseq_simple.c b/drivers/mmc/core/pwrseq_simple.c > index e9f1d8d..6f0a875 100644 > --- a/drivers/mmc/core/pwrseq_simple.c > +++ b/drivers/mmc/core/pwrseq_simple.c > @@ -124,8 +124,8 @@ int mmc_pwrseq_simple_alloc(struct mmc_host *host, struct device *dev) > PTR_ERR(pwrseq->reset_gpios[i]) != -ENOSYS) { > ret = PTR_ERR(pwrseq->reset_gpios[i]); > > - while (--i) > - gpiod_put(pwrseq->reset_gpios[i]); > + while (i > 0) > + gpiod_put(pwrseq->reset_gpios[--i]); > > goto clk_put; > } > -- > 1.9.1 > -- To unsubscribe from this list: send the line "unsubscribe linux-mmc" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/mmc/core/pwrseq_simple.c b/drivers/mmc/core/pwrseq_simple.c index e9f1d8d..6f0a875 100644 --- a/drivers/mmc/core/pwrseq_simple.c +++ b/drivers/mmc/core/pwrseq_simple.c @@ -124,8 +124,8 @@ int mmc_pwrseq_simple_alloc(struct mmc_host *host, struct device *dev) PTR_ERR(pwrseq->reset_gpios[i]) != -ENOSYS) { ret = PTR_ERR(pwrseq->reset_gpios[i]); - while (--i) - gpiod_put(pwrseq->reset_gpios[i]); + while (i > 0) + gpiod_put(pwrseq->reset_gpios[--i]); goto clk_put; }
This bug was noticed by accident when I build kernel without a gpio driver resulting in exercising the error path. In the error handing path the index could go below zero resulting in infinite loop. This patch adds a check to fix the issue. Without this patch I hit the below kernel crash or kernel hang: Unable to handle kernel NULL pointer dereference at virtual address 00000002 pgd = c0204000 [00000002] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.0.0-rc4-00100-gda80c89-dirty #3 Hardware name: Qualcomm (Flattened Device Tree) task: ed858000 ti: ed842000 task.ti: ed842000 PC is at gpiod_unexport+0x14/0xc8 LR is at gpiod_unexport+0x14/0xc8 pc : [<c04bc368>] lr : [<c04bc368>] psr: 60000113 sp : ed843db0 ip : 00000000 fp : 00000000 r10: ed927c00 r9 : fffffdfb r8 : ed9a8e80 r7 : ed958610 r6 : 00000002 r5 : fffffffe r4 : fffffffe r3 : ed858000 r2 : ed843da8 r1 : 60000113 r0 : c0ea6ac8 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c5787d Table: 8020406a DAC: 00000015 Process swapper/0 (pid: 1, stack limit = 0xed842220) Stack: (0xed843db0 to 0xed844000) 3da0: fffffffe fffffffe 00000002 c04ba420 3dc0: fffffffe fffffffe 00000002 ed958610 ed9a8e80 c04bb29c ed9a8e88 c07ec514 3de0: ed927c00 00000000 c0ee58a4 ed958600 ed9a8e10 00000000 c0ee5c28 c07ec1dc 3e00: 00000001 ed927c00 ee7edeb0 00000000 00000000 c07e2e94 00000000 ed843e27 3e20: 00000000 00007200 00000004 00000000 ed927c00 ed957200 ee7edeb0 c07f1868 3e40: ee7edeb0 c082eb70 ed858000 00000000 60000113 ed957200 fffffffe c0ee5a50 3e60: ed957200 c0ee5944 00000000 ed9572c4 c0de5564 00000000 00000000 c050d67c 3e80: ed957200 c0f6d59c 00000000 c0ee5944 00000000 c05eacf4 ed957200 c0ee5944 3ea0: ed957234 00000000 c0daed5c c05eaea0 00000000 c0ee5944 c05eae14 c05e9524 3ec0: ed82b95c ed9438b4 c0ee5944 edd3b700 c0ea9d74 c05ea4f4 c0ca8dd4 c0e29710 3ee0: c0ee5944 c0ee5944 c0e33818 edd3d200 c0f2f180 c05eb4e8 00000000 c0e33818 3f00: c0e33818 c0209a44 0000006a 00000000 c0c93134 c0d1c21c 00000000 ed843f30 3f20: c02622d0 c046c260 20000013 ffffffff ef7fcc75 c09d0408 00000118 c02624d0 3f40: c0d1bb7c 00000006 ef7fcc8d 00000006 c0e6d70c ef7fcbc0 c0e29710 00000006 3f60: c0de5558 c0f2f180 00000118 c0de5564 c0d65598 c0d65d6c 00000006 00000006 3f80: c0d65598 c09a5154 00000000 c09a5154 00000000 00000000 00000000 00000000 3fa0: 00000000 c09a515c 00000000 c020f6c0 00000000 00000000 00000000 00000000 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 e5fdff45 9929cfe7 [<c04bc368>] (gpiod_unexport) from [<c04ba420>] (__gpiod_free+0xc/0xe0) [<c04ba420>] (__gpiod_free) from [<c04bb29c>] (gpiod_free+0x10/0x28) [<c04bb29c>] (gpiod_free) from [<c07ec514>] (mmc_pwrseq_simple_alloc+0xe0/0x128) [<c07ec514>] (mmc_pwrseq_simple_alloc) from [<c07ec1dc>] (mmc_pwrseq_alloc+0x90/0xb8) [<c07ec1dc>] (mmc_pwrseq_alloc) from [<c07e2e94>] (mmc_of_parse+0x3b0/0x4f0) [<c07e2e94>] (mmc_of_parse) from [<c07f1868>] (mmci_probe+0x50/0x828) [<c07f1868>] (mmci_probe) from [<c050d67c>] (amba_probe+0xcc/0x148) [<c050d67c>] (amba_probe) from [<c05eacf4>] (driver_probe_device+0x10c/0x22c) [<c05eacf4>] (driver_probe_device) from [<c05eaea0>] (__driver_attach+0x8c/0x90) [<c05eaea0>] (__driver_attach) from [<c05e9524>] (bus_for_each_dev+0x54/0x88) [<c05e9524>] (bus_for_each_dev) from [<c05ea4f4>] (bus_add_driver+0xd4/0x1d0) [<c05ea4f4>] (bus_add_driver) from [<c05eb4e8>] (driver_register+0x78/0xf4) [<c05eb4e8>] (driver_register) from [<c0209a44>] (do_one_initcall+0x80/0x1d0) [<c0209a44>] (do_one_initcall) from [<c0d65d6c>] (kernel_init_freeable+0x10c/0x1d8) [<c0d65d6c>] (kernel_init_freeable) from [<c09a515c>] (kernel_init+0x8/0xec) [<c09a515c>] (kernel_init) from [<c020f6c0>] (ret_from_fork+0x14/0x34) Code: e2504000 0a000025 e59f00a0 eb13c440 (e5943004) ---[ end trace 80b84017d7c9e7e5 ]--- Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> --- drivers/mmc/core/pwrseq_simple.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)