Date:   Tue, 18 Apr 2017 10:12:16 +0100
From:   Andre Przywara <andre.przywara@....com>
To:     Tejun Heo <tj@...nel.org>
Cc:     Icenowy Zheng <icenowy@...c.xyz>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Adam Borowski <kilobyte@...band.pl>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: sun50i-a64-pinctrl WARN_ON drivers/base/dd.c:349

Hi,

On 18/04/17 08:25, Tejun Heo wrote:
> Hello,
> 
> On Mon, Apr 03, 2017 at 12:48:16AM +0100, André Przywara wrote:
>> So I see this problem easily now - on every boot - with an unpatched
>> 4.11-rc3 kernel and the (arm64) defconfig on a Pine64 or BananaPi M64.
>> I enabled devres.log and see that pinctrl probes early, but apparently
>> gets deferred, pretty late actually (after 43 ADDs).
>>
>> Now what sticks out from the sequence (see the attached log) is that
>> there are two un-matched ADDs with a devm_kmalloc of size 0:
>> sun50i-a64-pinctrl 1c20800.pinctrl: DEVRES ADD ffff80007bd84200
>> devm_kzalloc_release (0 bytes)
>> sun50i-a64-pinctrl 1c20800.pinctrl: DEVRES ADD ffff80007bd84100
>> devm_kzalloc_release (0 bytes)
>>
>> While all the other ADDs have a matching REL, those two have not. I
>> guess it's due to the size being 0. Does that ring a bell?
> 
> AFAICS, 0 size allocs should be fine.
> 
>> Or is it due to the fact that these two ADDs are after the RELs have
>> already started, so at a point where the driver is already cleaned up?
> 
> But this sounds problematic to me.  So, these zero length allocations
> are happening after release of the device is initiated?  Where are
> they coming from?

Yeah, so I stack-dumped on the zero allocations and indeed they are
called from cleanup functions:
drivers/pinctrl/pinmux.c:pinmux_generic_free_functions():
	devm_kzalloc(sizeof(*indices) * pctldev->num_functions, ...)
(and another one I don't know from the top of my head, logs at home)

So my hunch was that once EPROBE_DEFER triggers the devres cleanup, it
uses some reverse list traversal to release all allocated resources
(backwards!), so missing those which get (appended) during the process.
But I don't think that would not work with the locking.
So I have to dig deeper tonight in my logs.

Just curious why this does (or did) not happen for other users, because
the affected code paths seem rather generic to me.
Is that due to probing order being unfortunate in our case and the
pinctrl driver is never released due to DEFER anywhere else?

Cheers,
Andre.
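
Added example, not part of the original message or of any kernel tooling: a small Python checker that pairs DEVRES ADD lines with their REL/REM lines in a devres.log boot log and reports ADDs that never get released, noting whether each came after releases had already started for that device. The two 0-byte addresses are the ones quoted in the thread; every other line, address and timestamp in the sample is constructed.

```python
import re

# Line shape as quoted in the thread:
#   "<driver> <device>: DEVRES ADD <addr> <release-fn> (<n> bytes)"
# An optional dmesg timestamp prefix is tolerated.
DEVRES_RE = re.compile(
    r"^(?:\[[^\]]*\]\s*)?(?P<dev>.+?): DEVRES\s+(?P<op>ADD|REL|REM)\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<name>\S+)\s+\((?P<size>\d+) bytes\)"
)

def unmatched_adds(lines):
    """Return (line_no, release_fn, size, after_release_started) per leaked ADD."""
    live = {}          # (device, address) -> record of the ADD still outstanding
    releasing = set()  # devices for which at least one REL has been seen
    for no, line in enumerate(lines, 1):
        m = DEVRES_RE.match(line.strip())
        if not m:
            continue   # not a devres log line
        key = (m["dev"], m["addr"])
        if m["op"] == "ADD":
            # Heuristic flag: a later re-probe also ADDs after earlier RELs,
            # so "after release started" is a hint, not proof of a bug.
            live[key] = (no, m["name"], int(m["size"]), m["dev"] in releasing)
        else:
            live.pop(key, None)  # REL or REM closes the matching ADD
            if m["op"] == "REL":
                releasing.add(m["dev"])
    return sorted(live.values())

# Constructed sample log (only the two 0-byte addresses come from the thread).
DEV = "sun50i-a64-pinctrl 1c20800.pinctrl"
SAMPLE = [
    f"[    1.10] {DEV}: DEVRES ADD ffff80007bd84000 devm_kzalloc_release (96 bytes)",
    f"[    1.11] {DEV}: DEVRES ADD ffff80007bd84080 devm_kzalloc_release (24 bytes)",
    f"[    1.20] {DEV}: DEVRES REL ffff80007bd84080 devm_kzalloc_release (24 bytes)",
    f"[    1.21] {DEV}: DEVRES ADD ffff80007bd84200 devm_kzalloc_release (0 bytes)",
    f"[    1.22] {DEV}: DEVRES REL ffff80007bd84000 devm_kzalloc_release (96 bytes)",
    f"[    1.23] {DEV}: DEVRES ADD ffff80007bd84100 devm_kzalloc_release (0 bytes)",
]

if __name__ == "__main__":
    for no, fn, size, late in unmatched_adds(SAMPLE):
        when = "after release started" if late else "before any release"
        print(f"line {no}: {fn} ({size} bytes) never released, added {when}")
```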
