Message-ID: <20240924055850.GN38742@google.com>
Date: Tue, 24 Sep 2024 14:58:50 +0900
From: Sergey Senozhatsky <senozhatsky@...omium.org>
To: Christophe JAILLET <christophe.jaillet@...adoo.fr>
Cc: Andrey Skvortsov <andrej.skvortzov@...il.com>,
Venkat Rao Bagalkote <venkat88@...ux.vnet.ibm.com>,
Minchan Kim <minchan@...nel.org>, Jens Axboe <axboe@...nel.dk>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-kernel@...r.kernel.org, linux-block@...r.kernel.org,
stable@...r.kernel.org,
Sergey Senozhatsky <senozhatsky@...omium.org>
Subject: Re: [PATCH v3] zram: don't free statically defined names

On (24/09/24 14:49), Sergey Senozhatsky wrote:
> On (24/09/24 07:21), Christophe JAILLET wrote:
> [..]
> > > kfree_const() will not work if zram is built as a module. It works
> > > only for .rodata for kernel image. [1]
> > >
> > > 1. https://elixir.bootlin.com/linux/v6.11/source/include/asm-generic/sections.h#L177
> > >
> >
> > If so, then it is likely that it is not correctly used elsewhere.
> >
> > https://elixir.bootlin.com/linux/v6.11/source/drivers/dax/kmem.c#L289
> > https://elixir.bootlin.com/linux/v6.11/source/drivers/firmware/arm_scmi/bus.c#L341
> > https://elixir.bootlin.com/linux/v6.11/source/drivers/input/touchscreen/chipone_icn8505.c#L379
>
> icn8505_probe_acpi() uses kfree_const(subsys)...
>
> subsys is returned from acpi_get_subsystem_id() which only
> does
> sub = kstrdup(obj->string.pointer, GFP_KERNEL);
>
> However, if acpi_get_subsystem_id() returns an error then
> icn8505_probe_acpi() does
>
> subsys = "unknown";
>
> and I suspect that kfree_const(subsys) can, in fact, explode?

A trivial test to replicate the icn8505_probe_acpi() error path
(zram built as a module)
---
diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
index d3329a67e805..5cd65dd7dafa 100644
--- a/drivers/block/zram/zram_drv.c
+++ b/drivers/block/zram/zram_drv.c
@@ -2719,11 +2719,21 @@ static void destroy_devices(void)
cpuhp_remove_multi_state(CPUHP_ZCOMP_PREPARE);
}
+static void boom(void)
+{
+ char *str = "unknown";
+
+ pr_err(":: kfree_const() %s\n", str);
+ kfree_const(str);
+}
+
static int __init zram_init(void)
{
struct zram_table_entry zram_te;
int ret;
+ boom();
+
BUILD_BUG_ON(__NR_ZRAM_PAGEFLAGS > sizeof(zram_te.flags) * 8);
ret = cpuhp_setup_state_multi(CPUHP_ZCOMP_PREPARE, "block/zram:prepare",
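Review bot: in boom(), `str` points at a string literal but is declared `char *`; declare it `const char *str`, which matches the const pointer kfree_const() accepts and lets the compiler reject any write through it. The boom() call sits unconditionally at the top of zram_init(), ahead of the BUILD_BUG_ON() check, so every load of the module runs the kfree_const() on the literal; that is fine for a throwaway reproducer, but the hunk should stay out of any series that carries the actual fix.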
---
[ 15.494947] zram: :: kfree_const() unknown
[..]
[ 15.498085] WARNING: CPU: 5 PID: 420 at mm/slub.c:4690 free_large_kmalloc+0x18/0xb0
[ 15.500393] Modules linked in: zram(+) 842_decompress 842_compress zsmalloc zstd_compress lz4hc_compress lz4_compress zlib_deflate
[ 15.503405] CPU: 5 UID: 0 PID: 420 Comm: modprobe Tainted: G N 6.11.0-next-20240920+ #727
[ 15.506013] Tainted: [N]=TEST
[ 15.506792] RIP: 0010:free_large_kmalloc+0x18/0xb0
[..]
[ 15.531487] Call Trace:
[ 15.532102] <TASK>
[ 15.532616] ? __warn+0x12d/0x340
[ 15.533409] ? free_large_kmalloc+0x18/0xb0
[ 15.534397] ? free_large_kmalloc+0x18/0xb0
[ 15.535426] ? report_bug+0x170/0x380
[ 15.536365] ? handle_bug+0x5c/0xa0
[ 15.537206] ? exc_invalid_op+0x16/0x40
[ 15.538155] ? asm_exc_invalid_op+0x16/0x20
[ 15.539189] ? free_large_kmalloc+0x18/0xb0
[ 15.540194] init_module+0x25/0xffb [zram]
[ 15.541173] do_one_initcall+0x130/0x450
[ 15.542143] ? __cfi_init_module+0x5/0x5 [zram]
[ 15.543282] ? stack_depot_save_flags+0x25/0x700
[ 15.544413] ? stack_trace_save+0xb3/0x150
[ 15.545428] ? kasan_save_track+0x3c/0x60
[ 15.546401] ? kasan_save_track+0x2b/0x60
[ 15.547364] ? __kasan_kmalloc+0x6e/0x80
[ 15.548350] ? do_init_module+0x16e/0x890
[ 15.549348] ? __se_sys_finit_module+0x513/0x7e0
[ 15.550437] ? do_syscall_64+0x71/0x110
[ 15.551385] ? entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 15.552662] ? stack_depot_save_flags+0x25/0x700
[ 15.553751] ? stack_trace_save+0xb3/0x150
[ 15.554754] ? __create_object+0x62/0x110
[ 15.555767] ? do_raw_spin_unlock+0x5a/0x950
[ 15.556778] ? __create_object+0x62/0x110
[ 15.557727] ? _raw_spin_unlock_irqrestore+0x31/0x40
[ 15.558928] ? __create_object+0x62/0x110
[ 15.559947] ? kasan_unpoison+0x49/0x70
[ 15.560855] ? __asan_register_globals+0x54/0x70
[ 15.561976] do_init_module+0x36a/0x890
[ 15.562940] __se_sys_finit_module+0x513/0x7e0
[ 15.564034] do_syscall_64+0x71/0x110
[ 15.564948] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[..]
[ 15.894538] kernel BUG at include/linux/mm.h:1140!
[ 15.895727] Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
[ 15.897003] CPU: 5 UID: 0 PID: 420 Comm: modprobe Tainted: G B W N 6.11.0-next-20240920+ #727
[ 15.899215] Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST
[ 15.900395] RIP: 0010:free_large_kmalloc+0xaa/0xb0
[..]
[ 15.924239] Call Trace:
[ 15.924836] <TASK>
[ 15.925343] ? __die_body+0x66/0xb0
[ 15.926183] ? die+0xa0/0xc0
[ 15.926873] ? do_trap+0xf4/0x2e0
[ 15.927671] ? free_large_kmalloc+0xaa/0xb0
[ 15.928665] ? do_error_trap+0xfc/0x180
[ 15.929567] ? free_large_kmalloc+0xaa/0xb0
[ 15.930550] ? handle_invalid_op+0x4f/0x60
[ 15.931529] ? free_large_kmalloc+0xaa/0xb0
[ 15.932513] ? exc_invalid_op+0x2f/0x40
[ 15.933422] ? asm_exc_invalid_op+0x16/0x20
[ 15.934413] ? free_large_kmalloc+0xaa/0xb0
[ 15.935410] init_module+0x25/0xffb [zram]
[ 15.936375] do_one_initcall+0x130/0x450
[ 15.937306] ? __cfi_init_module+0x5/0x5 [zram]
[ 15.938550] ? stack_depot_save_flags+0x25/0x700
[ 15.939799] ? stack_trace_save+0xb3/0x150
[ 15.940786] ? kasan_save_track+0x3c/0x60
[ 15.941755] ? kasan_save_track+0x2b/0x60
[ 15.942729] ? __kasan_kmalloc+0x6e/0x80
[ 15.943697] ? do_init_module+0x16e/0x890
[ 15.944665] ? __se_sys_finit_module+0x513/0x7e0
[ 15.945782] ? do_syscall_64+0x71/0x110
[ 15.946716] ? entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 15.947978] ? stack_depot_save_flags+0x25/0x700
[ 15.949091] ? stack_trace_save+0xb3/0x150
[ 15.950082] ? __create_object+0x62/0x110
[ 15.951052] ? do_raw_spin_unlock+0x5a/0x950
[ 15.952094] ? __create_object+0x62/0x110
[ 15.953064] ? _raw_spin_unlock_irqrestore+0x31/0x40
[ 15.954255] ? __create_object+0x62/0x110
[ 15.955221] ? kasan_unpoison+0x49/0x70
[ 15.956154] ? __asan_register_globals+0x54/0x70
[ 15.957261] do_init_module+0x36a/0x890
[ 15.958199] __se_sys_finit_module+0x513/0x7e0
[ 15.959282] do_syscall_64+0x71/0x110
[ 15.960172] entry_SYSCALL_64_after_hwframe+0x4b/0x53
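
A userspace model of the failure discussed in this thread, added here as an illustration; it is not code from the kernel or from the patch. The three arrays and all function names are constructed stand-ins, and kfree_const() is modelled as "skip pointers inside the kernel image's .rodata range, hand everything else to the allocator", which is the behaviour the thread describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for three memory regions (not real kernel symbols). */
static const char image_rodata[32] = "vmlinux literal"; /* kernel image .rodata */
static const char module_rodata[32] = "unknown";        /* module's own .rodata */
static char slab[32] = "kstrdup copy";                  /* allocator-owned memory */

enum free_result { SKIPPED, FREED_OK, FREED_INVALID };

static bool within(const void *p, const void *base, size_t len)
{
	uintptr_t a = (uintptr_t)p, s = (uintptr_t)base;
	return a >= s && a < s + len;
}

/* Model of kfree_const(): only the kernel image's .rodata range is skipped. */
static enum free_result model_kfree_const(const void *p)
{
	if (within(p, image_rodata, sizeof(image_rodata)))
		return SKIPPED;
	/* Everything else reaches the allocator, valid object or not. */
	return within(p, slab, sizeof(slab)) ? FREED_OK : FREED_INVALID;
}

/* Pattern from the thread: heap copy on success, literal fallback on error. */
static enum free_result error_path_unsafe(bool lookup_failed)
{
	const char *subsys = lookup_failed ? module_rodata : slab;
	return model_kfree_const(subsys);
}

/* Alternative: track what was allocated and free only that pointer. */
static enum free_result error_path_tracked(bool lookup_failed)
{
	const char *owned = lookup_failed ? NULL : slab;
	return owned ? model_kfree_const(owned) : SKIPPED;
}

int main(void)
{
	printf("unsafe, lookup failed:  %d\n", error_path_unsafe(true));
	printf("tracked, lookup failed: %d\n", error_path_tracked(true));
	return 0;
}
```

In the model, FREED_INVALID corresponds to the free_large_kmalloc() warning and BUG in the log above: the literal lives in the module's read-only data, so the range check does not recognise it and the pointer is freed as if it were an allocation.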