From patchwork Sat Jun 29 12:42:11 2024
X-Patchwork-Submitter: Niklas Cassel
X-Patchwork-Id: 1954241
From: Niklas Cassel
To: Damien Le Moal, Niklas Cassel, Tejun Heo, Jeff Garzik
Cc: linux-scsi@vger.kernel.org, John Garry, Jason Yan, "Martin K. Petersen", "James E.J. Bottomley", stable@vger.kernel.org, Hannes Reinecke, linux-ide@vger.kernel.org
Subject: [PATCH 1/4] ata: libata-core: Fix null pointer dereference on error
Date: Sat, 29 Jun 2024 14:42:11 +0200
Message-ID: <20240629124210.181537-7-cassel@kernel.org>
In-Reply-To: <20240629124210.181537-6-cassel@kernel.org>
References: <20240629124210.181537-6-cassel@kernel.org>

If the ata_port_alloc() call in ata_host_alloc() fails, ata_host_release() will get called.

However, the code in ata_host_release() tries to free ata_port struct members unconditionally, which can lead to the following:

BUG: unable to handle page fault for address: 0000000000003990
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]
Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41
RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246
RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0
RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68
R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004
R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006
FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 ? __die_body.cold+0x19/0x27
 ? page_fault_oops+0x15a/0x2f0
 ? exc_page_fault+0x7e/0x180
 ? asm_exc_page_fault+0x26/0x30
 ? ata_host_release.cold+0x2f/0x6e [libata]
 ? ata_host_release.cold+0x2f/0x6e [libata]
 release_nodes+0x35/0xb0
 devres_release_group+0x113/0x140
 ata_host_alloc+0xed/0x120 [libata]
 ata_host_alloc_pinfo+0x14/0xa0 [libata]
 ahci_init_one+0x6c9/0xd20 [ahci]

Do not access ata_port struct members unconditionally.

Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it")
Cc: stable@vger.kernel.org
Reviewed-by: Damien Le Moal
Reviewed-by: Hannes Reinecke
Signed-off-by: Niklas Cassel
Reviewed-by: John Garry
---
 drivers/ata/libata-core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index e1bf8a19b3c8..f47838da75d7 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c 
@@ -5518,6 +5518,9 @@ static void ata_host_release(struct kref *kref) for (i = 0; i < host->n_ports; i++) { struct ata_port *ap = host->ports[i]; + if (!ap) + continue; + kfree(ap->pmp_link); kfree(ap->slave_link); kfree(ap->ncq_sense_buf);

From patchwork Sat Jun 29 12:42:12 2024
X-Patchwork-Submitter: Niklas Cassel
X-Patchwork-Id: 1954242
From: Niklas Cassel
To: Damien Le Moal, Niklas Cassel, John Garry, Jason Yan, "James E.J. Bottomley", "Martin K. Petersen", Hannes Reinecke
Cc: linux-scsi@vger.kernel.org, Niklas Cassel, linux-ide@vger.kernel.org
Subject: [PATCH 2/4] ata,scsi: libata-core: Do not leak memory for ata_port struct members
Date: Sat, 29 Jun 2024 14:42:12 +0200
Message-ID: <20240629124210.181537-8-cassel@kernel.org>
In-Reply-To: <20240629124210.181537-6-cassel@kernel.org>
References: <20240629124210.181537-6-cassel@kernel.org>

libsas is currently not freeing all the struct ata_port struct members, e.g. ncq_sense_buf for a driver supporting Command Duration Limits (CDL).

Add a function, ata_port_free(), that is used to free a ata_port, including its struct members. It makes sense to keep the code related to freeing a ata_port in its own function, which will also free all the struct members of struct ata_port.

Fixes: 18bd7718b5c4 ("scsi: ata: libata: Handle completion of CDL commands using policy 0xD")
Signed-off-by: Niklas Cassel
Reviewed-by: John Garry
Reviewed-by: Hannes Reinecke
---
 drivers/ata/libata-core.c          | 24 ++++++++++++++----------
 drivers/scsi/libsas/sas_ata.c      |  2 +-
 drivers/scsi/libsas/sas_discover.c |  2 +-
 include/linux/libata.h             |  1 +
 4 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index f47838da75d7..481baa55ebfc 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -5490,6 +5490,18 @@ struct ata_port *ata_port_alloc(struct ata_host *host) return ap; } +void ata_port_free(struct ata_port *ap) +{ + if (!ap) + return; + + kfree(ap->pmp_link); + kfree(ap->slave_link); + kfree(ap->ncq_sense_buf); + kfree(ap); +} +EXPORT_SYMBOL_GPL(ata_port_free); + static void ata_devres_release(struct device *gendev, void *res) { struct ata_host *host = dev_get_drvdata(gendev); @@ -5516,15 +5528,7 @@ static void ata_host_release(struct kref *kref) int i; for (i = 0; i < host->n_ports; i++) { - struct ata_port *ap = host->ports[i]; - - if (!ap) - continue; - - kfree(ap->pmp_link); - kfree(ap->slave_link); - kfree(ap->ncq_sense_buf); - kfree(ap); + ata_port_free(host->ports[i]); host->ports[i] = NULL; } kfree(host); @@ -5907,7 +5911,7 @@ int ata_host_register(struct ata_host *host, const struct scsi_host_template *sh * allocation time. */ for (i = host->n_ports; host->ports[i]; i++) - kfree(host->ports[i]); + ata_port_free(host->ports[i]); /* give ports names and add SCSI hosts */ for (i = 0; i < host->n_ports; i++) { diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c index 4c69fc63c119..1f247a8cd185 100644 --- a/drivers/scsi/libsas/sas_ata.c +++ b/drivers/scsi/libsas/sas_ata.c @@ -618,7 +618,7 @@ int sas_ata_init(struct domain_device *found_dev) return 0; destroy_port: - kfree(ap); + ata_port_free(ap); free_host: ata_host_put(ata_host); return rc; diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c index 8fb7c41c0962..48d975c6dbf2 100644 --- a/drivers/scsi/libsas/sas_discover.c +++ b/drivers/scsi/libsas/sas_discover.c 
@@ -301,7 +301,7 @@ void sas_free_device(struct kref *kref) if (dev_is_sata(dev) && dev->sata_dev.ap) { ata_sas_tport_delete(dev->sata_dev.ap); - kfree(dev->sata_dev.ap); + ata_port_free(dev->sata_dev.ap); ata_host_put(dev->sata_dev.ata_host); dev->sata_dev.ata_host = NULL; dev->sata_dev.ap = NULL; diff --git a/include/linux/libata.h b/include/linux/libata.h index 13fb41d25da6..7d3bd7c9664a 100644 --- a/include/linux/libata.h +++ b/include/linux/libata.h 
@@ -1249,6 +1249,7 @@ extern int ata_slave_link_init(struct ata_port *ap); extern struct ata_port *ata_sas_port_alloc(struct ata_host *, struct ata_port_info *, struct Scsi_Host *); extern void ata_port_probe(struct ata_port *ap); +extern void ata_port_free(struct ata_port *ap); extern int ata_sas_tport_add(struct device *parent, struct ata_port *ap); extern void ata_sas_tport_delete(struct ata_port *ap); int ata_sas_device_configure(struct scsi_device *sdev, struct queue_limits *lim,

From patchwork Sat Jun 29 12:42:13 2024
X-Patchwork-Submitter: Niklas Cassel
X-Patchwork-Id: 1954243
From: Niklas Cassel
To: Damien Le Moal, Niklas Cassel, Tejun Heo, Colin Ian King
Cc: linux-scsi@vger.kernel.org, John Garry, Jason Yan, "Martin K. Petersen", "James E.J. Bottomley", stable@vger.kernel.org, Hannes Reinecke, linux-ide@vger.kernel.org
Subject: [PATCH 3/4] ata: libata-core: Fix double free on error
Date: Sat, 29 Jun 2024 14:42:13 +0200
Message-ID: <20240629124210.181537-9-cassel@kernel.org>
In-Reply-To: <20240629124210.181537-6-cassel@kernel.org>
References: <20240629124210.181537-6-cassel@kernel.org>

If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump to the err_out label, which will call devres_release_group(). devres_release_group() will trigger a call to ata_host_release(). ata_host_release() calls kfree(host), so executing the kfree(host) in ata_host_alloc() will lead to a double free:

kernel BUG at mm/slub.c:553!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:kfree+0x2cf/0x2f0
Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da
RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246
RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320
RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0
RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780
R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006
FS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 ? __die_body.cold+0x19/0x27
 ? die+0x2e/0x50
 ? do_trap+0xca/0x110
 ? do_error_trap+0x6a/0x90
 ? kfree+0x2cf/0x2f0
 ? exc_invalid_op+0x50/0x70
 ? kfree+0x2cf/0x2f0
 ? asm_exc_invalid_op+0x1a/0x20
 ? ata_host_alloc+0xf5/0x120 [libata]
 ? ata_host_alloc+0xf5/0x120 [libata]
 ? kfree+0x2cf/0x2f0
 ata_host_alloc+0xf5/0x120 [libata]
 ata_host_alloc_pinfo+0x14/0xa0 [libata]
 ahci_init_one+0x6c9/0xd20 [ahci]

Ensure that we will not call kfree(host) twice, by performing the kfree() only if the devres_open_group() call failed.

Fixes: dafd6c496381 ("libata: ensure host is free'd on error exit paths")
Cc: stable@vger.kernel.org
Reviewed-by: Damien Le Moal
Reviewed-by: Hannes Reinecke
Signed-off-by: Niklas Cassel
---
 drivers/ata/libata-core.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c index 481baa55ebfc..e0455a182af7 100644 --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c 
@@ -5578,8 +5578,10 @@ struct ata_host *ata_host_alloc(struct device *dev, int max_ports) if (!host) return NULL; - if (!devres_open_group(dev, NULL, GFP_KERNEL)) - goto err_free; + if (!devres_open_group(dev, NULL, GFP_KERNEL)) { + kfree(host); + return NULL; + } dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL); if (!dr) 
@@ -5611,8 +5613,6 @@ struct ata_host *ata_host_alloc(struct device *dev, int max_ports) err_out: devres_release_group(dev, NULL); - err_free: - kfree(host); return NULL; } EXPORT_SYMBOL_GPL(ata_host_alloc);

From patchwork Sat Jun 29 12:42:14 2024
X-Patchwork-Submitter: Niklas Cassel
X-Patchwork-Id: 1954244
From: Niklas Cassel
To: Damien Le Moal, Niklas Cassel, Jens Axboe, Kai-Heng Feng
Cc: linux-scsi@vger.kernel.org, John Garry, Jason Yan, "Martin K. Petersen", "James E.J. Bottomley", stable@vger.kernel.org, Hannes Reinecke, linux-ide@vger.kernel.org
Subject: [PATCH 4/4] ata: ahci: Clean up sysfs file on error
Date: Sat, 29 Jun 2024 14:42:14 +0200
Message-ID: <20240629124210.181537-10-cassel@kernel.org>
In-Reply-To: <20240629124210.181537-6-cassel@kernel.org>
References: <20240629124210.181537-6-cassel@kernel.org>

.probe() (ahci_init_one()) calls sysfs_add_file_to_group(), however, if probe() fails after this call, we currently never call sysfs_remove_file_from_group().

(The sysfs_remove_file_from_group() call in .remove() (ahci_remove_one()) does not help, as .remove() is not called on .probe() error.)

Thus, if probe() fails after the sysfs_add_file_to_group() call, the next time we insmod the module we will get:

sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:04.0/remapped_nvme'
CPU: 11 PID: 954 Comm: modprobe Not tainted 6.10.0-rc5 #43
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
Call Trace:
 dump_stack_lvl+0x5d/0x80
 sysfs_warn_dup.cold+0x17/0x23
 sysfs_add_file_mode_ns+0x11a/0x130
 sysfs_add_file_to_group+0x7e/0xc0
 ahci_init_one+0x31f/0xd40 [ahci]

Fixes: 894fba7f434a ("ata: ahci: Add sysfs attribute to show remapped NVMe device count")
Cc: stable@vger.kernel.org
Reviewed-by: Damien Le Moal
Reviewed-by: Hannes Reinecke
Signed-off-by: Niklas Cassel
---
 drivers/ata/ahci.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c index 5eb38fbbbecd..fc6fd583faf8 100644 --- a/drivers/ata/ahci.c +++ b/drivers/ata/ahci.c @@ -1975,8 +1975,10 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) n_ports = max(ahci_nr_ports(hpriv->cap), fls(hpriv->port_map)); host = ata_host_alloc_pinfo(&pdev->dev, ppi, n_ports); - if (!host) - return -ENOMEM; + if (!host) { + rc = -ENOMEM; + goto err_rm_sysfs_file; + } host->private_data = hpriv; if (ahci_init_msi(pdev, n_ports, hpriv) < 0) { @@ -2031,11 +2033,11 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) /* initialize adapter */ rc = ahci_configure_dma_masks(pdev, hpriv); if (rc) - return rc; + goto err_rm_sysfs_file; rc = ahci_pci_reset_controller(host); if (rc) - return rc; + goto err_rm_sysfs_file; ahci_pci_init_controller(host); ahci_pci_print_info(host); 
@@ -2044,10 +2046,15 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) rc = ahci_host_activate(host, &ahci_sht); if (rc) - return rc; + goto err_rm_sysfs_file; pm_runtime_put_noidle(&pdev->dev); return 0; + +err_rm_sysfs_file: + sysfs_remove_file_from_group(&pdev->dev.kobj, + &dev_attr_remapped_nvme.attr, NULL); + return rc; } static void ahci_shutdown_one(struct pci_dev *pdev)
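
Review bot: In patch 1/4, the new `if (!ap) continue;` in ata_host_release() carries no comment saying when host->ports[i] can be NULL inside the 0..n_ports range. The commit message has the reason (ata_port_alloc() failing part-way through ata_host_alloc()); a one-line comment above the check would stop a later cleanup from dropping it as redundant, since kfree(NULL) is harmless on its own and it is the ap->pmp_link style member reads that fault.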
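
Review bot: In patch 2/4, the new exported ata_port_free() in libata-core.c has no kernel-doc comment. Since libsas now calls it from sas_ata_init() and sas_free_device(), please document that it accepts NULL and that it frees pmp_link, slave_link and ncq_sense_buf before freeing the port itself, so callers know not to free those members separately.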
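
Review bot: In patch 2/4, the ata_host_register() hunk calls ata_port_free(host->ports[i]) for the surplus ports but leaves the freed pointer in host->ports[i], while the ata_host_release() hunk of the same patch follows the call with `host->ports[i] = NULL;`. Clearing the slot in the ata_host_register() loop as well would keep stale pointers out of the array; the loop condition reads the next index, so it still terminates on the first NULL entry.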
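
Review bot: In patch 3/4, the first ata_host_alloc() hunk ends at `if (!dr)` right after `dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);`, and with err_free removed in the second hunk the only remaining label, err_out, no longer frees host. If that branch still jumps to err_out, host is freed only when devres_release_group() ends up running the release callback, and a dr that failed to allocate cannot have been registered, so this path looks like it now leaks host. Consider freeing host explicitly in the `!dr` branch, the same way the devres_open_group() failure branch now does.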
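
Review bot: In patch 4/4, the err_rm_sysfs_file label added in the last hunk only covers the exits converted in the visible hunks; the part of ahci_init_one() between the hunk that ends at ahci_init_msi() and the one that starts at "initialize adapter" is not shown, and any plain `return` left there, or between sysfs_add_file_to_group() and ata_host_alloc_pinfo(), would still leave remapped_nvme behind. Please confirm that every exit after sysfs_add_file_to_group() goes through the label, and say so in a short comment at the label so that later early returns are not added by habit.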
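
A user-space model of the error path that the commit messages of patches 1 to 3 describe, added here as an illustration; it is not code from the series or from libata. The struct layouts, the tracking allocator, the mode names and every function name are constructed stand-ins, and the model counts double frees and leaked objects when one port allocation fails part-way through.

```c
#include <stdlib.h>

#define MAX_PORTS 4
#define MAX_TRACKED 32

/* Constructed stand-ins for struct ata_port and struct ata_host. */
struct port { void *pmp_link, *slave_link, *ncq_sense_buf; };
struct host { int n_ports; struct port *ports[MAX_PORTS]; };
enum mode { FIXED, HOST_FREED_TWICE, MEMBERS_NOT_FREED };
struct result { int double_frees, leaks; };

/* Tracking allocator: a second free is counted instead of hitting the heap. */
static struct tracked { void *p; int live; } tracked[MAX_TRACKED];
static int n_tracked, double_frees;

static void *talloc(size_t size)
{
	void *p = n_tracked < MAX_TRACKED ? calloc(1, size) : NULL;

	if (p)
		tracked[n_tracked++] = (struct tracked){ p, 1 };
	return p;
}

static void tfree(void *p)
{
	for (int i = 0; p && i < n_tracked; i++) {
		if (tracked[i].p == p) {
			double_frees += !tracked[i].live;
			tracked[i].live = 0;
		}
	}
}

/* Models ata_port_free() from patch 2, with the NULL check from patch 1. */
static void port_free(struct port *ap, enum mode m)
{
	if (!ap)	/* slot never filled: an earlier allocation failed */
		return;
	if (m != MEMBERS_NOT_FREED) {	/* a bare kfree(ap) skips these */
		tfree(ap->pmp_link);
		tfree(ap->slave_link);
		tfree(ap->ncq_sense_buf);
	}
	tfree(ap);
}

/* Models ata_host_release(): the one place that frees host. */
static void host_release(struct host *h, enum mode m)
{
	for (int i = 0; i < h->n_ports; i++) {
		port_free(h->ports[i], m);
		h->ports[i] = NULL;
	}
	tfree(h);
}

/* Allocate n_ports (<= MAX_PORTS) ports; allocating port fail_at fails
 * (-1: none). Returns what the teardown left behind. */
struct result host_alloc_model(int n_ports, int fail_at, enum mode m)
{
	struct result r = { 0, 0 };
	struct host *h = talloc(sizeof(*h));
	int failed = 0;

	if (!h)
		return r;
	h->n_ports = n_ports;
	for (int i = 0; i < n_ports && !failed; i++) {
		struct port *ap = i == fail_at ? NULL : talloc(sizeof(*ap));

		failed = !ap;
		if (ap) {
			ap->ncq_sense_buf = talloc(32);
			h->ports[i] = ap;
		}
	}
	host_release(h, m);	/* on error: what devres_release_group() triggers */
	if (failed && m == HOST_FREED_TWICE)
		tfree(h);	/* the old err_free label: kfree(host) again */
	r.double_frees = double_frees;
	for (int i = 0; i < n_tracked; i++) {
		r.leaks += tracked[i].live;
		free(tracked[i].p);
	}
	n_tracked = double_frees = 0;
	return r;
}
```

Calling host_alloc_model(4, 2, mode) for each mode shows the three outcomes side by side: a clean teardown, one double free of the host, and two leaked ncq_sense_buf allocations.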