releases/3.16.3/mtd-ftl-fix-the-double-free-of-the-buffers-allocated-in-build_maps.patch

   1 From a152056c912db82860a8b4c23d0bd3a5aa89e363 Mon Sep 17 00:00:00 2001
   2 From: Kevin Hao <haokexin@gmail.com>
   3 Date: Thu, 3 Jul 2014 10:35:26 +0800
   4 Subject: mtd/ftl: fix the double free of the buffers allocated in build_maps()
   5
   6 From: Kevin Hao <haokexin@gmail.com>
   7
   8 commit a152056c912db82860a8b4c23d0bd3a5aa89e363 upstream.
   9
  10 I got the following panic on my fsl p5020ds board.
  11
  12   Unable to handle kernel paging request for data at address 0x7375627379737465
  13   Faulting instruction address: 0xc000000000100778
  14   Oops: Kernel access of bad area, sig: 11 [#1]
  15   SMP NR_CPUS=24 CoreNet Generic
  16   Modules linked in:
  17   CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.15.0-next-20140613 #145
  18   task: c0000000fe080000 ti: c0000000fe088000 task.ti: c0000000fe088000
  19   NIP: c000000000100778 LR: c00000000010073c CTR: 0000000000000000
  20   REGS: c0000000fe08aa00 TRAP: 0300   Not tainted  (3.15.0-next-20140613)
  21   MSR: 0000000080029000 <CE,EE,ME>  CR: 24ad2e24  XER: 00000000
  22   DEAR: 7375627379737465 ESR: 0000000000000000 SOFTE: 1
  23   GPR00: c0000000000c99b0 c0000000fe08ac80 c0000000009598e0 c0000000fe001d80
  24   GPR04: 00000000000000d0 0000000000000913 c000000007902b20 0000000000000000
  25   GPR08: c0000000feaae888 0000000000000000 0000000007091000 0000000000200200
  26   GPR12: 0000000028ad2e28 c00000000fff4000 c0000000007abe08 0000000000000000
  27   GPR16: c0000000007ab160 c0000000007aaf98 c00000000060ba68 c0000000007abda8
  28   GPR20: c0000000007abde8 c0000000feaea6f8 c0000000feaea708 c0000000007abd10
  29   GPR24: c000000000989370 c0000000008c6228 00000000000041ed c0000000fe00a400
  30   GPR28: c00000000017c1cc 00000000000000d0 7375627379737465 c0000000fe001d80
  31   NIP [c000000000100778] .__kmalloc_track_caller+0x70/0x168
  32   LR [c00000000010073c] .__kmalloc_track_caller+0x34/0x168
  33   Call Trace:
  34   [c0000000fe08ac80] [c00000000087e6b8] uevent_sock_list+0x0/0x10 (unreliable)
  35   [c0000000fe08ad20] [c0000000000c99b0] .kstrdup+0x44/0x90
  36   [c0000000fe08adc0] [c00000000017c1cc] .__kernfs_new_node+0x4c/0x130
  37   [c0000000fe08ae70] [c00000000017d7e4] .kernfs_new_node+0x2c/0x64
  38   [c0000000fe08aef0] [c00000000017db00] .kernfs_create_dir_ns+0x34/0xc8
  39   [c0000000fe08af80] [c00000000018067c] .sysfs_create_dir_ns+0x58/0xcc
  40   [c0000000fe08b010] [c0000000002c711c] .kobject_add_internal+0xc8/0x384
  41   [c0000000fe08b0b0] [c0000000002c7644] .kobject_add+0x64/0xc8
  42   [c0000000fe08b140] [c000000000355ebc] .device_add+0x11c/0x654
  43   [c0000000fe08b200] [c0000000002b5988] .add_disk+0x20c/0x4b4
  44   [c0000000fe08b2c0] [c0000000003a21d4] .add_mtd_blktrans_dev+0x340/0x514
  45   [c0000000fe08b350] [c0000000003a3410] .mtdblock_add_mtd+0x74/0xb4
  46   [c0000000fe08b3e0] [c0000000003a32cc] .blktrans_notify_add+0x64/0x94
  47   [c0000000fe08b470] [c00000000039b5b4] .add_mtd_device+0x1d4/0x368
  48   [c0000000fe08b520] [c00000000039b830] .mtd_device_parse_register+0xe8/0x104
  49   [c0000000fe08b5c0] [c0000000003b8408] .of_flash_probe+0x72c/0x734
  50   [c0000000fe08b750] [c00000000035ba40] .platform_drv_probe+0x38/0x84
  51   [c0000000fe08b7d0] [c0000000003599a4] .really_probe+0xa4/0x29c
  52   [c0000000fe08b870] [c000000000359d3c] .__driver_attach+0x100/0x104
  53   [c0000000fe08b900] [c00000000035746c] .bus_for_each_dev+0x84/0xe4
  54   [c0000000fe08b9a0] [c0000000003593c0] .driver_attach+0x24/0x38
  55   [c0000000fe08ba10] [c000000000358f24] .bus_add_driver+0x1c8/0x2ac
  56   [c0000000fe08bab0] [c00000000035a3a4] .driver_register+0x8c/0x158
  57   [c0000000fe08bb30] [c00000000035b9f4] .__platform_driver_register+0x6c/0x80
  58   [c0000000fe08bba0] [c00000000084e080] .of_flash_driver_init+0x1c/0x30
  59   [c0000000fe08bc10] [c000000000001864] .do_one_initcall+0xbc/0x238
  60   [c0000000fe08bd00] [c00000000082cdc0] .kernel_init_freeable+0x188/0x268
  61   [c0000000fe08bdb0] [c0000000000020a0] .kernel_init+0x1c/0xf7c
  62   [c0000000fe08be30] [c000000000000884] .ret_from_kernel_thread+0x58/0xd4
  63   Instruction dump:
  64   41bd0010 480000c8 4bf04eb5 60000000 e94d0028 e93f0000 7cc95214 e8a60008
  65   7fc9502a 2fbe0000 419e00c8 e93f0022 <7f7e482a> 39200000 88ed06b2 992d06b2
  66   ---[ end trace b4c9a94804a42d40 ]---
  67
  68 It seems that the corrupted partition header on my mtd device triggers
  69 a bug in the ftl. In function build_maps() it will allocate the buffers
  70 needed by the mtd partition, but if something goes wrong such as kmalloc
  71 failure, mtd read error or invalid partition header parameter, it will
  72 free all allocated buffers and then return non-zero. In my case, it
  73 seems that partition header parameter 'NumTransferUnits' is invalid.
  74
  75 And the ftl_freepart() is a function which free all the partition
  76 buffers allocated by build_maps(). Given the build_maps() is a self
  77 cleaning function, so there is no need to invoke this function even
  78 if build_maps() return with error. Otherwise it will causes the
  79 buffers to be freed twice and then weird things would happen.
  80
  81 Signed-off-by: Kevin Hao <haokexin@gmail.com>
  82 Signed-off-by: Brian Norris <computersforpeace@gmail.com>
  83 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  84
  85 ---
  86  drivers/mtd/ftl.c |    1 -
  87  1 file changed, 1 deletion(-)
  88
  89 --- a/drivers/mtd/ftl.c
  90 +++ b/drivers/mtd/ftl.c
  91 @@ -1075,7 +1075,6 @@ static void ftl_add_mtd(struct mtd_blktr
  92                         return;
  93         }
  94
  95 -       ftl_freepart(partition);
  96         kfree(partition);
  97  }
  98