1 From 0b777eee88d712256ba8232a9429edb17c4f9ceb Mon Sep 17 00:00:00 2001
2 From: John Garry <john.garry@huawei.com>
3 Date: Thu, 28 Mar 2019 18:08:05 +0800
4 Subject: driver core: Postpone DMA tear-down until after devres release for probe failure
6 From: John Garry <john.garry@huawei.com>
8 commit 0b777eee88d712256ba8232a9429edb17c4f9ceb upstream.
10 In commit 376991db4b64 ("driver core: Postpone DMA tear-down until after
11 devres release"), we changed the ordering of tearing down the device DMA
12 ops and releasing all the device's resources; this was because the DMA ops
13 should be maintained until we release the device's managed DMA memories.
15 However, we have seen another crash on an arm64 system when a
16 device driver probe fails:
18 hisi_sas_v3_hw 0000:74:02.0: Adding to iommu group 2
19 scsi host1: hisi_sas_v3_hw
20 BUG: Bad page state in process swapper/0 pfn:313f5
21 page:ffff7e0000c4fd40 count:1 mapcount:0
22 mapping:0000000000000000 index:0x0
23 flags: 0xfffe00000001000(reserved)
24 raw: 0fffe00000001000 ffff7e0000c4fd48 ffff7e0000c4fd48
26 raw: 0000000000000000 0000000000000000 00000001ffffffff
28 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
29 bad because of flags: 0x1000(reserved)
31 CPU: 49 PID: 1 Comm: swapper/0 Not tainted
32 5.1.0-rc1-43081-g22d97fd-dirty #1433
33 Hardware name: Huawei D06/D06, BIOS Hisilicon D06 UEFI
34 RC0 - V1.12.01 01/29/2019
36 dump_backtrace+0x0/0x118
40 free_pages_check_bad+0x4c/0xc0
41 __free_pages_ok+0x30c/0x340
42 __free_pages+0x30/0x44
43 __dma_direct_free_pages+0x30/0x38
44 dma_direct_free+0x24/0x38
45 dma_free_attrs+0x9c/0xd8
46 dmam_release+0x20/0x28
47 release_nodes+0x17c/0x220
48 devres_release_all+0x34/0x54
49 really_probe+0xc4/0x2c8
50 driver_probe_device+0x58/0xfc
51 device_driver_attach+0x68/0x70
52 __driver_attach+0x94/0xdc
53 bus_for_each_dev+0x5c/0xb4
54 driver_attach+0x20/0x28
55 bus_add_driver+0x14c/0x200
56 driver_register+0x6c/0x124
57 __pci_register_driver+0x48/0x50
58 sas_v3_pci_driver_init+0x20/0x28
59 do_one_initcall+0x40/0x25c
60 kernel_init_freeable+0x2b8/0x3c0
61 kernel_init+0x10/0x100
62 ret_from_fork+0x10/0x18
63 Disabling lock debugging due to kernel taint
64 BUG: Bad page state in process swapper/0 pfn:313f6
65 page:ffff7e0000c4fd80 count:1 mapcount:0
66 mapping:0000000000000000 index:0x0
67 [ 89.322983] flags: 0xfffe00000001000(reserved)
68 raw: 0fffe00000001000 ffff7e0000c4fd88 ffff7e0000c4fd88
70 raw: 0000000000000000 0000000000000000 00000001ffffffff
73 The crash occurs for the same reason.
75 In this case, on the really_probe() failure path, we are still clearing
76 the DMA ops prior to releasing the device's managed memories.
78 This patch fixes this issue by reordering the DMA ops teardown and the
79 call to devres_release_all() on the failure path.
81 Reported-by: Xiang Chen <chenxiang66@hisilicon.com>
82 Tested-by: Xiang Chen <chenxiang66@hisilicon.com>
83 Signed-off-by: John Garry <john.garry@huawei.com>
84 Reviewed-by: Robin Murphy <robin.murphy@arm.com>
85 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
88 drivers/base/dd.c | 5 ++---
89 1 file changed, 2 insertions(+), 3 deletions(-)
91 --- a/drivers/base/dd.c
92 +++ b/drivers/base/dd.c
93 @@ -486,7 +486,7 @@ re_probe:
94 if (dev->bus->dma_configure) {
95 ret = dev->bus->dma_configure(dev);
101 if (driver_sysfs_add(dev)) {
102 @@ -542,14 +542,13 @@ re_probe:
106 - arch_teardown_dma_ops(dev);
109 blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
110 BUS_NOTIFY_DRIVER_NOT_BOUND, dev);
112 device_links_no_driver(dev);
113 devres_release_all(dev);
114 + arch_teardown_dma_ops(dev);
115 driver_sysfs_remove(dev);
117 dev_set_drvdata(dev, NULL);
projects / thirdparty / kernel / stable-queue.git / blob