linux-stable.git/drivers/uio, branch v3.16.78 Linux kernel stable tree uio: Fix an Oops on load 2019-02-11T17:54:00+00:00 Dan Carpenter dan.carpenter@oracle.com 2018-10-26T07:19:51+00:00 63f8d901158cd19e7531b36c403d82f97f48ff1b commit 432798195bbce1f8cd33d1c0284d0538835e25fb upstream. I was trying to solve a double free but I introduced a more serious NULL dereference bug. The problem is that if there is an IRQ which triggers immediately, then we need "info->uio_dev" but it's not set yet. This patch puts the original initialization back to how it was and just sets info->uio_dev to NULL on the error path so it should solve both the Oops and the double free. Fixes: f019f07ecf6a ("uio: potential double frees if __uio_register_device() fails") Reported-by: Mathias Thore <Mathias.Thore@infinera.com> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Tested-by: Mathias Thore <Mathias.Thore@infinera.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 432798195bbce1f8cd33d1c0284d0538835e25fb upstream.

I was trying to solve a double free but I introduced a more serious
NULL dereference bug.  The problem is that if there is an IRQ which
triggers immediately, then we need "info->uio_dev" but it's not set yet.

This patch puts the original initialization back to how it was and just
sets info->uio_dev to NULL on the error path so it should solve both
the Oops and the double free.

Fixes: f019f07ecf6a ("uio: potential double frees if __uio_register_device() fails")
Reported-by: Mathias Thore <Mathias.Thore@infinera.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Tested-by: Mathias Thore <Mathias.Thore@infinera.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
uio: potential double frees if __uio_register_device() fails 2018-12-16T22:08:32+00:00 Dan Carpenter dan.carpenter@oracle.com 2018-08-02T08:24:47+00:00 618a41aecf23b5eefc1d6200cacb22d5beb3debc commit f019f07ecf6a6b8bd6d7853bce70925d90af02d1 upstream. The uio_unregister_device() function assumes that if "info->uio_dev" is non-NULL that means "info" is fully allocated. Setting info->uio_de has to be the last thing in the function. In the current code, if request_threaded_irq() fails then we return with info->uio_dev set to non-NULL but info is not fully allocated and it can lead to double frees. Fixes: beafc54c4e2f ("UIO: Add the User IO core code") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit f019f07ecf6a6b8bd6d7853bce70925d90af02d1 upstream.

The uio_unregister_device() function assumes that if "info->uio_dev" is
non-NULL that means "info" is fully allocated.  Setting info->uio_de
has to be the last thing in the function.

In the current code, if request_threaded_irq() fails then we return with
info->uio_dev set to non-NULL but info is not fully allocated and it can
lead to double frees.

Fixes: beafc54c4e2f ("UIO: Add the User IO core code")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
uio: fix incorrect memory leak cleanup 2017-09-15T17:29:40+00:00 Suman Anna s-anna@ti.com 2017-05-09T23:58:24+00:00 6c4538cfb15e6d979c37f02a854cf05502661a6b commit 0d83539092ddb1ab79b4d65bccb866bf07ea2ccd upstream. Commit 75f0aef6220d ("uio: fix memory leak") has fixed up some memory leaks during the failure paths of the addition of uio attributes, but still is not correct entirely. A kobject_uevent() failure still needs a kobject_put() and the kobject container structure allocation failure before the kobject_init() doesn't need a kobject_put(). Fix this properly. Fixes: 75f0aef6220d ("uio: fix memory leak") Signed-off-by: Suman Anna <s-anna@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 0d83539092ddb1ab79b4d65bccb866bf07ea2ccd upstream.

Commit 75f0aef6220d ("uio: fix memory leak") has fixed up some
memory leaks during the failure paths of the addition of uio
attributes, but still is not correct entirely. A kobject_uevent()
failure still needs a kobject_put() and the kobject container
structure allocation failure before the kobject_init() doesn't
need a kobject_put(). Fix this properly.

Fixes: 75f0aef6220d ("uio: fix memory leak")
Signed-off-by: Suman Anna <s-anna@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
uio: add missing error codes 2017-09-15T17:29:39+00:00 Dan Carpenter dan.carpenter@oracle.com 2016-04-01T11:04:23+00:00 128866edb60af3918559b130b56df5108acffd76 commit 0320a278b9ef80cfa44f74b7f9bb36781695f3ee upstream. My static checker complains that "ret" could be uninitialized at the end, which is true but it's more likely that it would be set to zero. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 0320a278b9ef80cfa44f74b7f9bb36781695f3ee upstream.

My static checker complains that "ret" could be uninitialized at the
end, which is true but it's more likely that it would be set to zero.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
uio: fix dmem_region_start computation 2017-02-23T03:53:56+00:00 Jan Viktorin viktorin@rehivetech.com 2016-05-17T09:22:17+00:00 3ab4b2989ec51a7b1f8ac2568380a05592fafd2b commit 4d31a2588ae37a5d0f61f4d956454e9504846aeb upstream. The variable i contains a total number of resources (including IORESOURCE_IRQ). However, we want the dmem_region_start to point after the last resource of type IORESOURCE_MEM. The original behaviour leads (very likely) to skipping several UIO mapping regions and makes them useless. Fix this by computing dmem_region_start from the uiomem which points to the last used UIO mapping. Fixes: 0a0c3b5a24bd ("Add new uio device for dynamic memory allocation") Signed-off-by: Jan Viktorin <viktorin@rehivetech.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 4d31a2588ae37a5d0f61f4d956454e9504846aeb upstream.

The variable i contains a total number of resources (including
IORESOURCE_IRQ). However, we want the dmem_region_start to point
after the last resource of type IORESOURCE_MEM. The original behaviour
leads (very likely) to skipping several UIO mapping regions and makes
them useless. Fix this by computing dmem_region_start from the uiomem
which points to the last used UIO mapping.

Fixes: 0a0c3b5a24bd ("Add new uio device for dynamic memory allocation")

Signed-off-by: Jan Viktorin <viktorin@rehivetech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Revert "uio: fix vma io range check in mmap" 2014-06-17T23:07:08+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2014-06-17T23:07:08+00:00 b29f680c4fe305902d02c1d5aa4968fe13a45fe6 This reverts commit ddb09754e6c7239e302c7b675df9bbd415f8de5d. Linus objected to this originally, I can see why it might be needed, but given that no one spoke up defending this patch, I'm going to revert it. If you have hardware that requires this change, please speak up in the future and defend the patch. Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Bin Wang <binw@marvell.com> Cc: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com> Cc: Norbert Ciosek <norbertciosek@gmail.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
This reverts commit ddb09754e6c7239e302c7b675df9bbd415f8de5d.

Linus objected to this originally, I can see why it might be needed, but
given that no one spoke up defending this patch, I'm going to revert it.

If you have hardware that requires this change, please speak up in the
future and defend the patch.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Bin Wang <binw@marvell.com>
Cc: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Cc: Norbert Ciosek <norbertciosek@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
uio: fix vma io range check in mmap 2014-05-27T21:11:06+00:00 Bin Wang binw@marvell.com 2014-03-25T05:52:06+00:00 ddb09754e6c7239e302c7b675df9bbd415f8de5d the vma range size is always page size aligned in mmap, while the real io space range may not be page aligned, thus leading to range check failure in the uio_mmap_physical(). for example, in a case of io range size "mem->size == 1KB", and we have (vma->vm_end - vma->vm_start) == 4KB, due to "len" is aligned to page size in do_mmap_pgoff(). now fix this issue by align mem->size to page size in the check. Signed-off-by: Bin Wang <binw@marvell.com> Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
the vma range size is always page size aligned in mmap, while the
real io space range may not be page aligned, thus leading to range
check failure in the uio_mmap_physical().

for example, in a case of io range size "mem->size == 1KB", and we
have (vma->vm_end - vma->vm_start) == 4KB, due to "len" is aligned
to page size in do_mmap_pgoff().

now fix this issue by align mem->size to page size in the check.

Signed-off-by: Bin Wang <binw@marvell.com>
Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers: uio_dmem_genirq: Fix memory leak in uio_dmem_genirq_probe() 2014-05-27T21:11:06+00:00 Daeseok Youn daeseok.youn@gmail.com 2014-05-22T00:46:12+00:00 ca3c61f358d8e5a4b2732d6aa81ac46f677e69f0 When platform_get_irq() is failed after "priv" allocated, it need to free "priv". But the label of bad0 doesn't try to free about "priv". So this patch changes that lable to "bad1". But "bad1" has pm_runtime_disable() call, this function should be called when uio_register_device() is failed. So it is moved into handling error for uio_register_device(). Signed-off-by: Daeseok Youn <daeseok.youn@gmail.com> Signed-off-by: Hans J. Koch <hjk@hansjkoch.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
When platform_get_irq() is failed after "priv" allocated,
it need to free "priv". But the label of bad0 doesn't try
to free about "priv". So this patch changes that lable to "bad1".
But "bad1" has pm_runtime_disable() call, this function should
be called when uio_register_device() is failed. So it is moved
into handling error for uio_register_device().

Signed-off-by: Daeseok Youn <daeseok.youn@gmail.com>
Signed-off-by: Hans J. Koch <hjk@hansjkoch.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
uio: fix devm_request_irq usage 2013-12-20T16:49:17+00:00 Aaro Koskinen aaro.koskinen@nsn.com 2013-12-20T14:19:47+00:00 632fefaf1fff7c344191c363e08a43cf006fe60e Commit e6789cd3dfb553077606ccafeb05e0043f072481 (uio: Simplify uio error path by using devres functions) converted uio to use devm_request_irq(). This introduced a change in behaviour since the IRQ is associated with the parent device instead of the created UIO device. The IRQ will remain active after uio_unregister_device() is called, and some drivers will crash because of this. The patch fixes this. Signed-off-by: Aaro Koskinen <aaro.koskinen@nsn.com> Cc: stable <stable@vger.kernel.org> # 3.13 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Commit e6789cd3dfb553077606ccafeb05e0043f072481 (uio: Simplify uio error
path by using devres functions) converted uio to use devm_request_irq().
This introduced a change in behaviour since the IRQ is associated with
the parent device instead of the created UIO device. The IRQ will remain
active after uio_unregister_device() is called, and some drivers will
crash because of this. The patch fixes this.

Signed-off-by: Aaro Koskinen <aaro.koskinen@nsn.com>
Cc: stable <stable@vger.kernel.org> # 3.13
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge 3.13-rc4 into char-misc-next 2013-12-17T00:11:28+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2013-12-17T00:11:28+00:00 138a6d7ea2deb3080116a4f99019e181b62e5ce5 We want these fixes in here. 
We want these fixes in here.