linux-stable.git/drivers/uio, branch v3.18.136 Linux kernel stable tree uio: Fix an Oops on load 2018-11-27T15:05:37+00:00 Dan Carpenter dan.carpenter@oracle.com 2018-10-26T07:19:51+00:00 5221513ba055c771e15fc6618650aa105d39c4fe commit 432798195bbce1f8cd33d1c0284d0538835e25fb upstream. I was trying to solve a double free but I introduced a more serious NULL dereference bug. The problem is that if there is an IRQ which triggers immediately, then we need "info->uio_dev" but it's not set yet. This patch puts the original initialization back to how it was and just sets info->uio_dev to NULL on the error path so it should solve both the Oops and the double free. Fixes: f019f07ecf6a ("uio: potential double frees if __uio_register_device() fails") Reported-by: Mathias Thore <Mathias.Thore@infinera.com> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable <stable@vger.kernel.org> Tested-by: Mathias Thore <Mathias.Thore@infinera.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 432798195bbce1f8cd33d1c0284d0538835e25fb upstream.

I was trying to solve a double free but I introduced a more serious
NULL dereference bug.  The problem is that if there is an IRQ which
triggers immediately, then we need "info->uio_dev" but it's not set yet.

This patch puts the original initialization back to how it was and just
sets info->uio_dev to NULL on the error path so it should solve both
the Oops and the double free.

Fixes: f019f07ecf6a ("uio: potential double frees if __uio_register_device() fails")
Reported-by: Mathias Thore <Mathias.Thore@infinera.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Tested-by: Mathias Thore <Mathias.Thore@infinera.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
uio: ensure class is registered before devices 2018-11-22T06:32:43+00:00 Alexandre Belloni alexandre.belloni@bootlin.com 2018-08-16T07:39:41+00:00 97b7b0e404e3c8860a1c697d2395e9c6a481f9e9 [ Upstream commit ae61cf5b9913027c6953a79ed3894da4f47061bd ] When both uio and the uio drivers are built in the kernel, it is possible for a driver to register devices before the uio class is registered. This may result in a NULL pointer dereference later on in get_device_parent() when accessing the class glue_dirs spinlock. The trace looks like that: Unable to handle kernel NULL pointer dereference at virtual address 00000140 [...] [<ffff0000089cc234>] _raw_spin_lock+0x14/0x48 [<ffff0000084f56bc>] device_add+0x154/0x6a0 [<ffff0000084f5e48>] device_create_groups_vargs+0x120/0x128 [<ffff0000084f5edc>] device_create+0x54/0x60 [<ffff0000086e72c0>] __uio_register_device+0x120/0x4a8 [<ffff000008528b7c>] jaguar2_pci_probe+0x2d4/0x558 [<ffff0000083fc18c>] local_pci_probe+0x3c/0xb8 [<ffff0000083fd81c>] pci_device_probe+0x11c/0x180 [<ffff0000084f88bc>] driver_probe_device+0x22c/0x2d8 [<ffff0000084f8a24>] __driver_attach+0xbc/0xc0 [<ffff0000084f69fc>] bus_for_each_dev+0x4c/0x98 [<ffff0000084f81b8>] driver_attach+0x20/0x28 [<ffff0000084f7d08>] bus_add_driver+0x1b8/0x228 [<ffff0000084f93c0>] driver_register+0x60/0xf8 [<ffff0000083fb918>] __pci_register_driver+0x40/0x48 Return EPROBE_DEFER in that case so the driver can register the device later. Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
[ Upstream commit ae61cf5b9913027c6953a79ed3894da4f47061bd ]

When both uio and the uio drivers are built in the kernel, it is possible
for a driver to register devices before the uio class is registered.

This may result in a NULL pointer dereference later on in
get_device_parent() when accessing the class glue_dirs spinlock.

The trace looks like that:

Unable to handle kernel NULL pointer dereference at virtual address 00000140
[...]
[<ffff0000089cc234>] _raw_spin_lock+0x14/0x48
[<ffff0000084f56bc>] device_add+0x154/0x6a0
[<ffff0000084f5e48>] device_create_groups_vargs+0x120/0x128
[<ffff0000084f5edc>] device_create+0x54/0x60
[<ffff0000086e72c0>] __uio_register_device+0x120/0x4a8
[<ffff000008528b7c>] jaguar2_pci_probe+0x2d4/0x558
[<ffff0000083fc18c>] local_pci_probe+0x3c/0xb8
[<ffff0000083fd81c>] pci_device_probe+0x11c/0x180
[<ffff0000084f88bc>] driver_probe_device+0x22c/0x2d8
[<ffff0000084f8a24>] __driver_attach+0xbc/0xc0
[<ffff0000084f69fc>] bus_for_each_dev+0x4c/0x98
[<ffff0000084f81b8>] driver_attach+0x20/0x28
[<ffff0000084f7d08>] bus_add_driver+0x1b8/0x228
[<ffff0000084f93c0>] driver_register+0x60/0xf8
[<ffff0000083fb918>] __pci_register_driver+0x40/0x48

Return EPROBE_DEFER in that case so the driver can register the device
later.

Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
uio: potential double frees if __uio_register_device() fails 2018-09-26T06:33:53+00:00 Dan Carpenter dan.carpenter@oracle.com 2018-08-02T08:24:47+00:00 9b48a687f1764d5fa301209927626c221ab01909 [ Upstream commit f019f07ecf6a6b8bd6d7853bce70925d90af02d1 ] The uio_unregister_device() function assumes that if "info->uio_dev" is non-NULL that means "info" is fully allocated. Setting info->uio_de has to be the last thing in the function. In the current code, if request_threaded_irq() fails then we return with info->uio_dev set to non-NULL but info is not fully allocated and it can lead to double frees. Fixes: beafc54c4e2f ("UIO: Add the User IO core code") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
[ Upstream commit f019f07ecf6a6b8bd6d7853bce70925d90af02d1 ]

The uio_unregister_device() function assumes that if "info->uio_dev" is
non-NULL that means "info" is fully allocated.  Setting info->uio_de
has to be the last thing in the function.

In the current code, if request_threaded_irq() fails then we return with
info->uio_dev set to non-NULL but info is not fully allocated and it can
lead to double frees.

Fixes: beafc54c4e2f ("UIO: Add the User IO core code")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
uio: Export definition of struct uio_device 2014-10-03T04:35:54+00:00 Andy Grover agrover@redhat.com 2014-10-01T23:07:03+00:00 f14bb039a4e8206439d3e9abd92bc76bd142f243 In order to prevent a O(n) search of the filesystem to link up its uio node with its target configuration, TCMU needs to know the minor number that UIO assigned. Expose the definition of this struct so TCMU can access this field. Signed-off-by: Andy Grover <agrover@redhat.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org> 
In order to prevent a O(n) search of the filesystem to link up its uio
node with its target configuration, TCMU needs to know the minor number
that UIO assigned. Expose the definition of this struct so TCMU can
access this field.

Signed-off-by: Andy Grover <agrover@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Merge 3.16-rc5 into char-misc-next 2014-07-13T22:26:47+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2014-07-13T22:26:47+00:00 9f48c89862e39b7f33b44123fc425cf901c89428 This resolves a number of merge issues with changes in this tree and Linus's tree at the same time. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
This resolves a number of merge issues with changes in this tree and
Linus's tree at the same time.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
uio: uio_pruss: use struct device 2014-07-10T00:32:06+00:00 Andre Heider a.heider@gmail.com 2014-06-29T16:21:35+00:00 4719ebfd89f0a93bb3fd7f251ecd5d0acbc8bdf1 Get rid of the repeating &dev->dev constructs and prevent introducing new ones. Signed-off-by: Andre Heider <a.heider@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Get rid of the repeating &dev->dev constructs and prevent introducing
new ones.

Signed-off-by: Andre Heider <a.heider@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Revert "uio: fix vma io range check in mmap" 2014-06-17T23:07:08+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2014-06-17T23:07:08+00:00 b29f680c4fe305902d02c1d5aa4968fe13a45fe6 This reverts commit ddb09754e6c7239e302c7b675df9bbd415f8de5d. Linus objected to this originally, I can see why it might be needed, but given that no one spoke up defending this patch, I'm going to revert it. If you have hardware that requires this change, please speak up in the future and defend the patch. Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Bin Wang <binw@marvell.com> Cc: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com> Cc: Norbert Ciosek <norbertciosek@gmail.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
This reverts commit ddb09754e6c7239e302c7b675df9bbd415f8de5d.

Linus objected to this originally, I can see why it might be needed, but
given that no one spoke up defending this patch, I'm going to revert it.

If you have hardware that requires this change, please speak up in the
future and defend the patch.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Bin Wang <binw@marvell.com>
Cc: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Cc: Norbert Ciosek <norbertciosek@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
uio: fix vma io range check in mmap 2014-05-27T21:11:06+00:00 Bin Wang binw@marvell.com 2014-03-25T05:52:06+00:00 ddb09754e6c7239e302c7b675df9bbd415f8de5d the vma range size is always page size aligned in mmap, while the real io space range may not be page aligned, thus leading to range check failure in the uio_mmap_physical(). for example, in a case of io range size "mem->size == 1KB", and we have (vma->vm_end - vma->vm_start) == 4KB, due to "len" is aligned to page size in do_mmap_pgoff(). now fix this issue by align mem->size to page size in the check. Signed-off-by: Bin Wang <binw@marvell.com> Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
the vma range size is always page size aligned in mmap, while the
real io space range may not be page aligned, thus leading to range
check failure in the uio_mmap_physical().

for example, in a case of io range size "mem->size == 1KB", and we
have (vma->vm_end - vma->vm_start) == 4KB, due to "len" is aligned
to page size in do_mmap_pgoff().

now fix this issue by align mem->size to page size in the check.

Signed-off-by: Bin Wang <binw@marvell.com>
Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers: uio_dmem_genirq: Fix memory leak in uio_dmem_genirq_probe() 2014-05-27T21:11:06+00:00 Daeseok Youn daeseok.youn@gmail.com 2014-05-22T00:46:12+00:00 ca3c61f358d8e5a4b2732d6aa81ac46f677e69f0 When platform_get_irq() is failed after "priv" allocated, it need to free "priv". But the label of bad0 doesn't try to free about "priv". So this patch changes that lable to "bad1". But "bad1" has pm_runtime_disable() call, this function should be called when uio_register_device() is failed. So it is moved into handling error for uio_register_device(). Signed-off-by: Daeseok Youn <daeseok.youn@gmail.com> Signed-off-by: Hans J. Koch <hjk@hansjkoch.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
When platform_get_irq() is failed after "priv" allocated,
it need to free "priv". But the label of bad0 doesn't try
to free about "priv". So this patch changes that lable to "bad1".
But "bad1" has pm_runtime_disable() call, this function should
be called when uio_register_device() is failed. So it is moved
into handling error for uio_register_device().

Signed-off-by: Daeseok Youn <daeseok.youn@gmail.com>
Signed-off-by: Hans J. Koch <hjk@hansjkoch.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
uio: fix devm_request_irq usage 2013-12-20T16:49:17+00:00 Aaro Koskinen aaro.koskinen@nsn.com 2013-12-20T14:19:47+00:00 632fefaf1fff7c344191c363e08a43cf006fe60e Commit e6789cd3dfb553077606ccafeb05e0043f072481 (uio: Simplify uio error path by using devres functions) converted uio to use devm_request_irq(). This introduced a change in behaviour since the IRQ is associated with the parent device instead of the created UIO device. The IRQ will remain active after uio_unregister_device() is called, and some drivers will crash because of this. The patch fixes this. Signed-off-by: Aaro Koskinen <aaro.koskinen@nsn.com> Cc: stable <stable@vger.kernel.org> # 3.13 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Commit e6789cd3dfb553077606ccafeb05e0043f072481 (uio: Simplify uio error
path by using devres functions) converted uio to use devm_request_irq().
This introduced a change in behaviour since the IRQ is associated with
the parent device instead of the created UIO device. The IRQ will remain
active after uio_unregister_device() is called, and some drivers will
crash because of this. The patch fixes this.

Signed-off-by: Aaro Koskinen <aaro.koskinen@nsn.com>
Cc: stable <stable@vger.kernel.org> # 3.13
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>