linux-stable.git/drivers/vme, branch linux-4.9.y Linux kernel stable tree vme: Fix error not catched in fake_init() 2023-01-07T11:07:26+00:00 Chen Zhongjin chenzhongjin@huawei.com 2022-12-05T08:48:05+00:00 e831fdd60e5863ee03173baf5a0f7c5450b44381 [ Upstream commit 7bef797d707f1744f71156b21d41e3b8c946631f ] In fake_init(), __root_device_register() is possible to fail but it's ignored, which can cause unregistering vme_root fail when exit. general protection fault, probably for non-canonical address 0xdffffc000000008c KASAN: null-ptr-deref in range [0x0000000000000460-0x0000000000000467] RIP: 0010:root_device_unregister+0x26/0x60 Call Trace: <TASK> __x64_sys_delete_module+0x34f/0x540 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Return error when __root_device_register() fails. Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver") Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com> Link: https://lore.kernel.org/r/20221205084805.147436-1-chenzhongjin@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 7bef797d707f1744f71156b21d41e3b8c946631f ]

In fake_init(), __root_device_register() is possible to fail but it's
ignored, which can cause unregistering vme_root fail when exit.

 general protection fault,
 probably for non-canonical address 0xdffffc000000008c
 KASAN: null-ptr-deref in range [0x0000000000000460-0x0000000000000467]
 RIP: 0010:root_device_unregister+0x26/0x60
 Call Trace:
  <TASK>
  __x64_sys_delete_module+0x34f/0x540
  do_syscall_64+0x38/0x90
  entry_SYSCALL_64_after_hwframe+0x63/0xcd

Return error when __root_device_register() fails.

Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Link: https://lore.kernel.org/r/20221205084805.147436-1-chenzhongjin@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
staging: vme_user: Fix possible UAF in tsi148_dma_list_add 2023-01-07T11:07:25+00:00 Gaosheng Cui cuigaosheng1@huawei.com 2022-11-17T03:59:14+00:00 5cc4eea715a3fcf4e516662f736dfee63979465f [ Upstream commit 357057ee55d3c99a5de5abe8150f7bca04f8e53b ] Smatch report warning as follows: drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn: '&entry->list' not removed from list In tsi148_dma_list_add(), the error path "goto err_dma" will not remove entry->list from list->entries, but entry will be freed, then list traversal may cause UAF. Fix by removeing it from list->entries before free(). Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping") Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 357057ee55d3c99a5de5abe8150f7bca04f8e53b ]

Smatch report warning as follows:

drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn:
  '&entry->list' not removed from list

In tsi148_dma_list_add(), the error path "goto err_dma" will not
remove entry->list from list->entries, but entry will be freed,
then list traversal may cause UAF.

Fix by removeing it from list->entries before free().

Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
vme: bridges: reduce stack usage 2020-02-28T14:42:33+00:00 Arnd Bergmann arnd@arndb.de 2020-01-07T20:05:43+00:00 f426db8c072286b77f2fc9049dd63d522a1f28bc [ Upstream commit 7483e7a939c074d887450ef1c4d9ccc5909405f8 ] With CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE_O3, the stack usage in vme_fake grows above the warning limit: drivers/vme/bridges/vme_fake.c: In function 'fake_master_read': drivers/vme/bridges/vme_fake.c:610:1: error: the frame size of 1160 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] drivers/vme/bridges/vme_fake.c: In function 'fake_master_write': drivers/vme/bridges/vme_fake.c:797:1: error: the frame size of 1160 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] The problem is that in some configurations, each call to fake_vmereadX() puts another variable on the stack. Reduce the amount of inlining to get back to the previous state, with no function using more than 200 bytes each. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Link: https://lore.kernel.org/r/20200107200610.3482901-1-arnd@arndb.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 7483e7a939c074d887450ef1c4d9ccc5909405f8 ]

With CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE_O3, the stack usage in vme_fake
grows above the warning limit:

drivers/vme/bridges/vme_fake.c: In function 'fake_master_read':
drivers/vme/bridges/vme_fake.c:610:1: error: the frame size of 1160 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
drivers/vme/bridges/vme_fake.c: In function 'fake_master_write':
drivers/vme/bridges/vme_fake.c:797:1: error: the frame size of 1160 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]

The problem is that in some configurations, each call to
fake_vmereadX() puts another variable on the stack.

Reduce the amount of inlining to get back to the previous state,
with no function using more than 200 bytes each.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20200107200610.3482901-1-arnd@arndb.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
VME: restore bus_remove function causing incomplete module unload 2017-03-12T05:41:50+00:00 Stefano Babic sbabic@denx.de 2017-01-20T15:38:20+00:00 5af94e637fd8b2b89ea49bfd112b37137fbecb0e commit 9797484ba83d68f18fe1cbd964b7cd830f78f0f7 upstream. Commit 050c3d52cc7810d9d17b8cd231708609af6876ae ("vme: make core vme support explicitly non-modular") dropped the remove function because it appeared as if it was for removal of the bus, which is not supported. However, vme_bus_remove() is called when a VME device is removed from the bus and not when the bus is removed; as it calls the VME device driver's cleanup function. Without this function, the remove() in the VME device driver is never called and VME device drivers cannot be reloaded again. Here we restore the remove function that was deleted in that commit, and the reference to the function in the bus structure. Fixes: 050c3d52cc78 ("vme: make core vme support explicitly non-modular") Cc: Manohar Vanga <manohar.vanga@gmail.com> Acked-by: Martyn Welch <martyn@welchs.me.uk> Cc: devel@driverdev.osuosl.org Signed-off-by: Stefano Babic <sbabic@denx.de> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 9797484ba83d68f18fe1cbd964b7cd830f78f0f7 upstream.

Commit 050c3d52cc7810d9d17b8cd231708609af6876ae ("vme: make core
vme support explicitly non-modular") dropped the remove function
because it appeared as if it was for removal of the bus, which is
not supported.

However, vme_bus_remove() is called when a VME device is removed
from the bus and not when the bus is removed; as it calls the VME
device driver's cleanup function.  Without this function, the
remove() in the VME device driver is never called and VME device
drivers cannot be reloaded again.

Here we restore the remove function that was deleted in that
commit, and the reference to the function in the bus structure.

Fixes: 050c3d52cc78 ("vme: make core vme support explicitly non-modular")
Cc: Manohar Vanga <manohar.vanga@gmail.com>
Acked-by: Martyn Welch <martyn@welchs.me.uk>
Cc: devel@driverdev.osuosl.org
Signed-off-by: Stefano Babic <sbabic@denx.de>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
vme: Fix wrong pointer utilization in ca91cx42_slave_get 2017-01-19T19:18:02+00:00 Augusto Mecking Caringi augustocaringi@gmail.com 2017-01-10T10:45:00+00:00 57bfd5a3710bff25e35974de6db8816103d44973 commit c8a6a09c1c617402cc9254b2bc8da359a0347d75 upstream. In ca91cx42_slave_get function, the value pointed by vme_base pointer is set through: *vme_base = ioread32(bridge->base + CA91CX42_VSI_BS[i]); So it must be dereferenced to be used in calculation of pci_base: *pci_base = (dma_addr_t)*vme_base + pci_offset; This bug was caught thanks to the following gcc warning: drivers/vme/bridges/vme_ca91cx42.c: In function ‘ca91cx42_slave_get’: drivers/vme/bridges/vme_ca91cx42.c:467:14: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] *pci_base = (dma_addr_t)vme_base + pci_offset; Signed-off-by: Augusto Mecking Caringi <augustocaringi@gmail.com> Acked-By: Martyn Welch <martyn@welchs.me.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit c8a6a09c1c617402cc9254b2bc8da359a0347d75 upstream.

In ca91cx42_slave_get function, the value pointed by vme_base pointer is
set through:

*vme_base = ioread32(bridge->base + CA91CX42_VSI_BS[i]);

So it must be dereferenced to be used in calculation of pci_base:

*pci_base = (dma_addr_t)*vme_base + pci_offset;

This bug was caught thanks to the following gcc warning:

drivers/vme/bridges/vme_ca91cx42.c: In function ‘ca91cx42_slave_get’:
drivers/vme/bridges/vme_ca91cx42.c:467:14: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
*pci_base = (dma_addr_t)vme_base + pci_offset;

Signed-off-by: Augusto Mecking Caringi <augustocaringi@gmail.com>
Acked-By: Martyn Welch <martyn@welchs.me.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
vme: vme_get_size potentially returning incorrect value on failure 2016-10-28T12:25:18+00:00 Martyn Welch martyn@welchs.me.uk 2016-10-21T16:36:19+00:00 6ad37567b6b886121e250036e489d82cde5e5e94 The function vme_get_size returns the size of the window to the caller, however it doesn't check the return value of the call to vme_master_get. Return 0 on failure rather than anything else. Suggested-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Martyn Welch <martyn.welch@collabora.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
The function vme_get_size returns the size of the window to the caller,
however it doesn't check the return value of the call to vme_master_get.

Return 0 on failure rather than anything else.

Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martyn Welch <martyn.welch@collabora.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
vme: fake: remove unexpected unlock in fake_master_set() 2016-09-27T10:43:35+00:00 Wei Yongjun weiyongjun1@huawei.com 2016-09-17T01:57:34+00:00 db08948b97180a3c9f49ce91caf1fb643a8110be image->lock is unlocked in some error handling path without take the lock, so remove those unexpected unlock. Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver") Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
image->lock is unlocked in some error handling path without take the
lock, so remove those unexpected unlock.

Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
vme: fake: mark symbols static where possible 2016-09-27T10:43:34+00:00 Baoyou Xie baoyou.xie@linaro.org 2016-09-23T13:38:28+00:00 58ccaae30322b13c587596adb39408fca2a5ef7f We get 4 warnings when building kernel with W=1: drivers/vme/bridges/vme_fake.c:384:6: warning: no previous prototype for 'fake_lm_check' [-Wmissing-prototypes] drivers/vme/bridges/vme_fake.c:619:6: warning: no previous prototype for 'fake_vmewrite8' [-Wmissing-prototypes] drivers/vme/bridges/vme_fake.c:649:6: warning: no previous prototype for 'fake_vmewrite16' [-Wmissing-prototypes] drivers/vme/bridges/vme_fake.c:679:6: warning: no previous prototype for 'fake_vmewrite32' [-Wmissing-prototypes] In fact, these functions are only used in the file in which they are declared and don't need a declaration, but can be made static. so this patch marks these functions with 'static'. Signed-off-by: Baoyou Xie <baoyou.xie@linaro.org> Acked-by: Martyn Welch <martyn@welchs.me.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
We get 4 warnings when building kernel with W=1:
drivers/vme/bridges/vme_fake.c:384:6: warning: no previous prototype for 'fake_lm_check' [-Wmissing-prototypes]
drivers/vme/bridges/vme_fake.c:619:6: warning: no previous prototype for 'fake_vmewrite8' [-Wmissing-prototypes]
drivers/vme/bridges/vme_fake.c:649:6: warning: no previous prototype for 'fake_vmewrite16' [-Wmissing-prototypes]
drivers/vme/bridges/vme_fake.c:679:6: warning: no previous prototype for 'fake_vmewrite32' [-Wmissing-prototypes]

In fact, these functions are only used in the file in which they are
declared and don't need a declaration, but can be made static.
so this patch marks these functions with 'static'.

Signed-off-by: Baoyou Xie <baoyou.xie@linaro.org>
Acked-by: Martyn Welch <martyn@welchs.me.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
vme: fake: fix build for 64-bit dma_addr_t 2016-09-13T15:30:17+00:00 Arnd Bergmann arnd@arndb.de 2016-09-06T12:59:41+00:00 4b7b948b1fcde59d9a0085237be0060e825216fc casting between dma_addr_t and a pointer is generally tricky, as they might not be the same size and almost never point into the same address space. With 32-bit ARM systems and LPAE, we get this warning for the vme_fake driver that stores a pointer in a dma_addr_t variable: drivers/vme/bridges/vme_fake.c: In function 'fake_slave_set': drivers/vme/bridges/vme_fake.c:204:29: error: assignment makes pointer from integer without a cast [-Werror=int-conversion] To make this clearer while fixing the warning, I'm adding a set of helper functions for the type conversion. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Martyn Welch <martyn@welchs.me.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
casting between dma_addr_t and a pointer is generally tricky,
as they might not be the same size and almost never point into
the same address space. With 32-bit ARM systems and LPAE, we
get this warning for the vme_fake driver that stores a pointer
in a dma_addr_t variable:

drivers/vme/bridges/vme_fake.c: In function 'fake_slave_set':
drivers/vme/bridges/vme_fake.c:204:29: error: assignment makes pointer from integer without a cast [-Werror=int-conversion]

To make this clearer while fixing the warning, I'm adding
a set of helper functions for the type conversion.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Martyn Welch <martyn@welchs.me.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
vme: Adding Fake VME driver 2016-08-31T11:21:12+00:00 Martyn Welch martyn@welchs.me.uk 2016-07-07T18:51:52+00:00 658bcdae9c6755806e66b33e29d56b33a3ff421a This patch introduces a fake VME bridge driver. This driver currently emulates a subset of the VME bridge functionality. This allows some VME subsystem development and even some VME device driver development to be carried out in the absence of a proper VME bus. Signed-off-by: Martyn Welch <martyn@welchs.me.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
This patch introduces a fake VME bridge driver. This driver currently
emulates a subset of the VME bridge functionality. This allows some VME
subsystem development and even some VME device driver development to be
carried out in the absence of a proper VME bus.

Signed-off-by: Martyn Welch <martyn@welchs.me.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>