June 2024 - greybus-dev - lists.linaro.org

[PATCH v2] greybus: add missing MODULE_DESCRIPTION() macros

by Jeff Johnson

make allmodconfig && make W=1 C=1 reports: WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/greybus/greybus.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/greybus/gb-es2.o Add all missing invocations of the MODULE_DESCRIPTION() macro. Acked-by: Alex Elder <elder(a)kernel.org> Signed-off-by: Jeff Johnson <quic_jjohnson(a)quicinc.com> --- Changes in v2: - Dropped the single quotes at the suggestion of Alex and pulled in his Acked-by tag - Link to v1: https://lore.kernel.org/r/20240607-md-drivers-greybus-v1-1-31faa0b21105@qui… --- drivers/greybus/core.c | 1 + drivers/greybus/es2.c | 1 + 2 files changed, 2 insertions(+) diff --git a/drivers/greybus/core.c b/drivers/greybus/core.c index 95c09d4f3a86..33a47e73f0fa 100644 --- a/drivers/greybus/core.c +++ b/drivers/greybus/core.c @@ -375,5 +375,6 @@ static void __exit gb_exit(void) tracepoint_synchronize_unregister(); } module_exit(gb_exit); +MODULE_DESCRIPTION("Greybus core driver"); MODULE_LICENSE("GPL v2"); MODULE_AUTHOR("Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>"); diff --git a/drivers/greybus/es2.c b/drivers/greybus/es2.c index 1ee78d0d90b4..69e46b1dff1f 100644 --- a/drivers/greybus/es2.c +++ b/drivers/greybus/es2.c @@ -1456,5 +1456,6 @@ static struct usb_driver es2_ap_driver = { module_usb_driver(es2_ap_driver); +MODULE_DESCRIPTION("Greybus AP USB driver for ES2 controller chips"); MODULE_LICENSE("GPL v2"); MODULE_AUTHOR("Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>"); --- base-commit: 19ca0d8a433ff37018f9429f7e7739e9f3d3d2b4 change-id: 20240607-md-drivers-greybus-a13b64e41256

3 months, 3 weeks

1
0
0 0

[PATCH] greybus: add missing MODULE_DESCRIPTION() macros

by Jeff Johnson

make allmodconfig && make W=1 C=1 reports: WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/greybus/greybus.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/greybus/gb-es2.o Add all missing invocations of the MODULE_DESCRIPTION() macro. Signed-off-by: Jeff Johnson <quic_jjohnson(a)quicinc.com> --- drivers/greybus/core.c | 1 + drivers/greybus/es2.c | 1 + 2 files changed, 2 insertions(+) diff --git a/drivers/greybus/core.c b/drivers/greybus/core.c index 95c09d4f3a86..c28bb973f67c 100644 --- a/drivers/greybus/core.c +++ b/drivers/greybus/core.c @@ -375,5 +375,6 @@ static void __exit gb_exit(void) tracepoint_synchronize_unregister(); } module_exit(gb_exit); +MODULE_DESCRIPTION("Greybus 'core' driver"); MODULE_LICENSE("GPL v2"); MODULE_AUTHOR("Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>"); diff --git a/drivers/greybus/es2.c b/drivers/greybus/es2.c index 1ee78d0d90b4..db4d033925e6 100644 --- a/drivers/greybus/es2.c +++ b/drivers/greybus/es2.c @@ -1456,5 +1456,6 @@ static struct usb_driver es2_ap_driver = { module_usb_driver(es2_ap_driver); +MODULE_DESCRIPTION("Greybus 'AP' USB driver for 'ES2' controller chips"); MODULE_LICENSE("GPL v2"); MODULE_AUTHOR("Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>"); --- base-commit: 19ca0d8a433ff37018f9429f7e7739e9f3d3d2b4 change-id: 20240607-md-drivers-greybus-a13b64e41256

3 months, 3 weeks

2
3
0 0

[PATCH] gpiolib: Remove data-less gpiochip_add() function

by Andrew Davis

GPIO chips should be added with driver-private data associated with the chip. If none is needed, NULL can be used. All users already do this except one, fix that here. With no more users of the base gpiochip_add() we can drop this function so no more users show up later. Signed-off-by: Andrew Davis <afd(a)ti.com> --- Documentation/driver-api/gpio/driver.rst | 5 ++--- drivers/staging/greybus/gpio.c | 2 +- include/linux/gpio/driver.h | 4 ---- 3 files changed, 3 insertions(+), 8 deletions(-) diff --git a/Documentation/driver-api/gpio/driver.rst b/Documentation/driver-api/gpio/driver.rst index e541bd2e898b5..ae433261e11a0 100644 --- a/Documentation/driver-api/gpio/driver.rst +++ b/Documentation/driver-api/gpio/driver.rst @@ -69,9 +69,8 @@ driver code: The code implementing a gpio_chip should support multiple instances of the controller, preferably using the driver model. That code will configure each -gpio_chip and issue gpiochip_add(), gpiochip_add_data(), or -devm_gpiochip_add_data(). Removing a GPIO controller should be rare; use -gpiochip_remove() when it is unavoidable. +gpio_chip and issue gpiochip_add_data() or devm_gpiochip_add_data(). Removing +a GPIO controller should be rare; use gpiochip_remove() when it is unavoidable. Often a gpio_chip is part of an instance-specific structure with states not exposed by the GPIO interfaces, such as addressing, power management, and more. diff --git a/drivers/staging/greybus/gpio.c b/drivers/staging/greybus/gpio.c index 2a115a8fc263f..5217aacfcf54c 100644 --- a/drivers/staging/greybus/gpio.c +++ b/drivers/staging/greybus/gpio.c @@ -579,7 +579,7 @@ static int gb_gpio_probe(struct gbphy_device *gbphy_dev, if (ret) goto exit_line_free; - ret = gpiochip_add(gpio); + ret = gpiochip_add_data(gpio, NULL); if (ret) { dev_err(&gbphy_dev->dev, "failed to add gpio chip: %d\n", ret); goto exit_line_free; diff --git a/include/linux/gpio/driver.h b/include/linux/gpio/driver.h index 0032bb6e7d8fe..6d31388dde0ab 100644 --- a/include/linux/gpio/driver.h +++ b/include/linux/gpio/driver.h @@ -632,10 +632,6 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data, devm_gpiochip_add_data_with_key(dev, gc, data, NULL, NULL) #endif /* CONFIG_LOCKDEP */ -static inline int gpiochip_add(struct gpio_chip *gc) -{ - return gpiochip_add_data(gc, NULL); -} void gpiochip_remove(struct gpio_chip *gc); int devm_gpiochip_add_data_with_key(struct device *dev, struct gpio_chip *gc, void *data, struct lock_class_key *lock_key, -- 2.39.2

4 months, 1 week

3
2
0 0

[PATCH] staging: greybus: add missing MODULE_DESCRIPTION() macros

by Jeff Johnson

make allmodconfig && make W=1 C=1 reports: WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-bootrom.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-spilib.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-hid.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-light.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-log.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-loopback.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-power-supply.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-raw.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-vibrator.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-audio-manager.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-gbphy.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-gpio.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-i2c.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-pwm.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-sdio.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-spi.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-uart.o WARNING: modpost: missing MODULE_DESCRIPTION() in drivers/staging/greybus/gb-usb.o Add all missing invocations of the MODULE_DESCRIPTION() macro. Signed-off-by: Jeff Johnson <quic_jjohnson(a)quicinc.com> --- drivers/staging/greybus/audio_manager.c | 1 + drivers/staging/greybus/bootrom.c | 1 + drivers/staging/greybus/camera.c | 1 + drivers/staging/greybus/gbphy.c | 1 + drivers/staging/greybus/gpio.c | 1 + drivers/staging/greybus/hid.c | 1 + drivers/staging/greybus/i2c.c | 1 + drivers/staging/greybus/light.c | 1 + drivers/staging/greybus/log.c | 1 + drivers/staging/greybus/loopback.c | 1 + drivers/staging/greybus/power_supply.c | 1 + drivers/staging/greybus/pwm.c | 1 + drivers/staging/greybus/raw.c | 1 + drivers/staging/greybus/sdio.c | 1 + drivers/staging/greybus/spi.c | 1 + drivers/staging/greybus/spilib.c | 1 + drivers/staging/greybus/uart.c | 1 + drivers/staging/greybus/usb.c | 1 + drivers/staging/greybus/vibrator.c | 1 + 19 files changed, 19 insertions(+) diff --git a/drivers/staging/greybus/audio_manager.c b/drivers/staging/greybus/audio_manager.c index fa43d35bbcec..27ca5f796c5f 100644 --- a/drivers/staging/greybus/audio_manager.c +++ b/drivers/staging/greybus/audio_manager.c @@ -182,5 +182,6 @@ static void __exit manager_exit(void) module_init(manager_init); module_exit(manager_exit); +MODULE_DESCRIPTION("Greybus audio operations manager"); MODULE_LICENSE("GPL"); MODULE_AUTHOR("Svetlin Ankov <ankov_svetlin(a)projectara.com>"); diff --git a/drivers/staging/greybus/bootrom.c b/drivers/staging/greybus/bootrom.c index c0d338db6b52..d4d86b3898de 100644 --- a/drivers/staging/greybus/bootrom.c +++ b/drivers/staging/greybus/bootrom.c @@ -522,4 +522,5 @@ static struct greybus_driver gb_bootrom_driver = { module_greybus_driver(gb_bootrom_driver); +MODULE_DESCRIPTION("BOOTROM Greybus driver"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/camera.c b/drivers/staging/greybus/camera.c index b8b2bdfa59e5..ca71023df447 100644 --- a/drivers/staging/greybus/camera.c +++ b/drivers/staging/greybus/camera.c @@ -1374,4 +1374,5 @@ static struct greybus_driver gb_camera_driver = { module_greybus_driver(gb_camera_driver); +MODULE_DESCRIPTION("Greybus Camera protocol driver."); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/gbphy.c b/drivers/staging/greybus/gbphy.c index d827f03f5253..d992db8d45cb 100644 --- a/drivers/staging/greybus/gbphy.c +++ b/drivers/staging/greybus/gbphy.c @@ -354,4 +354,5 @@ static void __exit gbphy_exit(void) } module_exit(gbphy_exit); +MODULE_DESCRIPTION("Greybus Bridged-Phy Bus driver"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/gpio.c b/drivers/staging/greybus/gpio.c index 2a115a8fc263..4f940b0595e8 100644 --- a/drivers/staging/greybus/gpio.c +++ b/drivers/staging/greybus/gpio.c @@ -631,4 +631,5 @@ static struct gbphy_driver gpio_driver = { }; module_gbphy_driver(gpio_driver); +MODULE_DESCRIPTION("GPIO Greybus driver"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/hid.c b/drivers/staging/greybus/hid.c index 15335c38cb26..63c77a3df591 100644 --- a/drivers/staging/greybus/hid.c +++ b/drivers/staging/greybus/hid.c @@ -516,4 +516,5 @@ static struct greybus_driver gb_hid_driver = { }; module_greybus_driver(gb_hid_driver); +MODULE_DESCRIPTION("HID class driver for the Greybus"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/i2c.c b/drivers/staging/greybus/i2c.c index 22325ab9d652..14f1ff6d448c 100644 --- a/drivers/staging/greybus/i2c.c +++ b/drivers/staging/greybus/i2c.c @@ -318,4 +318,5 @@ static struct gbphy_driver i2c_driver = { }; module_gbphy_driver(i2c_driver); +MODULE_DESCRIPTION("I2C bridge driver for the Greybus 'generic' I2C module"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/light.c b/drivers/staging/greybus/light.c index 00360f4a0485..e509fdc715db 100644 --- a/drivers/staging/greybus/light.c +++ b/drivers/staging/greybus/light.c @@ -1339,4 +1339,5 @@ static struct greybus_driver gb_lights_driver = { }; module_greybus_driver(gb_lights_driver); +MODULE_DESCRIPTION("Greybus Lights protocol driver"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/log.c b/drivers/staging/greybus/log.c index 971f36dccac6..57dcf9453bf1 100644 --- a/drivers/staging/greybus/log.c +++ b/drivers/staging/greybus/log.c @@ -129,4 +129,5 @@ static struct greybus_driver gb_log_driver = { }; module_greybus_driver(gb_log_driver); +MODULE_DESCRIPTION("Greybus driver for the log protocol"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/loopback.c b/drivers/staging/greybus/loopback.c index 4313d3bbc23a..1f19323b0e1a 100644 --- a/drivers/staging/greybus/loopback.c +++ b/drivers/staging/greybus/loopback.c @@ -1175,4 +1175,5 @@ static void __exit loopback_exit(void) } module_exit(loopback_exit); +MODULE_DESCRIPTION("Loopback bridge driver for the Greybus loopback module"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/power_supply.c b/drivers/staging/greybus/power_supply.c index 75cb170e05fb..2ef46822f676 100644 --- a/drivers/staging/greybus/power_supply.c +++ b/drivers/staging/greybus/power_supply.c @@ -1136,4 +1136,5 @@ static struct greybus_driver gb_power_supply_driver = { }; module_greybus_driver(gb_power_supply_driver); +MODULE_DESCRIPTION("Power Supply driver for a Greybus module"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/pwm.c b/drivers/staging/greybus/pwm.c index 01883fbcd79b..1cb7b9089ead 100644 --- a/drivers/staging/greybus/pwm.c +++ b/drivers/staging/greybus/pwm.c @@ -327,4 +327,5 @@ static struct gbphy_driver pwm_driver = { }; module_gbphy_driver(pwm_driver); +MODULE_DESCRIPTION("PWM Greybus driver"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/raw.c b/drivers/staging/greybus/raw.c index 836d35e5fa85..71de6776739c 100644 --- a/drivers/staging/greybus/raw.c +++ b/drivers/staging/greybus/raw.c @@ -377,4 +377,5 @@ static void __exit raw_exit(void) } module_exit(raw_exit); +MODULE_DESCRIPTION("Greybus driver for the Raw protocol"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/sdio.c b/drivers/staging/greybus/sdio.c index 25bee5335c70..5326ea372b24 100644 --- a/drivers/staging/greybus/sdio.c +++ b/drivers/staging/greybus/sdio.c @@ -880,4 +880,5 @@ static struct gbphy_driver sdio_driver = { }; module_gbphy_driver(sdio_driver); +MODULE_DESCRIPTION("SD/MMC Greybus driver"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/spi.c b/drivers/staging/greybus/spi.c index 68e8d272db6d..45ea8d1bdd51 100644 --- a/drivers/staging/greybus/spi.c +++ b/drivers/staging/greybus/spi.c @@ -75,4 +75,5 @@ static struct gbphy_driver spi_driver = { }; module_gbphy_driver(spi_driver); +MODULE_DESCRIPTION("Greybus SPI bridge PHY driver"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/spilib.c b/drivers/staging/greybus/spilib.c index 34f10685139f..0e4ae01eb00f 100644 --- a/drivers/staging/greybus/spilib.c +++ b/drivers/staging/greybus/spilib.c @@ -567,4 +567,5 @@ void gb_spilib_master_exit(struct gb_connection *connection) } EXPORT_SYMBOL_GPL(gb_spilib_master_exit); +MODULE_DESCRIPTION("Greybus SPI library"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/uart.c b/drivers/staging/greybus/uart.c index 999ce613dca8..cdf4ebb93b10 100644 --- a/drivers/staging/greybus/uart.c +++ b/drivers/staging/greybus/uart.c @@ -1024,4 +1024,5 @@ static void gb_uart_driver_exit(void) } module_exit(gb_uart_driver_exit); +MODULE_DESCRIPTION("UART driver for the Greybus 'generic' UART module"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/usb.c b/drivers/staging/greybus/usb.c index b7badf87a3f0..475f24f20cd4 100644 --- a/drivers/staging/greybus/usb.c +++ b/drivers/staging/greybus/usb.c @@ -242,4 +242,5 @@ static struct gbphy_driver usb_driver = { }; module_gbphy_driver(usb_driver); +MODULE_DESCRIPTION("USB host driver for the Greybus 'generic' USB module"); MODULE_LICENSE("GPL v2"); diff --git a/drivers/staging/greybus/vibrator.c b/drivers/staging/greybus/vibrator.c index 89bef8045549..ee112aa13ff1 100644 --- a/drivers/staging/greybus/vibrator.c +++ b/drivers/staging/greybus/vibrator.c @@ -245,4 +245,5 @@ static __exit void gb_vibrator_exit(void) } module_exit(gb_vibrator_exit); +MODULE_DESCRIPTION("Greybus Vibrator protocol driver"); MODULE_LICENSE("GPL v2"); --- base-commit: 19ca0d8a433ff37018f9429f7e7739e9f3d3d2b4 change-id: 20240607-md-drivers-staging-greybus-e046a1abe436

4 months, 2 weeks

1
0
0 0

[PATCH AUTOSEL 5.4 5/5] greybus: Fix use-after-free bug in gb_interface_release due to race condition.

by Sasha Levin

From: Sicong Huang <congei42(a)163.com> [ Upstream commit 5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce ] In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object "intf". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object "intf". The possible execution flow that may lead to the issue is as follows: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (free) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (use) Fix it by canceling the work before kfree. Signed-off-by: Sicong Huang <congei42(a)163.com> Link: https://lore.kernel.org/r/20240416080313.92306-1-congei42@163.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/greybus/interface.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/greybus/interface.c b/drivers/greybus/interface.c index 67dbe6fda9a13..5412031fb67c5 100644 --- a/drivers/greybus/interface.c +++ b/drivers/greybus/interface.c @@ -694,6 +694,7 @@ static void gb_interface_release(struct device *dev) trace_gb_interface_release(intf); + cancel_work_sync(&intf->mode_switch_work); kfree(intf); } -- 2.43.0

4 months, 2 weeks

1
0
0 0

[PATCH AUTOSEL 5.10 7/7] greybus: Fix use-after-free bug in gb_interface_release due to race condition.

by Sasha Levin

From: Sicong Huang <congei42(a)163.com> [ Upstream commit 5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce ] In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object "intf". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object "intf". The possible execution flow that may lead to the issue is as follows: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (free) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (use) Fix it by canceling the work before kfree. Signed-off-by: Sicong Huang <congei42(a)163.com> Link: https://lore.kernel.org/r/20240416080313.92306-1-congei42@163.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/greybus/interface.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/greybus/interface.c b/drivers/greybus/interface.c index 9ec949a438ef6..52ef6be9d4499 100644 --- a/drivers/greybus/interface.c +++ b/drivers/greybus/interface.c @@ -694,6 +694,7 @@ static void gb_interface_release(struct device *dev) trace_gb_interface_release(intf); + cancel_work_sync(&intf->mode_switch_work); kfree(intf); } -- 2.43.0

4 months, 2 weeks

1
0
0 0

[PATCH AUTOSEL 5.15 9/9] greybus: Fix use-after-free bug in gb_interface_release due to race condition.

by Sasha Levin

From: Sicong Huang <congei42(a)163.com> [ Upstream commit 5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce ] In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object "intf". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object "intf". The possible execution flow that may lead to the issue is as follows: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (free) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (use) Fix it by canceling the work before kfree. Signed-off-by: Sicong Huang <congei42(a)163.com> Link: https://lore.kernel.org/r/20240416080313.92306-1-congei42@163.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/greybus/interface.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/greybus/interface.c b/drivers/greybus/interface.c index 9ec949a438ef6..52ef6be9d4499 100644 --- a/drivers/greybus/interface.c +++ b/drivers/greybus/interface.c @@ -694,6 +694,7 @@ static void gb_interface_release(struct device *dev) trace_gb_interface_release(intf); + cancel_work_sync(&intf->mode_switch_work); kfree(intf); } -- 2.43.0

4 months, 2 weeks

1
0
0 0

[PATCH AUTOSEL 6.1 12/12] greybus: Fix use-after-free bug in gb_interface_release due to race condition.

by Sasha Levin

From: Sicong Huang <congei42(a)163.com> [ Upstream commit 5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce ] In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object "intf". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object "intf". The possible execution flow that may lead to the issue is as follows: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (free) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (use) Fix it by canceling the work before kfree. Signed-off-by: Sicong Huang <congei42(a)163.com> Link: https://lore.kernel.org/r/20240416080313.92306-1-congei42@163.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/greybus/interface.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/greybus/interface.c b/drivers/greybus/interface.c index 9ec949a438ef6..52ef6be9d4499 100644 --- a/drivers/greybus/interface.c +++ b/drivers/greybus/interface.c @@ -694,6 +694,7 @@ static void gb_interface_release(struct device *dev) trace_gb_interface_release(intf); + cancel_work_sync(&intf->mode_switch_work); kfree(intf); } -- 2.43.0

4 months, 2 weeks

1
0
0 0

[PATCH AUTOSEL 6.6 16/20] greybus: Fix use-after-free bug in gb_interface_release due to race condition.

by Sasha Levin

From: Sicong Huang <congei42(a)163.com> [ Upstream commit 5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce ] In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object "intf". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object "intf". The possible execution flow that may lead to the issue is as follows: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (free) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (use) Fix it by canceling the work before kfree. Signed-off-by: Sicong Huang <congei42(a)163.com> Link: https://lore.kernel.org/r/20240416080313.92306-1-congei42@163.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/greybus/interface.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/greybus/interface.c b/drivers/greybus/interface.c index 9ec949a438ef6..52ef6be9d4499 100644 --- a/drivers/greybus/interface.c +++ b/drivers/greybus/interface.c @@ -694,6 +694,7 @@ static void gb_interface_release(struct device *dev) trace_gb_interface_release(intf); + cancel_work_sync(&intf->mode_switch_work); kfree(intf); } -- 2.43.0

4 months, 2 weeks

1
0
0 0

[PATCH AUTOSEL 6.8 18/24] greybus: Fix use-after-free bug in gb_interface_release due to race condition.

by Sasha Levin

From: Sicong Huang <congei42(a)163.com> [ Upstream commit 5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce ] In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object "intf". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object "intf". The possible execution flow that may lead to the issue is as follows: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (free) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (use) Fix it by canceling the work before kfree. Signed-off-by: Sicong Huang <congei42(a)163.com> Link: https://lore.kernel.org/r/20240416080313.92306-1-congei42@163.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/greybus/interface.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/greybus/interface.c b/drivers/greybus/interface.c index 9ec949a438ef6..52ef6be9d4499 100644 --- a/drivers/greybus/interface.c +++ b/drivers/greybus/interface.c @@ -694,6 +694,7 @@ static void gb_interface_release(struct device *dev) trace_gb_interface_release(intf); + cancel_work_sync(&intf->mode_switch_work); kfree(intf); } -- 2.43.0

4 months, 2 weeks

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

greybus-dev June 2024