greybus-dev

greybus-dev@lists.linaro.org

548 discussions

[PATCH AUTOSEL 5.15 9/9] greybus: Fix use-after-free bug in gb_interface_release due to race condition.

by Sasha Levin

From: Sicong Huang <congei42(a)163.com> [ Upstream commit 5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce ] In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object "intf". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object "intf". The possible execution flow that may lead to the issue is as follows: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (free) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (use) Fix it by canceling the work before kfree. Signed-off-by: Sicong Huang <congei42(a)163.com> Link: https://lore.kernel.org/r/20240416080313.92306-1-congei42@163.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/greybus/interface.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/greybus/interface.c b/drivers/greybus/interface.c index 9ec949a438ef6..52ef6be9d4499 100644 --- a/drivers/greybus/interface.c +++ b/drivers/greybus/interface.c @@ -694,6 +694,7 @@ static void gb_interface_release(struct device *dev) trace_gb_interface_release(intf); + cancel_work_sync(&intf->mode_switch_work); kfree(intf); } -- 2.43.0

8 months, 2 weeks

[PATCH AUTOSEL 6.1 12/12] greybus: Fix use-after-free bug in gb_interface_release due to race condition.

by Sasha Levin

8 months, 2 weeks

[PATCH AUTOSEL 6.6 16/20] greybus: Fix use-after-free bug in gb_interface_release due to race condition.

by Sasha Levin

8 months, 2 weeks

[PATCH AUTOSEL 6.8 18/24] greybus: Fix use-after-free bug in gb_interface_release due to race condition.

by Sasha Levin

8 months, 2 weeks

[PATCH AUTOSEL 6.9 20/28] greybus: Fix use-after-free bug in gb_interface_release due to race condition.

by Sasha Levin

From: Sicong Huang <congei42(a)163.com> [ Upstream commit 5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce ] In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object "intf". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object "intf". The possible execution flow that may lead to the issue is as follows: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (free) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (use) Fix it by canceling the work before kfree. Signed-off-by: Sicong Huang <congei42(a)163.com> Link: https://lore.kernel.org/r/20240416080313.92306-1-congei42@163.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/greybus/interface.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/greybus/interface.c b/drivers/greybus/interface.c index fd58a86b0888d..d022bfb5e95d7 100644 --- a/drivers/greybus/interface.c +++ b/drivers/greybus/interface.c @@ -693,6 +693,7 @@ static void gb_interface_release(struct device *dev) trace_gb_interface_release(intf); + cancel_work_sync(&intf->mode_switch_work); kfree(intf); } -- 2.43.0

8 months, 2 weeks

[PATCH] greybus: audio: remove unused struct gb_mixer_control

by linux＠treblig.org

From: "Dr. David Alan Gilbert" <linux(a)treblig.org> 'gb_mixer_control' is unused since the original commit 6339d2322c47 ("greybus: audio: Add topology parser for GB codec"). Remove it. Signed-off-by: Dr. David Alan Gilbert <linux(a)treblig.org> --- drivers/staging/greybus/audio_topology.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/drivers/staging/greybus/audio_topology.c b/drivers/staging/greybus/audio_topology.c index 5dc4721105d4..6ca938dca4fd 100644 --- a/drivers/staging/greybus/audio_topology.c +++ b/drivers/staging/greybus/audio_topology.c @@ -10,12 +10,6 @@ #define GBAUDIO_INVALID_ID 0xFF -/* mixer control */ -struct gb_mixer_control { - int min, max; - unsigned int reg, rreg, shift, rshift, invert; -}; - struct gbaudio_ctl_pvt { unsigned int ctl_id; unsigned int data_cport; -- 2.45.1

8 months, 3 weeks

[Patch v2] staging: greybus: Replace gcam macros with direct dev log calls

by Jackson Chui

Reported by checkpatch: CHECK: Macro argument 'gcam' may be better as '(gcam)' to avoid precedence issues Inline standard calls to 'dev_*' kernel logging functions, in favor of 'gcam_*' macros, to clear up gcam-related logging. Signed-off-by: Jackson Chui <jacksonchui.qwerty(a)gmail.com> --- Changes in v2: - Inline 'dev_*' logging functions, over wrappers and macros to just use the standard call. - Remove 'gcam_*' macros, since they are no longer used. --- drivers/staging/greybus/camera.c | 58 +++++++++++++++----------------- 1 file changed, 27 insertions(+), 31 deletions(-) diff --git a/drivers/staging/greybus/camera.c b/drivers/staging/greybus/camera.c index a8173aa3a995..b8b2bdfa59e5 100644 --- a/drivers/staging/greybus/camera.c +++ b/drivers/staging/greybus/camera.c @@ -180,10 +180,6 @@ static const struct gb_camera_fmt_info *gb_camera_get_format_info(u16 gb_fmt) #define GB_CAMERA_MAX_SETTINGS_SIZE 8192 -#define gcam_dbg(gcam, format...) dev_dbg(&gcam->bundle->dev, format) -#define gcam_info(gcam, format...) dev_info(&gcam->bundle->dev, format) -#define gcam_err(gcam, format...) dev_err(&gcam->bundle->dev, format) - static int gb_camera_operation_sync_flags(struct gb_connection *connection, int type, unsigned int flags, void *request, size_t request_size, @@ -232,8 +228,8 @@ static int gb_camera_get_max_pkt_size(struct gb_camera *gcam, fmt_info = gb_camera_get_format_info(cfg->format); if (!fmt_info) { - gcam_err(gcam, "unsupported greybus image format: %d\n", - cfg->format); + dev_err(&gcam->bundle->dev, "unsupported greybus image format: %d\n", + cfg->format); return -EIO; } @@ -241,18 +237,18 @@ static int gb_camera_get_max_pkt_size(struct gb_camera *gcam, pkt_size = le32_to_cpu(cfg->max_pkt_size); if (pkt_size == 0) { - gcam_err(gcam, - "Stream %u: invalid zero maximum packet size\n", - i); + dev_err(&gcam->bundle->dev, + "Stream %u: invalid zero maximum packet size\n", + i); return -EIO; } } else { pkt_size = le16_to_cpu(cfg->width) * fmt_info->bpp / 8; if (pkt_size != le32_to_cpu(cfg->max_pkt_size)) { - gcam_err(gcam, - "Stream %u: maximum packet size mismatch (%u/%u)\n", - i, pkt_size, cfg->max_pkt_size); + dev_err(&gcam->bundle->dev, + "Stream %u: maximum packet size mismatch (%u/%u)\n", + i, pkt_size, cfg->max_pkt_size); return -EIO; } } @@ -275,13 +271,13 @@ static const int gb_camera_configure_streams_validate_response(struct gb_camera /* Validate the returned response structure */ if (resp->padding[0] || resp->padding[1]) { - gcam_err(gcam, "response padding != 0\n"); + dev_err(&gcam->bundle->dev, "response padding != 0\n"); return -EIO; } if (resp->num_streams > nstreams) { - gcam_err(gcam, "got #streams %u > request %u\n", - resp->num_streams, nstreams); + dev_err(&gcam->bundle->dev, "got #streams %u > request %u\n", + resp->num_streams, nstreams); return -EIO; } @@ -289,7 +285,7 @@ static const int gb_camera_configure_streams_validate_response(struct gb_camera struct gb_camera_stream_config_response *cfg = &resp->config[i]; if (cfg->padding) { - gcam_err(gcam, "stream #%u padding != 0\n", i); + dev_err(&gcam->bundle->dev, "stream #%u padding != 0\n", i); return -EIO; } } @@ -340,16 +336,16 @@ static int gb_camera_set_power_mode(struct gb_camera *gcam, bool hs) ret = gb_camera_set_intf_power_mode(gcam, intf->interface_id, hs); if (ret < 0) { - gcam_err(gcam, "failed to set module interface to %s (%d)\n", - hs ? "HS" : "PWM", ret); + dev_err(&gcam->bundle->dev, "failed to set module interface to %s (%d)\n", + hs ? "HS" : "PWM", ret); return ret; } ret = gb_camera_set_intf_power_mode(gcam, svc->ap_intf_id, hs); if (ret < 0) { gb_camera_set_intf_power_mode(gcam, intf->interface_id, !hs); - gcam_err(gcam, "failed to set AP interface to %s (%d)\n", - hs ? "HS" : "PWM", ret); + dev_err(&gcam->bundle->dev, "failed to set AP interface to %s (%d)\n", + hs ? "HS" : "PWM", ret); return ret; } @@ -435,7 +431,7 @@ static int gb_camera_setup_data_connection(struct gb_camera *gcam, sizeof(csi_cfg), GB_APB_REQUEST_CSI_TX_CONTROL, false); if (ret < 0) { - gcam_err(gcam, "failed to start the CSI transmitter\n"); + dev_err(&gcam->bundle->dev, "failed to start the CSI transmitter\n"); goto error_power; } @@ -470,7 +466,7 @@ static void gb_camera_teardown_data_connection(struct gb_camera *gcam) GB_APB_REQUEST_CSI_TX_CONTROL, false); if (ret < 0) - gcam_err(gcam, "failed to stop the CSI transmitter\n"); + dev_err(&gcam->bundle->dev, "failed to stop the CSI transmitter\n"); /* Set the UniPro link to low speed mode. */ gb_camera_set_power_mode(gcam, false); @@ -507,7 +503,7 @@ static int gb_camera_capabilities(struct gb_camera *gcam, NULL, 0, (void *)capabilities, size); if (ret) - gcam_err(gcam, "failed to retrieve capabilities: %d\n", ret); + dev_err(&gcam->bundle->dev, "failed to retrieve capabilities: %d\n", ret); done: mutex_unlock(&gcam->mutex); @@ -723,22 +719,22 @@ static int gb_camera_request_handler(struct gb_operation *op) struct gb_message *request; if (op->type != GB_CAMERA_TYPE_METADATA) { - gcam_err(gcam, "Unsupported unsolicited event: %u\n", op->type); + dev_err(&gcam->bundle->dev, "Unsupported unsolicited event: %u\n", op->type); return -EINVAL; } request = op->request; if (request->payload_size < sizeof(*payload)) { - gcam_err(gcam, "Wrong event size received (%zu < %zu)\n", - request->payload_size, sizeof(*payload)); + dev_err(&gcam->bundle->dev, "Wrong event size received (%zu < %zu)\n", + request->payload_size, sizeof(*payload)); return -EINVAL; } payload = request->payload; - gcam_dbg(gcam, "received metadata for request %u, frame %u, stream %u\n", - payload->request_id, payload->frame_number, payload->stream); + dev_dbg(&gcam->bundle->dev, "received metadata for request %u, frame %u, stream %u\n", + payload->request_id, payload->frame_number, payload->stream); return 0; } @@ -1347,15 +1343,15 @@ static int gb_camera_resume(struct device *dev) ret = gb_connection_enable(gcam->connection); if (ret) { - gcam_err(gcam, "failed to enable connection: %d\n", ret); + dev_err(&gcam->bundle->dev, "failed to enable connection: %d\n", ret); return ret; } if (gcam->data_connection) { ret = gb_connection_enable(gcam->data_connection); if (ret) { - gcam_err(gcam, - "failed to enable data connection: %d\n", ret); + dev_err(&gcam->bundle->dev, + "failed to enable data connection: %d\n", ret); return ret; } } -- 2.34.1

10 months

[PATCH v1] greybus: Fix use-after-free bug in gb_interface_release due to race condition.

by Sicong Huang

In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object "intf". However, if gb_interface_mode_switch_work is scheduled to run after kfree, it may cause use-after-free error as gb_interface_mode_switch_work will use the object "intf". The possible execution flow that may lead to the issue is as follows: CPU0 CPU1 | gb_interface_create | gb_interface_request_mode_switch gb_interface_release | kfree(intf) (free) | | gb_interface_mode_switch_work | mutex_lock(&intf->mutex) (use) Fix it by canceling the work before kfree. Signed-off-by: Sicong Huang <congei42(a)163.com> --- drivers/greybus/interface.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/greybus/interface.c b/drivers/greybus/interface.c index fd58a86b0888..d022bfb5e95d 100644 --- a/drivers/greybus/interface.c +++ b/drivers/greybus/interface.c @@ -693,6 +693,7 @@ static void gb_interface_release(struct device *dev) trace_gb_interface_release(intf); + cancel_work_sync(&intf->mode_switch_work); kfree(intf); } -- 2.34.1

10 months, 1 week

Re: Bug report: greybus/interface.c: use-after-free bug in gb_interface_release due to race condition

by Greg KH

On Tue, Apr 16, 2024 at 11:00:25AM +0800, sicong wrote: > greybus/interface.c: use-after-free bug in gb_interface_release due to > race condition. > > In gb_interface_create, &intf->mode_switch_completion is bound with > gb_interface_mode_switch_work. Then it will be started by > gb_interface_request_mode_switch. Here is the code. > if (!queue_work(system_long_wq, &intf->mode_switch_work)) { > ... > } > > If we call gb_interface_release to make cleanup, there may be an > unfinished work. This function will call kfree to free the object > "intf". However, if gb_interface_mode_switch_work is scheduled to > run after kfree, it may cause use-after-free error as > gb_interface_mode_switch_work will use the object "intf". > The possible execution flow that may lead to the issue is as follows: > > CPU0 CPU1 > > | gb_interface_create > | gb_interface_request_mode_switch > gb_interface_release | > kfree(intf) (free) | > | gb_interface_mode_switch_work > | mutex_lock(&intf->mutex) (use) > > This bug may be fixed by adding the following code before kfree. > cancel_work_sync(&intf->mode_switch_work); Wonderful, please submit a patch with this information and we will be glad to review it. thanks, greg k-h

10 months, 1 week

[PATCH v3 0/8] misc: Add mikroBUS driver

by Ayush Singh

MikroBUS is an open standard developed by MikroElektronika for connecting add-on boards to microcontrollers or microprocessors. It essentially allows you to easily expand the functionality of your main boards using these add-on boards. This patchset adds mikroBUS as a Linux bus type and provides a driver to parse, and flash mikroBUS manifest and register the mikroBUS board. The v1 and v2 of this patchset was submitted by Vaishnav M A back in 2020. This patchset also includes changes made over the years as part of BeagleBoards kernel. Link: https://www.mikroe.com/mikrobus Link: https://docs.beagleboard.org/latest/boards/beagleplay/ Link: https://lore.kernel.org/lkml/20200818124815.11029-1-vaishnav@beagleboard.or… Patch v2 Changes in v3: - Use phandle instead of busname for spi - Use spi board info for registering new device - Convert dt bindings to yaml - Add support for clickID - Code cleanup and style changes - Additions required to spi, serdev, w1 and regulator subsystems Changes in v2: - support for adding mikroBUS ports from DT overlays, - remove debug sysFS interface for adding mikrobus ports, - consider extended pin usage/deviations from mikrobus standard specifications - use greybus CPort protocol enum instead of new protocol enums - Fix cases of wrong indentation, ignoring return values, freeing allocated resources in case of errors and other style suggestions in v1 review. Ayush Singh (7): dt-bindings: misc: Add mikrobus-connector w1: Add w1_find_master_device spi: Make of_find_spi_controller_by_node() available regulator: fixed-helper: export regulator_register_always_on greybus: Add mikroBUS manifest types mikrobus: Add mikrobus driver dts: ti: k3-am625-beagleplay: Add mikroBUS Vaishnav M A (1): serdev: add of_ helper to get serdev controller .../bindings/misc/mikrobus-connector.yaml | 110 ++ MAINTAINERS | 7 + .../arm64/boot/dts/ti/k3-am625-beagleplay.dts | 76 +- drivers/misc/Kconfig | 1 + drivers/misc/Makefile | 1 + drivers/misc/mikrobus/Kconfig | 19 + drivers/misc/mikrobus/Makefile | 6 + drivers/misc/mikrobus/mikrobus_core.c | 942 ++++++++++++++++++ drivers/misc/mikrobus/mikrobus_core.h | 201 ++++ drivers/misc/mikrobus/mikrobus_id.c | 229 +++++ drivers/misc/mikrobus/mikrobus_manifest.c | 502 ++++++++++ drivers/misc/mikrobus/mikrobus_manifest.h | 20 + drivers/regulator/fixed-helper.c | 1 + drivers/spi/spi.c | 206 ++-- drivers/tty/serdev/core.c | 19 + drivers/w1/w1.c | 6 +- drivers/w1/w1_int.c | 27 + include/linux/greybus/greybus_manifest.h | 49 + include/linux/serdev.h | 4 + include/linux/spi/spi.h | 4 + include/linux/w1.h | 1 + 21 files changed, 2318 insertions(+), 113 deletions(-) create mode 100644 Documentation/devicetree/bindings/misc/mikrobus-connector.yaml create mode 100644 drivers/misc/mikrobus/Kconfig create mode 100644 drivers/misc/mikrobus/Makefile create mode 100644 drivers/misc/mikrobus/mikrobus_core.c create mode 100644 drivers/misc/mikrobus/mikrobus_core.h create mode 100644 drivers/misc/mikrobus/mikrobus_id.c create mode 100644 drivers/misc/mikrobus/mikrobus_manifest.c create mode 100644 drivers/misc/mikrobus/mikrobus_manifest.h base-commit: 61996c073c9b070922ad3a36c981ca6ddbea19a5 -- 2.44.0

10 months, 1 week

← Newer
1
2
3
4
5
6
7
...
55
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

greybus-dev