[PATCH] staging: vc04_services: vchiq_arm: Fix NULL ptr dereferences

[PATCH] staging: vc04_services: vchiq_arm: Fix NULL ptr dereferences

[Stefan Wahren]

The commit 8c9753f63905 ("staging: vc04_services: vchiq_arm: Drop
g_cache_line_size") introduced NULL pointer dereferences by
messing up usage of device driver data. But the real issue here
is the mixed usage of platform and device driver data. So fix
this by switching completely to device driver data.

Fixes: 8c9753f63905 ("staging: vc04_services: vchiq_arm: Drop g_cache_line_size")
Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
---
 .../staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
index 502ddc0f6e46..3b032d987f0c 100644
--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
@@ -257,7 +257,7 @@ create_pagelist(struct vchiq_instance *instance, char *buf, char __user *ubuf,
 	if (count >= INT_MAX - PAGE_SIZE)
 		return NULL;

-	drv_mgmt = dev_get_drvdata(instance->state->dev->parent);
+	drv_mgmt = dev_get_drvdata(instance->state->dev);

 	if (buf)
 		offset = (uintptr_t)buf & (PAGE_SIZE - 1);
@@ -436,7 +436,7 @@ free_pagelist(struct vchiq_instance *instance, struct vchiq_pagelist_info *pagel

 	dev_dbg(instance->state->dev, "arm: %pK, %d\n", pagelistinfo->pagelist, actual);

-	drv_mgmt = dev_get_drvdata(instance->state->dev->parent);
+	drv_mgmt = dev_get_drvdata(instance->state->dev);

 	/*
 	 * NOTE: dma_unmap_sg must be called before the
@@ -497,7 +497,7 @@ free_pagelist(struct vchiq_instance *instance, struct vchiq_pagelist_info *pagel
 static int vchiq_platform_init(struct platform_device *pdev, struct vchiq_state *state)
 {
 	struct device *dev = &pdev->dev;
-	struct vchiq_drv_mgmt *drv_mgmt = platform_get_drvdata(pdev);
+	struct vchiq_drv_mgmt *drv_mgmt = dev_get_drvdata(dev);
 	struct rpi_firmware *fw = drv_mgmt->fw;
 	struct vchiq_slot_zero *vchiq_slot_zero;
 	void *slot_mem;
@@ -1753,7 +1753,7 @@ static int vchiq_probe(struct platform_device *pdev)
 		return -EPROBE_DEFER;

 	mgmt->info = info;
-	platform_set_drvdata(pdev, mgmt);
+	dev_set_drvdata(&pdev->dev, mgmt);

 	err = vchiq_platform_init(pdev, &mgmt->state);
 	if (err)
--
2.34.1

Re: [PATCH] staging: vc04_services: vchiq_arm: Fix NULL ptr dereferences

[Laurent Pinchart]

Hi Stefan,

Thank you for the patch.

On Fri, Apr 19, 2024 at 04:26:50PM +0200, Stefan Wahren wrote:
> The commit 8c9753f63905 ("staging: vc04_services: vchiq_arm: Drop
> g_cache_line_size") introduced NULL pointer dereferences by
> messing up usage of device driver data. But the real issue here
> is the mixed usage of platform and device driver data. So fix
> this by switching completely to device driver data.
> 
> Fixes: 8c9753f63905 ("staging: vc04_services: vchiq_arm: Drop g_cache_line_size")
> Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
> ---
>  .../staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
> index 502ddc0f6e46..3b032d987f0c 100644
> --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
> +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
> @@ -257,7 +257,7 @@ create_pagelist(struct vchiq_instance *instance, char *buf, char __user *ubuf,
>  	if (count >= INT_MAX - PAGE_SIZE)
>  		return NULL;
> 
> -	drv_mgmt = dev_get_drvdata(instance->state->dev->parent);
> +	drv_mgmt = dev_get_drvdata(instance->state->dev);
> 
>  	if (buf)
>  		offset = (uintptr_t)buf & (PAGE_SIZE - 1);
> @@ -436,7 +436,7 @@ free_pagelist(struct vchiq_instance *instance, struct vchiq_pagelist_info *pagel
> 
>  	dev_dbg(instance->state->dev, "arm: %pK, %d\n", pagelistinfo->pagelist, actual);
> 
> -	drv_mgmt = dev_get_drvdata(instance->state->dev->parent);
> +	drv_mgmt = dev_get_drvdata(instance->state->dev);
> 
>  	/*
>  	 * NOTE: dma_unmap_sg must be called before the
> @@ -497,7 +497,7 @@ free_pagelist(struct vchiq_instance *instance, struct vchiq_pagelist_info *pagel
>  static int vchiq_platform_init(struct platform_device *pdev, struct vchiq_state *state)
>  {
>  	struct device *dev = &pdev->dev;
> -	struct vchiq_drv_mgmt *drv_mgmt = platform_get_drvdata(pdev);
> +	struct vchiq_drv_mgmt *drv_mgmt = dev_get_drvdata(dev);

This hunk and the next one seem to be no-ops. Did you intend to make
cosmetic changes here, or was something overlooked ?

>  	struct rpi_firmware *fw = drv_mgmt->fw;
>  	struct vchiq_slot_zero *vchiq_slot_zero;
>  	void *slot_mem;
> @@ -1753,7 +1753,7 @@ static int vchiq_probe(struct platform_device *pdev)
>  		return -EPROBE_DEFER;
> 
>  	mgmt->info = info;
> -	platform_set_drvdata(pdev, mgmt);
> +	dev_set_drvdata(&pdev->dev, mgmt);
> 
>  	err = vchiq_platform_init(pdev, &mgmt->state);
>  	if (err)

-- 
Regards,

Laurent Pinchart

Re: [PATCH] staging: vc04_services: vchiq_arm: Fix NULL ptr dereferences

[Stefan Wahren]

Hi Laurent,

Am 19.04.24 um 16:44 schrieb Laurent Pinchart:
> Hi Stefan,
>
> Thank you for the patch.
>
> On Fri, Apr 19, 2024 at 04:26:50PM +0200, Stefan Wahren wrote:
>> The commit 8c9753f63905 ("staging: vc04_services: vchiq_arm: Drop
>> g_cache_line_size") introduced NULL pointer dereferences by
>> messing up usage of device driver data. But the real issue here
>> is the mixed usage of platform and device driver data. So fix
>> this by switching completely to device driver data.
>>
>> Fixes: 8c9753f63905 ("staging: vc04_services: vchiq_arm: Drop g_cache_line_size")
>> Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
>> ---
>>   .../staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 8 ++++----
>>   1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
>> index 502ddc0f6e46..3b032d987f0c 100644
>> --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
>> +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
>> @@ -257,7 +257,7 @@ create_pagelist(struct vchiq_instance *instance, char *buf, char __user *ubuf,
>>   	if (count >= INT_MAX - PAGE_SIZE)
>>   		return NULL;
>>
>> -	drv_mgmt = dev_get_drvdata(instance->state->dev->parent);
>> +	drv_mgmt = dev_get_drvdata(instance->state->dev);
>>
>>   	if (buf)
>>   		offset = (uintptr_t)buf & (PAGE_SIZE - 1);
>> @@ -436,7 +436,7 @@ free_pagelist(struct vchiq_instance *instance, struct vchiq_pagelist_info *pagel
>>
>>   	dev_dbg(instance->state->dev, "arm: %pK, %d\n", pagelistinfo->pagelist, actual);
>>
>> -	drv_mgmt = dev_get_drvdata(instance->state->dev->parent);
>> +	drv_mgmt = dev_get_drvdata(instance->state->dev);
>>
>>   	/*
>>   	 * NOTE: dma_unmap_sg must be called before the
>> @@ -497,7 +497,7 @@ free_pagelist(struct vchiq_instance *instance, struct vchiq_pagelist_info *pagel
>>   static int vchiq_platform_init(struct platform_device *pdev, struct vchiq_state *state)
>>   {
>>   	struct device *dev = &pdev->dev;
>> -	struct vchiq_drv_mgmt *drv_mgmt = platform_get_drvdata(pdev);
>> +	struct vchiq_drv_mgmt *drv_mgmt = dev_get_drvdata(dev);
> This hunk and the next one seem to be no-ops. Did you intend to make
> cosmetic changes here, or was something overlooked ?
Yes it was intended. But you are right, i should split it.
>
>>   	struct rpi_firmware *fw = drv_mgmt->fw;
>>   	struct vchiq_slot_zero *vchiq_slot_zero;
>>   	void *slot_mem;
>> @@ -1753,7 +1753,7 @@ static int vchiq_probe(struct platform_device *pdev)
>>   		return -EPROBE_DEFER;
>>
>>   	mgmt->info = info;
>> -	platform_set_drvdata(pdev, mgmt);
>> +	dev_set_drvdata(&pdev->dev, mgmt);
>>
>>   	err = vchiq_platform_init(pdev, &mgmt->state);
>>   	if (err)