linux-clk.vger.kernel.org archive mirror
* [PATCH] clk: Fix referring to wrong pointer in devm_clk_release()
@ 2022-06-23  1:02 Kunihiko Hayashi
  2022-06-23  7:06 ` Uwe Kleine-König
  0 siblings, 1 reply; 3+ messages in thread
From: Kunihiko Hayashi @ 2022-06-23  1:02 UTC
  To: Michael Turquette, Stephen Boyd
  Cc: linux-clk, linux-kernel, Kunihiko Hayashi, Uwe Kleine-König

At bind phase, __devm_clk_get() calls devres_alloc() to allocate devres,
and dr->data is treated as a variable "state".

At unbind phase, release_nodes() calls devm_clk_release() specified by
devres_alloc().

The argument "res" of devm_clk_release() is dr->data, and this entity is
"state", however in devm_clk_release(), "*res" is treated as "state",
resulting in pointer inconsistency.

Unbinding a driver caused a panic.

    Unable to handle kernel execute from non-executable memory
    at virtual address ffff000100236810
    ...
    pc : 0xffff000100236810
    lr : devm_clk_release+0x6c/0x9c
    ...
    Call trace:
     0xffff000100236810
     release_nodes+0xb0/0x150
     devres_release_all+0x94/0xf8
     device_unbind_cleanup+0x20/0x70
     device_release_driver_internal+0x114/0x1a0
     device_driver_detach+0x20/0x30

Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
---
 drivers/clk/clk-devres.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/clk/clk-devres.c b/drivers/clk/clk-devres.c
index 43ccd20e0298..1f37ed7ad395 100644
--- a/drivers/clk/clk-devres.c
+++ b/drivers/clk/clk-devres.c
@@ -11,7 +11,7 @@ struct devm_clk_state {
 
 static void devm_clk_release(struct device *dev, void *res)
 {
-	struct devm_clk_state *state = *(struct devm_clk_state **)res;
+	struct devm_clk_state *state = (struct devm_clk_state *)res;
 
 	if (state->exit)
 		state->exit(state->clk);
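
Review bot: On the changed line in devm_clk_release(), the explicit cast is not needed: res is a void *, which converts implicitly in C, so "struct devm_clk_state *state = res;" is enough and is the more common kernel form. A one-line comment there stating that res is the devres payload itself (the state, not a pointer to it) would help keep the double-pointer dereference from being reintroduced.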
-- 
2.25.1
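
A userspace model of the pointer mismatch described in the commit message above, added here as an example; it is not part of the posted patch or of the kernel source. The contents of struct clk, the devres header, and the model_*, state_* and bogus_* names are assumptions for illustration, and the devm_clk_state layout (clk, then exit) is assumed from the fields the hunk uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-ins with assumed layouts; this is not kernel code. */
struct clk { uintptr_t words[4]; };
struct devm_clk_state { struct clk *clk; void (*exit)(struct clk *clk); };
struct devres { void *node; unsigned char data[]; };
static void model_clk_put(struct clk *clk) { clk->words[3]++; }
/* Bind: like devres_alloc(), return dr->data, which holds the state itself. */
static void *model_bind(struct clk *clk)
{
	struct devm_clk_state state = { clk, model_clk_put };
	struct devres *dr = calloc(1, sizeof(*dr) + sizeof(state));
	if (dr)
		memcpy(dr->data, &state, sizeof(state));
	return dr ? dr->data : NULL;
}
static void model_free(void *res) { free((unsigned char *)res - offsetof(struct devres, data)); }

/* Fixed view, as in the patch: res already points at the state. */
static struct devm_clk_state *state_fixed(void *res) { return res; }
/* Buggy view: the load *(struct devm_clk_state **)res yields state->clk. */
static struct devm_clk_state *state_buggy(void *res)
{
	struct devm_clk_state *wrong;
	memcpy(&wrong, res, sizeof(wrong));
	return wrong;
}
/* Word the buggy code would call as state->exit: raw bytes of the clk. */
static uintptr_t bogus_exit_value(void *res)
{
	uintptr_t v;
	memcpy(&v, (unsigned char *)state_buggy(res) +
	       offsetof(struct devm_clk_state, exit), sizeof(v));
	return v;
}

int main(void)
{
	struct clk c = { { 0x1111, 0x2222, 0x3333, 0x4444 } };
	void *res = model_bind(&c);
	if (!res)
		return 1;
	printf("clk=%p buggy state=%p bogus exit=%#lx\n", (void *)&c,
	       (void *)state_buggy(res), (unsigned long)bogus_exit_value(res));
	model_free(res);
	return 0;
}
```

The buggy view lands on the clk object, so the value it would call as exit is clk data rather than code, which matches the "execute from non-executable memory" report in the trace.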



* Re: [PATCH] clk: Fix referring to wrong pointer in devm_clk_release()
  2022-06-23  1:02 [PATCH] clk: Fix referring to wrong pointer in devm_clk_release() Kunihiko Hayashi
@ 2022-06-23  7:06 ` Uwe Kleine-König
  2022-06-23 15:37   ` Kunihiko Hayashi
  0 siblings, 1 reply; 3+ messages in thread
From: Uwe Kleine-König @ 2022-06-23  7:06 UTC
  To: Kunihiko Hayashi; +Cc: Michael Turquette, Stephen Boyd, linux-clk, linux-kernel

Hello,

On Thu, Jun 23, 2022 at 10:02:22AM +0900, Kunihiko Hayashi wrote:
> At bind phase, __devm_clk_get() calls devres_alloc() to allocate devres,
> and dr->data is treated as a variable "state".
> 
> At unbind phase, release_nodes() calls devm_clk_release() specified by
> devres_alloc().
> 
> The argument "res" of devm_clk_release() is dr->data, and this entity is
> "state", however in devm_clk_release(), "*res" is treated as "state",
> resulting in pointer inconsistency.
> 
> Unbinding a driver caused a panic.
> 
>     Unable to handle kernel execute from non-executable memory
>     at virtual address ffff000100236810
>     ...
>     pc : 0xffff000100236810
>     lr : devm_clk_release+0x6c/0x9c
>     ...
>     Call trace:
>      0xffff000100236810
>      release_nodes+0xb0/0x150
>      devres_release_all+0x94/0xf8
>      device_unbind_cleanup+0x20/0x70
>      device_release_driver_internal+0x114/0x1a0
>      device_driver_detach+0x20/0x30
> 
> Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
> Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
> Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>

This is already fixed in clk-next:

	https://git.kernel.org/pub/scm/linux/kernel/git/clk/linux.git/commit/?h=clk-next&id=8b3d743fc9e2542822826890b482afabf0e7522a

Thanks anyhow,
Uwe

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | https://www.pengutronix.de/ |


* Re: [PATCH] clk: Fix referring to wrong pointer in devm_clk_release()
  2022-06-23  7:06 ` Uwe Kleine-König
@ 2022-06-23 15:37   ` Kunihiko Hayashi
  0 siblings, 0 replies; 3+ messages in thread
From: Kunihiko Hayashi @ 2022-06-23 15:37 UTC
  To: Uwe Kleine-König
  Cc: Michael Turquette, Stephen Boyd, linux-clk, linux-kernel

Hi Uwe,

Thank you for pointing this out.

On 2022/06/23 16:06, Uwe Kleine-König wrote:
> Hello,
> 
> On Thu, Jun 23, 2022 at 10:02:22AM +0900, Kunihiko Hayashi wrote:
>> At bind phase, __devm_clk_get() calls devres_alloc() to allocate devres,
>> and dr->data is treated as a variable "state".
>>
>> At unbind phase, release_nodes() calls devm_clk_release() specified by
>> devres_alloc().
>>
>> The argument "res" of devm_clk_release() is dr->data, and this entity is
>> "state", however in devm_clk_release(), "*res" is treated as "state",
>> resulting in pointer inconsistency.
>>
>> Unbinding a driver caused a panic.
>>
>>      Unable to handle kernel execute from non-executable memory
>>      at virtual address ffff000100236810
>>      ...
>>      pc : 0xffff000100236810
>>      lr : devm_clk_release+0x6c/0x9c
>>      ...
>>      Call trace:
>>       0xffff000100236810
>>       release_nodes+0xb0/0x150
>>       devres_release_all+0x94/0xf8
>>       device_unbind_cleanup+0x20/0x70
>>       device_release_driver_internal+0x114/0x1a0
>>       device_driver_detach+0x20/0x30
>>
>> Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
>> Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
>> Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
> 
> This is already fixed in clk-next:
> 
> 	https://git.kernel.org/pub/scm/linux/kernel/git/clk/linux.git/commit/?h=clk-next&id=8b3d743fc9e2542822826890b482afabf0e7522a

Sorry for not finding the fix patch and duplicating it.
I'm waiting for it to be merged.

Thank you,

---
Best Regards
Kunihiko Hayashi
