* [PATCH] clk: Fix referring to wrong pointer in devm_clk_release()
@ 2022-06-23 1:02 Kunihiko Hayashi
2022-06-23 7:06 ` Uwe Kleine-König
0 siblings, 1 reply; 3+ messages in thread
From: Kunihiko Hayashi @ 2022-06-23 1:02 UTC (permalink / raw)
To: Michael Turquette, Stephen Boyd
Cc: linux-clk, linux-kernel, Kunihiko Hayashi, Uwe Kleine-König
At bind phase, __devm_clk_get() calls devres_alloc() to allocate devres,
and dr->data is treated as a variable "state".
At unbind phase, release_nodes() calls devm_clk_release() specified by
devres_alloc().
The argument "res" of devm_clk_release() is dr->data, and this entity is
"state", however in devm_clk_release(), "*res" is treated as "state",
resulting in pointer inconsistency.
Unbinding a driver caused a panic.
Unable to handle kernel execute from non-executable memory
at virtual address ffff000100236810
...
pc : 0xffff000100236810
lr : devm_clk_release+0x6c/0x9c
...
Call trace:
0xffff000100236810
release_nodes+0xb0/0x150
devres_release_all+0x94/0xf8
device_unbind_cleanup+0x20/0x70
device_release_driver_internal+0x114/0x1a0
device_driver_detach+0x20/0x30
Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
---
drivers/clk/clk-devres.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/clk-devres.c b/drivers/clk/clk-devres.c
index 43ccd20e0298..1f37ed7ad395 100644
--- a/drivers/clk/clk-devres.c
+++ b/drivers/clk/clk-devres.c
@@ -11,7 +11,7 @@ struct devm_clk_state {
static void devm_clk_release(struct device *dev, void *res)
{
- struct devm_clk_state *state = *(struct devm_clk_state **)res;
+ struct devm_clk_state *state = (struct devm_clk_state *)res;
if (state->exit)
state->exit(state->clk);
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] clk: Fix referring to wrong pointer in devm_clk_release()
2022-06-23 1:02 [PATCH] clk: Fix referring to wrong pointer in devm_clk_release() Kunihiko Hayashi
@ 2022-06-23 7:06 ` Uwe Kleine-König
2022-06-23 15:37 ` Kunihiko Hayashi
0 siblings, 1 reply; 3+ messages in thread
From: Uwe Kleine-König @ 2022-06-23 7:06 UTC (permalink / raw)
To: Kunihiko Hayashi; +Cc: Michael Turquette, Stephen Boyd, linux-clk, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1527 bytes --]
Hello,
On Thu, Jun 23, 2022 at 10:02:22AM +0900, Kunihiko Hayashi wrote:
> At bind phase, __devm_clk_get() calls devres_alloc() to allocate devres,
> and dr->data is treated as a variable "state".
>
> At unbind phase, release_nodes() calls devm_clk_release() specified by
> devres_alloc().
>
> The argument "res" of devm_clk_release() is dr->data, and this entity is
> "state", however in devm_clk_release(), "*res" is treated as "state",
> resulting in pointer inconsistency.
>
> Unbinding a driver caused a panic.
>
> Unable to handle kernel execute from non-executable memory
> at virtual address ffff000100236810
> ...
> pc : 0xffff000100236810
> lr : devm_clk_release+0x6c/0x9c
> ...
> Call trace:
> 0xffff000100236810
> release_nodes+0xb0/0x150
> devres_release_all+0x94/0xf8
> device_unbind_cleanup+0x20/0x70
> device_release_driver_internal+0x114/0x1a0
> device_driver_detach+0x20/0x30
>
> Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
> Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
> Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
This is already fixed in clk-next:
https://git.kernel.org/pub/scm/linux/kernel/git/clk/linux.git/commit/?h=clk-next&id=8b3d743fc9e2542822826890b482afabf0e7522a
Thanks anyhow,
Uwe
--
Pengutronix e.K. | Uwe Kleine-König |
Industrial Linux Solutions | https://www.pengutronix.de/ |
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] clk: Fix referring to wrong pointer in devm_clk_release()
2022-06-23 7:06 ` Uwe Kleine-König
@ 2022-06-23 15:37 ` Kunihiko Hayashi
0 siblings, 0 replies; 3+ messages in thread
From: Kunihiko Hayashi @ 2022-06-23 15:37 UTC (permalink / raw)
To: Uwe Kleine-König
Cc: Michael Turquette, Stephen Boyd, linux-clk, linux-kernel
Hi Uwe,
Thank you for pointing out.
On 2022/06/23 16:06, Uwe Kleine-König wrote:
> Hello,
>
> On Thu, Jun 23, 2022 at 10:02:22AM +0900, Kunihiko Hayashi wrote:
>> At bind phase, __devm_clk_get() calls devres_alloc() to allocate devres,
>> and dr->data is treated as a variable "state".
>>
>> At unbind phase, release_nodes() calls devm_clk_release() specified by
>> devres_alloc().
>>
>> The argument "res" of devm_clk_release() is dr->data, and this entity is
>> "state", however in devm_clk_release(), "*res" is treated as "state",
>> resulting in pointer inconsistency.
>>
>> Unbinding a driver caused a panic.
>>
>> Unable to handle kernel execute from non-executable memory
>> at virtual address ffff000100236810
>> ...
>> pc : 0xffff000100236810
>> lr : devm_clk_release+0x6c/0x9c
>> ...
>> Call trace:
>> 0xffff000100236810
>> release_nodes+0xb0/0x150
>> devres_release_all+0x94/0xf8
>> device_unbind_cleanup+0x20/0x70
>> device_release_driver_internal+0x114/0x1a0
>> device_driver_detach+0x20/0x30
>>
>> Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
>> Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
>> Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
>
> This is already fixed in clk-next:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/clk/linux.git/commit/?h=clk-next&id=8b3d743fc9e2542822826890b482afabf0e7522a
Sorry for not finding the fix patch and duplicating it.
I'm waiting for it to be merged.
Thank you,
---
Best Regards
Kunihiko Hayashi
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-06-23 15:37 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-23 1:02 [PATCH] clk: Fix referring to wrong pointer in devm_clk_release() Kunihiko Hayashi
2022-06-23 7:06 ` Uwe Kleine-König
2022-06-23 15:37 ` Kunihiko Hayashi
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).