linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v2 -next] usb/usbip: fix wrong data added to platform device
@ 2023-10-14  7:46 Hongren Zheng
  2023-10-16  7:40 ` Andy Shevchenko
  2023-10-16 17:42 ` Greg Kroah-Hartman
  0 siblings, 2 replies; 4+ messages in thread
From: Hongren Zheng @ 2023-10-14  7:46 UTC (permalink / raw)
  To: Shuah Khan, Greg Kroah-Hartman, Valentina Manea, Andy Shevchenko
  Cc: linux-usb, linux-kernel, sfr

.data of platform_device_info will be copied into .platform_data of
struct device via platform_device_add_data.

However, vhcis[i] contains a spinlock, is dynamically allocated and
used by other code, so it is not meant to be copied. The workaround
was to use void *vhci as an agent, but it was removed in the commit
suggested below.

This patch adds back the workaround and changes the way of using
platform_data accordingly.

Reported-by: syzbot+e0dbc33630a092ccf033@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/00000000000029242706077f3145@google.com/
Reported-by: syzbot+6867a9777f4b8dc4e256@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/0000000000007634c1060793197c@google.com/
Fixes: b8aaf639b403 ("usbip: Use platform_device_register_full()")
Tested-by: syzbot+6867a9777f4b8dc4e256@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/0000000000007ac87d0607979b6b@google.com/
Signed-off-by: Hongren Zheng <i@zenithal.me>
---
 drivers/usb/usbip/vhci_hcd.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

v2:
code style change suggested by Andy Shevchenko

diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index f845b91848b9..82650c11e451 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -1139,7 +1139,7 @@ static int hcd_name_to_id(const char *name)
 
 static int vhci_setup(struct usb_hcd *hcd)
 {
-	struct vhci *vhci = dev_get_platdata(hcd->self.controller);
+	struct vhci *vhci = *((void **)dev_get_platdata(hcd->self.controller));
 
 	if (usb_hcd_is_primary_hcd(hcd)) {
 		vhci->vhci_hcd_hs = hcd_to_vhci_hcd(hcd);
@@ -1257,7 +1257,7 @@ static int vhci_get_frame_number(struct usb_hcd *hcd)
 /* FIXME: suspend/resume */
 static int vhci_bus_suspend(struct usb_hcd *hcd)
 {
-	struct vhci *vhci = dev_get_platdata(hcd->self.controller);
+	struct vhci *vhci = *((void **)dev_get_platdata(hcd->self.controller));
 	unsigned long flags;
 
 	dev_dbg(&hcd->self.root_hub->dev, "%s\n", __func__);
@@ -1271,7 +1271,7 @@ static int vhci_bus_suspend(struct usb_hcd *hcd)
 
 static int vhci_bus_resume(struct usb_hcd *hcd)
 {
-	struct vhci *vhci = dev_get_platdata(hcd->self.controller);
+	struct vhci *vhci = *((void **)dev_get_platdata(hcd->self.controller));
 	int rc = 0;
 	unsigned long flags;
 
@@ -1338,7 +1338,7 @@ static const struct hc_driver vhci_hc_driver = {
 
 static int vhci_hcd_probe(struct platform_device *pdev)
 {
-	struct vhci             *vhci = dev_get_platdata(&pdev->dev);
+	struct vhci             *vhci = *((void **)dev_get_platdata(&pdev->dev));
 	struct usb_hcd		*hcd_hs;
 	struct usb_hcd		*hcd_ss;
 	int			ret;
@@ -1396,7 +1396,7 @@ static int vhci_hcd_probe(struct platform_device *pdev)
 
 static void vhci_hcd_remove(struct platform_device *pdev)
 {
-	struct vhci *vhci = dev_get_platdata(&pdev->dev);
+	struct vhci *vhci = *((void **)dev_get_platdata(&pdev->dev));
 
 	/*
 	 * Disconnects the root hub,
@@ -1431,7 +1431,7 @@ static int vhci_hcd_suspend(struct platform_device *pdev, pm_message_t state)
 	if (!hcd)
 		return 0;
 
-	vhci = dev_get_platdata(hcd->self.controller);
+	vhci = *((void **)dev_get_platdata(hcd->self.controller));
 
 	spin_lock_irqsave(&vhci->lock, flags);
 
@@ -1522,10 +1522,11 @@ static int __init vhci_hcd_init(void)
 		goto err_driver_register;
 
 	for (i = 0; i < vhci_num_controllers; i++) {
+		void *vhci = &vhcis[i];
 		struct platform_device_info pdevinfo = {
 			.name = driver_name,
 			.id = i,
-			.data = &vhcis[i],
+			.data = &vhci,
 			.size_data = sizeof(void *),
 		};
 
-- 
2.37.2


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH v2 -next] usb/usbip: fix wrong data added to platform device
  2023-10-14  7:46 [PATCH v2 -next] usb/usbip: fix wrong data added to platform device Hongren Zheng
@ 2023-10-16  7:40 ` Andy Shevchenko
  2023-10-16 17:19   ` Shuah Khan
  2023-10-16 17:42 ` Greg Kroah-Hartman
  1 sibling, 1 reply; 4+ messages in thread
From: Andy Shevchenko @ 2023-10-16  7:40 UTC (permalink / raw)
  To: Hongren Zheng
  Cc: Shuah Khan, Greg Kroah-Hartman, Valentina Manea, linux-usb,
	linux-kernel, sfr

On Sat, Oct 14, 2023 at 03:46:04PM +0800, Hongren Zheng wrote:
> .data of platform_device_info will be copied into .platform_data of
> struct device via platform_device_add_data.

platform_device_add_data()

> However, vhcis[i] contains a spinlock, is dynamically allocated and
> used by other code, so it is not meant to be copied. The workaround
> was to use void *vhci as an agent, but it was removed in the commit
> suggested below.
> 
> This patch adds back the workaround and changes the way of using
> platform_data accordingly.

Good learning to me, thank you for the fix!
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

-- 
With Best Regards,
Andy Shevchenko



^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH v2 -next] usb/usbip: fix wrong data added to platform device
  2023-10-16  7:40 ` Andy Shevchenko
@ 2023-10-16 17:19   ` Shuah Khan
  0 siblings, 0 replies; 4+ messages in thread
From: Shuah Khan @ 2023-10-16 17:19 UTC (permalink / raw)
  To: Andy Shevchenko, Hongren Zheng
  Cc: Shuah Khan, Greg Kroah-Hartman, Valentina Manea, linux-usb,
	linux-kernel, sfr, Shuah Khan

On 10/16/23 01:40, Andy Shevchenko wrote:
> On Sat, Oct 14, 2023 at 03:46:04PM +0800, Hongren Zheng wrote:
>> .data of platform_device_info will be copied into .platform_data of
>> struct device via platform_device_add_data.
> 
> platform_device_add_data()
> 
>> However, vhcis[i] contains a spinlock, is dynamically allocated and
>> used by other code, so it is not meant to be copied. The workaround
>> was to use void *vhci as an agent, but it was removed in the commit
>> suggested below.
>>
>> This patch adds back the workaround and changes the way of using
>> platform_data accordingly.
> 
> Good learning to me, thank you for the fix!
> Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
> 

Thank you both.

Acked-by: Shuah Khan <skhan@linuxfoundation.org>

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH v2 -next] usb/usbip: fix wrong data added to platform device
  2023-10-14  7:46 [PATCH v2 -next] usb/usbip: fix wrong data added to platform device Hongren Zheng
  2023-10-16  7:40 ` Andy Shevchenko
@ 2023-10-16 17:42 ` Greg Kroah-Hartman
  1 sibling, 0 replies; 4+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-16 17:42 UTC (permalink / raw)
  To: Hongren Zheng
  Cc: Shuah Khan, Valentina Manea, Andy Shevchenko, linux-usb,
	linux-kernel, sfr

On Sat, Oct 14, 2023 at 03:46:04PM +0800, Hongren Zheng wrote:
> .data of platform_device_info will be copied into .platform_data of
> struct device via platform_device_add_data.

That is crazy.

> However, vhcis[i] contains a spinlock, is dynamically allocated and
> used by other code, so it is not meant to be copied. The workaround
> was to use void *vhci as an agent, but it was removed in the commit
> suggested below.

Again, crazy, I'm amazed it works at all.

> This patch adds back the workaround and changes the way of using
> platform_data accordingly.
> 
> Reported-by: syzbot+e0dbc33630a092ccf033@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/r/00000000000029242706077f3145@google.com/
> Reported-by: syzbot+6867a9777f4b8dc4e256@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/r/0000000000007634c1060793197c@google.com/
> Fixes: b8aaf639b403 ("usbip: Use platform_device_register_full()")
> Tested-by: syzbot+6867a9777f4b8dc4e256@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/r/0000000000007ac87d0607979b6b@google.com/
> Signed-off-by: Hongren Zheng <i@zenithal.me>
> ---
>  drivers/usb/usbip/vhci_hcd.c | 15 ++++++++-------
>  1 file changed, 8 insertions(+), 7 deletions(-)

I'll take this now, as it fixes a reported issue, but really, the root
problem should be fixed instead.  This is not how to treat platform data
at all.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-10-16 17:58 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-10-14  7:46 [PATCH v2 -next] usb/usbip: fix wrong data added to platform device Hongren Zheng
2023-10-16  7:40 ` Andy Shevchenko
2023-10-16 17:19   ` Shuah Khan
2023-10-16 17:42 ` Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).