Message ID | 20230413205528.4044216-1-sboyd@kernel.org |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp1330547vqo; Thu, 13 Apr 2023 14:30:05 -0700 (PDT) X-Google-Smtp-Source: AKy350ZvOjdkKoTRDJmljfL4s/xbpT/5qslbaFy4+sEHfenK9fUKoFiOdKClUQwcFcG0dyeyuzYd X-Received: by 2002:a17:902:f9c8:b0:19d:553:746b with SMTP id kz8-20020a170902f9c800b0019d0553746bmr278265plb.66.1681421405354; Thu, 13 Apr 2023 14:30:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681421405; cv=none; d=google.com; s=arc-20160816; b=kp9gIbMMc7MhZYqaP0qlSUzaLoQbSsiB56BePAAdqlpDN4nU+MqB2sFDugvMN3IA97 rTSvaQaHmblBT+9bLRdAPyiYY/Xxlrb67zyOlnjO77l8Q8osfbw9wYRLu+nN0aJ6qN7S gBxkzTxsSRlyeZGO2yv2PfheyyFxw9Tkze2Jpjm91KLdOtuZyovEg8toFspTtSKq7DNV sifk6PcOu0o2Apu3sXSXwn19aXV7kl8HTMHLz8vlnJbKAHfjYPjYrL5/l1HpC9q6xKOt 0Lk4UNZQGJwi9UnLKVP1vHSyXBpbJtP0Aih8T40/5zcoz7gvcuOoLV0YpOXXcV/9dqvm HKng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=5G0GixoTM2BuWf5Q68YXnSRxK9JrzlS4ba4xhi/l5W4=; b=rOWk2M4R5US5XkvDfeOtiyZhAPtyGOWlm9vNVcARxafvk+Y/KVHUPOmM3RWjK8k7eg FfhTDaqJWkvyYzXSIyAOi/v9fpvC1QqUMWcGqlWCxnQC4ApJqHQirVctx/jifjcM3nfk 6FcIUIzSzVTKPiPOOO/njJVwAvjKfx70GDfqgH6pYBtTR1XzwvYNhVuXMKIS20v5orq/ Ybe9ufVXnpDtaY9MnFpyTpGcVUIseUgx2j2oE4KaB6UUZHqDdDaJ0FDo9GR/34yVHpYd h/0enFFVG3oDhoaylGK3qY+9LIOFNWSygBdQNEnaZAFpK3adYeii+3wRtgUud9lOpP7U yldQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=NpjGVP9F; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g1-20020a170902740100b0019e272a22c7si2826288pll.53.2023.04.13.14.29.42; Thu, 13 Apr 2023 14:30:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=NpjGVP9F; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230130AbjDMUzd (ORCPT <rfc822;peter110.wang@gmail.com> + 99 others); Thu, 13 Apr 2023 16:55:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41422 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229704AbjDMUzc (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Thu, 13 Apr 2023 16:55:32 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3F05083EA; Thu, 13 Apr 2023 13:55:31 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 6AA6664087; Thu, 13 Apr 2023 20:55:30 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3633DC433D2; Thu, 13 Apr 2023 20:55:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1681419329; bh=t1d7XeNgX5GcZlgi+EOqXCN2JRp9UZEAZxIDR7stXlg=; h=From:To:Cc:Subject:Date:From; b=NpjGVP9F/j3kBb2SYkuDj4UxY1EOCIStQoa0yfA8FzoL7o/rcspzD5AlIQluXzf1u sSfVe1OKg8s7Q4P9uI6d141Isxd6ZawBdhJgCuJWkM/ew4YCSLpObBCUoRXpJMLMqx +ZY6/wAnvqU8gu+eCK6fqhfnCxlgW65/PpDJ5TKzOWIOl6JakVNCmBXwUwZ0P0rS9b NoSgNTAfejpi6DRsi8Er717h0XTIVuaddtLtwxOSryZD17iwFSLBZI5Ner1Pz5KSla BUtZUB6/bR/bP1jB3+J2Uz+pRHKtsNKRpMT7jU47Vk5TsME/VP7Do3FhcbDIvNPSwa +H+Zs4Z9JDQhw== From: Stephen Boyd <sboyd@kernel.org> To: Michael Turquette <mturquette@baylibre.com>, Stephen Boyd <sboyd@kernel.org> Cc: linux-kernel@vger.kernel.org, linux-clk@vger.kernel.org, patches@lists.linux.dev, Tommaso Merciai <tomm.merciai@gmail.com>, Emil Renner Berthing <emil.renner.berthing@canonical.com>, Hal Feng <hal.feng@starfivetech.com>, Conor Dooley <conor.dooley@microchip.com>, Xingyu Wu <xingyu.wu@starfivetech.com> Subject: [PATCH] clk: starfive: Avoid casting iomem pointers Date: Thu, 13 Apr 2023 13:55:28 -0700 Message-ID: <20230413205528.4044216-1-sboyd@kernel.org> X-Mailer: git-send-email 2.40.0.634.g4ca3ef3211-goog MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1763098131649668038?= X-GMAIL-MSGID: =?utf-8?q?1763098131649668038?= |
Series |
clk: starfive: Avoid casting iomem pointers
|
|
Commit Message
Stephen Boyd
April 13, 2023, 8:55 p.m. UTC
Let's use a wrapper struct for the auxiliary_device made in
jh7110_reset_controller_register() so that we can stop casting iomem
pointers. The casts trip up tools like sparse, and make for some awkward
casts that are largely unnecessary. While we're here, change the
allocation from devm and actually free the auxiliary_device memory in
the release function. This avoids any use after free problems where the
parent device driver is unbound from the device but the
auxiliuary_device is still in use accessing devm freed memory.
Cc: Tommaso Merciai <tomm.merciai@gmail.com>
Cc: Emil Renner Berthing <emil.renner.berthing@canonical.com>
Cc: Hal Feng <hal.feng@starfivetech.com>
Cc: Conor Dooley <conor.dooley@microchip.com>
Cc: Xingyu Wu <xingyu.wu@starfivetech.com>
Fixes: edab7204afe5 ("clk: starfive: Add StarFive JH7110 system clock driver")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
---
I can take this via clk tree.
drivers/clk/starfive/clk-starfive-jh7110-sys.c | 15 ++++++++++++---
drivers/reset/starfive/reset-starfive-jh7110.c | 9 ++++++---
include/soc/starfive/reset-starfive-jh71x0.h | 17 +++++++++++++++++
3 files changed, 35 insertions(+), 6 deletions(-)
create mode 100644 include/soc/starfive/reset-starfive-jh71x0.h
base-commit: 601e5d464d535d655917c2cfb29c394d367fb676
Comments
On Thu, Apr 13, 2023 at 01:55:28PM -0700, Stephen Boyd wrote: > Let's use a wrapper struct for the auxiliary_device made in > jh7110_reset_controller_register() so that we can stop casting iomem > pointers. The casts trip up tools like sparse, and make for some awkward > casts that are largely unnecessary. Cool, thanks for doing it! > While we're here, change the > allocation from devm and actually free the auxiliary_device memory in > the release function. This avoids any use after free problems where the > parent device driver is unbound from the device but the > auxiliuary_device is still in use accessing devm freed memory. > > Cc: Tommaso Merciai <tomm.merciai@gmail.com> > Cc: Emil Renner Berthing <emil.renner.berthing@canonical.com> > Cc: Hal Feng <hal.feng@starfivetech.com> > Cc: Conor Dooley <conor.dooley@microchip.com> > Cc: Xingyu Wu <xingyu.wu@starfivetech.com> > Fixes: edab7204afe5 ("clk: starfive: Add StarFive JH7110 system clock driver") > Signed-off-by: Stephen Boyd <sboyd@kernel.org> > --- > > I can take this via clk tree. > > drivers/clk/starfive/clk-starfive-jh7110-sys.c | 15 ++++++++++++--- > drivers/reset/starfive/reset-starfive-jh7110.c | 9 ++++++--- > include/soc/starfive/reset-starfive-jh71x0.h | 17 +++++++++++++++++ > 3 files changed, 35 insertions(+), 6 deletions(-) > create mode 100644 include/soc/starfive/reset-starfive-jh71x0.h > > diff --git a/drivers/clk/starfive/clk-starfive-jh7110-sys.c b/drivers/clk/starfive/clk-starfive-jh7110-sys.c > index 5ec210644e1d..851b93d0f371 100644 > --- a/drivers/clk/starfive/clk-starfive-jh7110-sys.c > +++ b/drivers/clk/starfive/clk-starfive-jh7110-sys.c > @@ -11,6 +11,9 @@ > #include <linux/init.h> > #include <linux/io.h> > #include <linux/platform_device.h> > +#include <linux/slab.h> > + > +#include <soc/starfive/reset-starfive-jh71x0.h> > > #include <dt-bindings/clock/starfive,jh7110-crg.h> > > @@ -335,26 +338,32 @@ static void jh7110_reset_unregister_adev(void *_adev) > struct auxiliary_device *adev = _adev; > > auxiliary_device_delete(adev); > + auxiliary_device_uninit(adev); Huh, I think you didn't explicitly mention this one, but it's actually part of the UAF fix AFAICT? When I did the aux device stuff for the clk-mpfs driver, I copied from peci as there were almost no examples of aux dev stuff in-tree. It looks like subsequently to me starting development, this fix landed: 1c11289b34ab ("peci: cpu: Fix use-after-free in adev_release()") It similarly moves the uninit() to the release callback... I think I need the below (whitespace damaged): diff --git a/drivers/clk/microchip/clk-mpfs.c b/drivers/clk/microchip/clk-mpfs.c index 4f0a19db7ed7..cc5d7dee59f0 100644 --- a/drivers/clk/microchip/clk-mpfs.c +++ b/drivers/clk/microchip/clk-mpfs.c @@ -374,14 +374,13 @@ static void mpfs_reset_unregister_adev(void *_adev) struct auxiliary_device *adev = _adev; auxiliary_device_delete(adev); + auxiliary_device_uninit(adev); } static void mpfs_reset_adev_release(struct device *dev) { struct auxiliary_device *adev = to_auxiliary_dev(dev); - auxiliary_device_uninit(adev); - kfree(adev); } Anyways, for this patch: Reviewed-by: Conor Dooley <conor.dooley@microchip.com> Thanks, Conor. > } > > static void jh7110_reset_adev_release(struct device *dev) > { > struct auxiliary_device *adev = to_auxiliary_dev(dev); > + struct jh71x0_reset_adev *rdev = to_jh71x0_reset_adev(adev); > > - auxiliary_device_uninit(adev); > + kfree(rdev); > } > > int jh7110_reset_controller_register(struct jh71x0_clk_priv *priv, > const char *adev_name, > u32 adev_id) > { > + struct jh71x0_reset_adev *rdev; > struct auxiliary_device *adev; > int ret; > > - adev = devm_kzalloc(priv->dev, sizeof(*adev), GFP_KERNEL); > - if (!adev) > + rdev = kzalloc(sizeof(*rdev), GFP_KERNEL); > + if (!rdev) > return -ENOMEM; > > + rdev->base = priv->base; > + > + adev = &rdev->adev; > adev->name = adev_name; > adev->dev.parent = priv->dev; > adev->dev.release = jh7110_reset_adev_release; > diff --git a/drivers/reset/starfive/reset-starfive-jh7110.c b/drivers/reset/starfive/reset-starfive-jh7110.c > index c1b3a490d951..2d26ae95c8cc 100644 > --- a/drivers/reset/starfive/reset-starfive-jh7110.c > +++ b/drivers/reset/starfive/reset-starfive-jh7110.c > @@ -7,6 +7,8 @@ > > #include <linux/auxiliary_bus.h> > > +#include <soc/starfive/reset-starfive-jh71x0.h> > + > #include "reset-starfive-jh71x0.h" > > #include <dt-bindings/reset/starfive,jh7110-crg.h> > @@ -33,14 +35,15 @@ static int jh7110_reset_probe(struct auxiliary_device *adev, > const struct auxiliary_device_id *id) > { > struct jh7110_reset_info *info = (struct jh7110_reset_info *)(id->driver_data); > - void __iomem **base = (void __iomem **)dev_get_drvdata(adev->dev.parent); > + struct jh71x0_reset_adev *rdev = to_jh71x0_reset_adev(adev); > + void __iomem *base = rdev->base; > > if (!info || !base) > return -ENODEV; > > return reset_starfive_jh71x0_register(&adev->dev, adev->dev.parent->of_node, > - *base + info->assert_offset, > - *base + info->status_offset, > + base + info->assert_offset, > + base + info->status_offset, > NULL, > info->nr_resets, > NULL); > diff --git a/include/soc/starfive/reset-starfive-jh71x0.h b/include/soc/starfive/reset-starfive-jh71x0.h > new file mode 100644 > index 000000000000..47b486ececc5 > --- /dev/null > +++ b/include/soc/starfive/reset-starfive-jh71x0.h > @@ -0,0 +1,17 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +#ifndef __SOC_STARFIVE_RESET_JH71X0_H > +#define __SOC_STARFIVE_RESET_JH71X0_H > + > +#include <linux/auxiliary_bus.h> > +#include <linux/compiler_types.h> > +#include <linux/container_of.h> > + > +struct jh71x0_reset_adev { > + void __iomem *base; > + struct auxiliary_device adev; > +}; > + > +#define to_jh71x0_reset_adev(_adev) \ > + container_of((_adev), struct jh71x0_reset_adev, adev) > + > +#endif > > base-commit: 601e5d464d535d655917c2cfb29c394d367fb676 > -- > https://git.kernel.org/pub/scm/linux/kernel/git/clk/linux.git/ > https://git.kernel.org/pub/scm/linux/kernel/git/sboyd/spmi.git >
Quoting Conor Dooley (2023-04-13 14:26:56) > > @@ -335,26 +338,32 @@ static void jh7110_reset_unregister_adev(void *_adev) > > struct auxiliary_device *adev = _adev; > > > > auxiliary_device_delete(adev); > > + auxiliary_device_uninit(adev); > > Huh, I think you didn't explicitly mention this one, but it's actually > part of the UAF fix AFAICT? > > When I did the aux device stuff for the clk-mpfs driver, I copied from > peci as there were almost no examples of aux dev stuff in-tree. > It looks like subsequently to me starting development, this fix landed: > 1c11289b34ab ("peci: cpu: Fix use-after-free in adev_release()") > > It similarly moves the uninit() to the release callback... > > I think I need the below (whitespace damaged): Yeah that looks better. Care to send a proper patch for it? > diff --git a/drivers/clk/microchip/clk-mpfs.c b/drivers/clk/microchip/clk-mpfs.c > index 4f0a19db7ed7..cc5d7dee59f0 100644 > --- a/drivers/clk/microchip/clk-mpfs.c > +++ b/drivers/clk/microchip/clk-mpfs.c > @@ -374,14 +374,13 @@ static void mpfs_reset_unregister_adev(void *_adev) > struct auxiliary_device *adev = _adev; > > auxiliary_device_delete(adev); > + auxiliary_device_uninit(adev); > } > > static void mpfs_reset_adev_release(struct device *dev) > { > struct auxiliary_device *adev = to_auxiliary_dev(dev); > > - auxiliary_device_uninit(adev); > - > kfree(adev); > } > > Anyways, for this patch: > Reviewed-by: Conor Dooley <conor.dooley@microchip.com> > Thanks.
On Thu, Apr 13, 2023 at 03:01:02PM -0700, Stephen Boyd wrote:
> Yeah that looks better. Care to send a proper patch for it?
Yup, no problem: 20230413-critter-synopsis-dac070a86cb4@spud
Cheers,
Conor.
Quoting Stephen Boyd (2023-04-13 13:55:28) > Let's use a wrapper struct for the auxiliary_device made in > jh7110_reset_controller_register() so that we can stop casting iomem > pointers. The casts trip up tools like sparse, and make for some awkward > casts that are largely unnecessary. While we're here, change the > allocation from devm and actually free the auxiliary_device memory in > the release function. This avoids any use after free problems where the > parent device driver is unbound from the device but the > auxiliuary_device is still in use accessing devm freed memory. > > Cc: Tommaso Merciai <tomm.merciai@gmail.com> > Cc: Emil Renner Berthing <emil.renner.berthing@canonical.com> > Cc: Hal Feng <hal.feng@starfivetech.com> > Cc: Conor Dooley <conor.dooley@microchip.com> > Cc: Xingyu Wu <xingyu.wu@starfivetech.com> > Fixes: edab7204afe5 ("clk: starfive: Add StarFive JH7110 system clock driver") > Signed-off-by: Stephen Boyd <sboyd@kernel.org> > --- Applied to clk-next
On 2023/4/14 4:55, Stephen Boyd wrote: > Let's use a wrapper struct for the auxiliary_device made in > jh7110_reset_controller_register() so that we can stop casting iomem > pointers. The casts trip up tools like sparse, and make for some awkward > casts that are largely unnecessary. While we're here, change the > allocation from devm and actually free the auxiliary_device memory in > the release function. This avoids any use after free problems where the > parent device driver is unbound from the device but the > auxiliuary_device is still in use accessing devm freed memory. > > Cc: Tommaso Merciai <tomm.merciai@gmail.com> > Cc: Emil Renner Berthing <emil.renner.berthing@canonical.com> > Cc: Hal Feng <hal.feng@starfivetech.com> > Cc: Conor Dooley <conor.dooley@microchip.com> > Cc: Xingyu Wu <xingyu.wu@starfivetech.com> > Fixes: edab7204afe5 ("clk: starfive: Add StarFive JH7110 system clock driver") > Signed-off-by: Stephen Boyd <sboyd@kernel.org> > --- > > I can take this via clk tree. > > drivers/clk/starfive/clk-starfive-jh7110-sys.c | 15 ++++++++++++--- > drivers/reset/starfive/reset-starfive-jh7110.c | 9 ++++++--- > include/soc/starfive/reset-starfive-jh71x0.h | 17 +++++++++++++++++ > 3 files changed, 35 insertions(+), 6 deletions(-) > create mode 100644 include/soc/starfive/reset-starfive-jh71x0.h > > diff --git a/drivers/clk/starfive/clk-starfive-jh7110-sys.c b/drivers/clk/starfive/clk-starfive-jh7110-sys.c > index 5ec210644e1d..851b93d0f371 100644 > --- a/drivers/clk/starfive/clk-starfive-jh7110-sys.c > +++ b/drivers/clk/starfive/clk-starfive-jh7110-sys.c > @@ -11,6 +11,9 @@ > #include <linux/init.h> > #include <linux/io.h> > #include <linux/platform_device.h> > +#include <linux/slab.h> > + > +#include <soc/starfive/reset-starfive-jh71x0.h> > > #include <dt-bindings/clock/starfive,jh7110-crg.h> > > @@ -335,26 +338,32 @@ static void jh7110_reset_unregister_adev(void *_adev) > struct auxiliary_device *adev = _adev; > > auxiliary_device_delete(adev); > + auxiliary_device_uninit(adev); > } > > static void jh7110_reset_adev_release(struct device *dev) > { > struct auxiliary_device *adev = to_auxiliary_dev(dev); > + struct jh71x0_reset_adev *rdev = to_jh71x0_reset_adev(adev); > > - auxiliary_device_uninit(adev); > + kfree(rdev); > } > > int jh7110_reset_controller_register(struct jh71x0_clk_priv *priv, > const char *adev_name, > u32 adev_id) > { > + struct jh71x0_reset_adev *rdev; > struct auxiliary_device *adev; > int ret; > > - adev = devm_kzalloc(priv->dev, sizeof(*adev), GFP_KERNEL); > - if (!adev) > + rdev = kzalloc(sizeof(*rdev), GFP_KERNEL); > + if (!rdev) > return -ENOMEM; > > + rdev->base = priv->base; > + > + adev = &rdev->adev; > adev->name = adev_name; > adev->dev.parent = priv->dev; > adev->dev.release = jh7110_reset_adev_release; > diff --git a/drivers/reset/starfive/reset-starfive-jh7110.c b/drivers/reset/starfive/reset-starfive-jh7110.c > index c1b3a490d951..2d26ae95c8cc 100644 > --- a/drivers/reset/starfive/reset-starfive-jh7110.c > +++ b/drivers/reset/starfive/reset-starfive-jh7110.c > @@ -7,6 +7,8 @@ > > #include <linux/auxiliary_bus.h> > > +#include <soc/starfive/reset-starfive-jh71x0.h> > + > #include "reset-starfive-jh71x0.h" > > #include <dt-bindings/reset/starfive,jh7110-crg.h> > @@ -33,14 +35,15 @@ static int jh7110_reset_probe(struct auxiliary_device *adev, > const struct auxiliary_device_id *id) > { > struct jh7110_reset_info *info = (struct jh7110_reset_info *)(id->driver_data); > - void __iomem **base = (void __iomem **)dev_get_drvdata(adev->dev.parent); Thank you for doing that. BTW, if drop the dev_get_drvdata(), the dev_set_drvdata() should also be dropped. diff --git a/drivers/clk/starfive/clk-starfive-jh7110-aon.c b/drivers/clk/starfive/clk-starfive-jh7110-aon.c index a2799fe8a234..62954eb7b50a 100644 --- a/drivers/clk/starfive/clk-starfive-jh7110-aon.c +++ b/drivers/clk/starfive/clk-starfive-jh7110-aon.c @@ -83,8 +83,6 @@ static int jh7110_aoncrg_probe(struct platform_device *pdev) if (IS_ERR(priv->base)) return PTR_ERR(priv->base); - dev_set_drvdata(priv->dev, (void *)(&priv->base)); - for (idx = 0; idx < JH7110_AONCLK_END; idx++) { u32 max = jh7110_aonclk_data[idx].max; struct clk_parent_data parents[4] = {}; diff --git a/drivers/clk/starfive/clk-starfive-jh7110-sys.c b/drivers/clk/starfive/clk-starfive-jh7110-sys.c index 5ec210644e1d..0cda33fd47f8 100644 --- a/drivers/clk/starfive/clk-starfive-jh7110-sys.c +++ b/drivers/clk/starfive/clk-starfive-jh7110-sys.c @@ -393,8 +393,6 @@ static int __init jh7110_syscrg_probe(struct platform_device *pdev) if (IS_ERR(priv->base)) return PTR_ERR(priv->base); - dev_set_drvdata(priv->dev, (void *)(&priv->base)); - /* * These PLL clocks are not actually fixed factor clocks and can be * controlled by the syscon registers of JH7110. They will be dropped > + struct jh71x0_reset_adev *rdev = to_jh71x0_reset_adev(adev); > + void __iomem *base = rdev->base; > > if (!info || !base) > return -ENODEV; > > return reset_starfive_jh71x0_register(&adev->dev, adev->dev.parent->of_node, > - *base + info->assert_offset, > - *base + info->status_offset, > + base + info->assert_offset, > + base + info->status_offset, > NULL, > info->nr_resets, > NULL); > diff --git a/include/soc/starfive/reset-starfive-jh71x0.h b/include/soc/starfive/reset-starfive-jh71x0.h > new file mode 100644 > index 000000000000..47b486ececc5 > --- /dev/null > +++ b/include/soc/starfive/reset-starfive-jh71x0.h > @@ -0,0 +1,17 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +#ifndef __SOC_STARFIVE_RESET_JH71X0_H > +#define __SOC_STARFIVE_RESET_JH71X0_H > + > +#include <linux/auxiliary_bus.h> > +#include <linux/compiler_types.h> > +#include <linux/container_of.h> > + > +struct jh71x0_reset_adev { > + void __iomem *base; > + struct auxiliary_device adev; > +}; > + > +#define to_jh71x0_reset_adev(_adev) \ > + container_of((_adev), struct jh71x0_reset_adev, adev) > + > +#endif > > base-commit: 601e5d464d535d655917c2cfb29c394d367fb676 Best regards, Xingyu Wu
On Fri, 14 Apr 2023 09:58:47 +0800, Xingyu Wu wrote: > On 2023/4/14 4:55, Stephen Boyd wrote: >> Let's use a wrapper struct for the auxiliary_device made in >> jh7110_reset_controller_register() so that we can stop casting iomem >> pointers. The casts trip up tools like sparse, and make for some awkward >> casts that are largely unnecessary. While we're here, change the >> allocation from devm and actually free the auxiliary_device memory in >> the release function. This avoids any use after free problems where the >> parent device driver is unbound from the device but the >> auxiliuary_device is still in use accessing devm freed memory. >> >> Cc: Tommaso Merciai <tomm.merciai@gmail.com> >> Cc: Emil Renner Berthing <emil.renner.berthing@canonical.com> >> Cc: Hal Feng <hal.feng@starfivetech.com> >> Cc: Conor Dooley <conor.dooley@microchip.com> >> Cc: Xingyu Wu <xingyu.wu@starfivetech.com> >> Fixes: edab7204afe5 ("clk: starfive: Add StarFive JH7110 system clock driver") >> Signed-off-by: Stephen Boyd <sboyd@kernel.org> >> --- >> >> I can take this via clk tree. >> >> drivers/clk/starfive/clk-starfive-jh7110-sys.c | 15 ++++++++++++--- >> drivers/reset/starfive/reset-starfive-jh7110.c | 9 ++++++--- >> include/soc/starfive/reset-starfive-jh71x0.h | 17 +++++++++++++++++ >> 3 files changed, 35 insertions(+), 6 deletions(-) >> create mode 100644 include/soc/starfive/reset-starfive-jh71x0.h >> >> diff --git a/drivers/clk/starfive/clk-starfive-jh7110-sys.c b/drivers/clk/starfive/clk-starfive-jh7110-sys.c >> index 5ec210644e1d..851b93d0f371 100644 >> --- a/drivers/clk/starfive/clk-starfive-jh7110-sys.c >> +++ b/drivers/clk/starfive/clk-starfive-jh7110-sys.c >> @@ -11,6 +11,9 @@ >> #include <linux/init.h> >> #include <linux/io.h> >> #include <linux/platform_device.h> >> +#include <linux/slab.h> >> + >> +#include <soc/starfive/reset-starfive-jh71x0.h> >> >> #include <dt-bindings/clock/starfive,jh7110-crg.h> >> >> @@ -335,26 +338,32 @@ static void jh7110_reset_unregister_adev(void *_adev) >> struct auxiliary_device *adev = _adev; >> >> auxiliary_device_delete(adev); >> + auxiliary_device_uninit(adev); >> } >> >> static void jh7110_reset_adev_release(struct device *dev) >> { >> struct auxiliary_device *adev = to_auxiliary_dev(dev); >> + struct jh71x0_reset_adev *rdev = to_jh71x0_reset_adev(adev); >> >> - auxiliary_device_uninit(adev); >> + kfree(rdev); >> } >> >> int jh7110_reset_controller_register(struct jh71x0_clk_priv *priv, >> const char *adev_name, >> u32 adev_id) >> { >> + struct jh71x0_reset_adev *rdev; >> struct auxiliary_device *adev; >> int ret; >> >> - adev = devm_kzalloc(priv->dev, sizeof(*adev), GFP_KERNEL); >> - if (!adev) >> + rdev = kzalloc(sizeof(*rdev), GFP_KERNEL); >> + if (!rdev) >> return -ENOMEM; >> >> + rdev->base = priv->base; >> + >> + adev = &rdev->adev; >> adev->name = adev_name; >> adev->dev.parent = priv->dev; >> adev->dev.release = jh7110_reset_adev_release; >> diff --git a/drivers/reset/starfive/reset-starfive-jh7110.c b/drivers/reset/starfive/reset-starfive-jh7110.c >> index c1b3a490d951..2d26ae95c8cc 100644 >> --- a/drivers/reset/starfive/reset-starfive-jh7110.c >> +++ b/drivers/reset/starfive/reset-starfive-jh7110.c >> @@ -7,6 +7,8 @@ >> >> #include <linux/auxiliary_bus.h> >> >> +#include <soc/starfive/reset-starfive-jh71x0.h> >> + >> #include "reset-starfive-jh71x0.h" >> >> #include <dt-bindings/reset/starfive,jh7110-crg.h> >> @@ -33,14 +35,15 @@ static int jh7110_reset_probe(struct auxiliary_device *adev, >> const struct auxiliary_device_id *id) >> { >> struct jh7110_reset_info *info = (struct jh7110_reset_info *)(id->driver_data); >> - void __iomem **base = (void __iomem **)dev_get_drvdata(adev->dev.parent); > > Thank you for doing that. BTW, if drop the dev_get_drvdata(), the dev_set_drvdata() should also be dropped. > > diff --git a/drivers/clk/starfive/clk-starfive-jh7110-aon.c b/drivers/clk/starfive/clk-starfive-jh7110-aon.c > index a2799fe8a234..62954eb7b50a 100644 > --- a/drivers/clk/starfive/clk-starfive-jh7110-aon.c > +++ b/drivers/clk/starfive/clk-starfive-jh7110-aon.c > @@ -83,8 +83,6 @@ static int jh7110_aoncrg_probe(struct platform_device *pdev) > if (IS_ERR(priv->base)) > return PTR_ERR(priv->base); > > - dev_set_drvdata(priv->dev, (void *)(&priv->base)); > - > for (idx = 0; idx < JH7110_AONCLK_END; idx++) { > u32 max = jh7110_aonclk_data[idx].max; > struct clk_parent_data parents[4] = {}; > diff --git a/drivers/clk/starfive/clk-starfive-jh7110-sys.c b/drivers/clk/starfive/clk-starfive-jh7110-sys.c > index 5ec210644e1d..0cda33fd47f8 100644 > --- a/drivers/clk/starfive/clk-starfive-jh7110-sys.c > +++ b/drivers/clk/starfive/clk-starfive-jh7110-sys.c > @@ -393,8 +393,6 @@ static int __init jh7110_syscrg_probe(struct platform_device *pdev) > if (IS_ERR(priv->base)) > return PTR_ERR(priv->base); > > - dev_set_drvdata(priv->dev, (void *)(&priv->base)); > - > /* > * These PLL clocks are not actually fixed factor clocks and can be > * controlled by the syscon registers of JH7110. They will be dropped > Hi, Stephen, Thanks for your fix to my previous patches, and I have tested this patch on VisionFive 2 board. As Xingyu said above, I think dev_set_drvdata() should also be dropped in clk-starfive-jh7110-sys.c and clk-starfive-jh7110-aon.c. Best regards, Hal
Quoting Hal Feng (2023-04-14 16:31:45) > > Thanks for your fix to my previous patches, and I have tested this patch > on VisionFive 2 board. As Xingyu said above, I think dev_set_drvdata() > should also be dropped in clk-starfive-jh7110-sys.c and > clk-starfive-jh7110-aon.c. > Sure. I see you sent the patch. Thanks.
diff --git a/drivers/clk/starfive/clk-starfive-jh7110-sys.c b/drivers/clk/starfive/clk-starfive-jh7110-sys.c index 5ec210644e1d..851b93d0f371 100644 --- a/drivers/clk/starfive/clk-starfive-jh7110-sys.c +++ b/drivers/clk/starfive/clk-starfive-jh7110-sys.c @@ -11,6 +11,9 @@ #include <linux/init.h> #include <linux/io.h> #include <linux/platform_device.h> +#include <linux/slab.h> + +#include <soc/starfive/reset-starfive-jh71x0.h> #include <dt-bindings/clock/starfive,jh7110-crg.h> @@ -335,26 +338,32 @@ static void jh7110_reset_unregister_adev(void *_adev) struct auxiliary_device *adev = _adev; auxiliary_device_delete(adev); + auxiliary_device_uninit(adev); } static void jh7110_reset_adev_release(struct device *dev) { struct auxiliary_device *adev = to_auxiliary_dev(dev); + struct jh71x0_reset_adev *rdev = to_jh71x0_reset_adev(adev); - auxiliary_device_uninit(adev); + kfree(rdev); } int jh7110_reset_controller_register(struct jh71x0_clk_priv *priv, const char *adev_name, u32 adev_id) { + struct jh71x0_reset_adev *rdev; struct auxiliary_device *adev; int ret; - adev = devm_kzalloc(priv->dev, sizeof(*adev), GFP_KERNEL); - if (!adev) + rdev = kzalloc(sizeof(*rdev), GFP_KERNEL); + if (!rdev) return -ENOMEM; + rdev->base = priv->base; + + adev = &rdev->adev; adev->name = adev_name; adev->dev.parent = priv->dev; adev->dev.release = jh7110_reset_adev_release; diff --git a/drivers/reset/starfive/reset-starfive-jh7110.c b/drivers/reset/starfive/reset-starfive-jh7110.c index c1b3a490d951..2d26ae95c8cc 100644 --- a/drivers/reset/starfive/reset-starfive-jh7110.c +++ b/drivers/reset/starfive/reset-starfive-jh7110.c @@ -7,6 +7,8 @@ #include <linux/auxiliary_bus.h> +#include <soc/starfive/reset-starfive-jh71x0.h> + #include "reset-starfive-jh71x0.h" #include <dt-bindings/reset/starfive,jh7110-crg.h> @@ -33,14 +35,15 @@ static int jh7110_reset_probe(struct auxiliary_device *adev, const struct auxiliary_device_id *id) { struct jh7110_reset_info *info = (struct jh7110_reset_info *)(id->driver_data); - void __iomem **base = (void __iomem **)dev_get_drvdata(adev->dev.parent); + struct jh71x0_reset_adev *rdev = to_jh71x0_reset_adev(adev); + void __iomem *base = rdev->base; if (!info || !base) return -ENODEV; return reset_starfive_jh71x0_register(&adev->dev, adev->dev.parent->of_node, - *base + info->assert_offset, - *base + info->status_offset, + base + info->assert_offset, + base + info->status_offset, NULL, info->nr_resets, NULL); diff --git a/include/soc/starfive/reset-starfive-jh71x0.h b/include/soc/starfive/reset-starfive-jh71x0.h new file mode 100644 index 000000000000..47b486ececc5 --- /dev/null +++ b/include/soc/starfive/reset-starfive-jh71x0.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef __SOC_STARFIVE_RESET_JH71X0_H +#define __SOC_STARFIVE_RESET_JH71X0_H + +#include <linux/auxiliary_bus.h> +#include <linux/compiler_types.h> +#include <linux/container_of.h> + +struct jh71x0_reset_adev { + void __iomem *base; + struct auxiliary_device adev; +}; + +#define to_jh71x0_reset_adev(_adev) \ + container_of((_adev), struct jh71x0_reset_adev, adev) + +#endif