tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

rpmsg: Fix calling device_lock() on non-initialized device

driver_set_override() helper uses device_lock() so it should not be
called before rpmsg_register_device() (which calls device_register()).
Effect can be seen with CONFIG_DEBUG_MUTEXES:

DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 3 PID: 57 at kernel/locking/mutex.c:582 __mutex_lock+0x1ec/0x430
...
Call trace:
__mutex_lock+0x1ec/0x430
mutex_lock_nested+0x44/0x50
driver_set_override+0x124/0x150
qcom_glink_native_probe+0x30c/0x3b0
glink_rpm_probe+0x274/0x350
platform_probe+0x6c/0xe0
really_probe+0x17c/0x3d0
__driver_probe_device+0x114/0x190
driver_probe_device+0x3c/0xf0
...

Refactor the rpmsg_register_device() function to use two-step device
registering (initialization + add) and call driver_set_override() in
proper moment.

This moves the code around, so while at it also NULL-ify the
rpdev->driver_override in error path to be sure it won't be kfree()
second time.

Fixes: 42cd402b8fd4 ("rpmsg: Fix kfree() of static memory on setting driver_override")
Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/20220429195946.1061725-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Krzysztof Kozlowski and committed by
Greg Kroah-Hartman bb17d110 6370b04f

+40 -29
+30 -3
drivers/rpmsg/rpmsg_core.c
··· 593 593 .remove = rpmsg_dev_remove, 594 594 }; 595 595 596 - int rpmsg_register_device(struct rpmsg_device *rpdev) 596 + /* 597 + * A helper for registering rpmsg device with driver override and name. 598 + * Drivers should not be using it, but instead rpmsg_register_device(). 599 + */ 600 + int rpmsg_register_device_override(struct rpmsg_device *rpdev, 601 + const char *driver_override) 597 602 { 598 603 struct device *dev = &rpdev->dev; 599 604 int ret; 605 + 606 + if (driver_override) 607 + strcpy(rpdev->id.name, driver_override); 600 608 601 609 dev_set_name(&rpdev->dev, "%s.%s.%d.%d", dev_name(dev->parent), 602 610 rpdev->id.name, rpdev->src, rpdev->dst); 603 611 604 612 rpdev->dev.bus = &rpmsg_bus; 605 613 606 - ret = device_register(&rpdev->dev); 614 + device_initialize(dev); 615 + if (driver_override) { 616 + ret = driver_set_override(dev, &rpdev->driver_override, 617 + driver_override, 618 + strlen(driver_override)); 619 + if (ret) { 620 + dev_err(dev, "device_set_override failed: %d\n", ret); 621 + return ret; 622 + } 623 + } 624 + 625 + ret = device_add(dev); 607 626 if (ret) { 608 - dev_err(dev, "device_register failed: %d\n", ret); 627 + dev_err(dev, "device_add failed: %d\n", ret); 628 + kfree(rpdev->driver_override); 629 + rpdev->driver_override = NULL; 609 630 put_device(&rpdev->dev); 610 631 } 611 632 612 633 return ret; 634 + } 635 + EXPORT_SYMBOL(rpmsg_register_device_override); 636 + 637 + int rpmsg_register_device(struct rpmsg_device *rpdev) 638 + { 639 + return rpmsg_register_device_override(rpdev, NULL); 613 640 } 614 641 EXPORT_SYMBOL(rpmsg_register_device); 615 642
+1 -13
drivers/rpmsg/rpmsg_internal.h
··· 94 94 */ 95 95 static inline int rpmsg_ctrldev_register_device(struct rpmsg_device *rpdev) 96 96 { 97 - int ret; 98 - 99 - strcpy(rpdev->id.name, "rpmsg_ctrl"); 100 - ret = driver_set_override(&rpdev->dev, &rpdev->driver_override, 101 - rpdev->id.name, strlen(rpdev->id.name)); 102 - if (ret) 103 - return ret; 104 - 105 - ret = rpmsg_register_device(rpdev); 106 - if (ret) 107 - kfree(rpdev->driver_override); 108 - 109 - return ret; 97 + return rpmsg_register_device_override(rpdev, "rpmsg_ctrl"); 110 98 } 111 99 112 100 #endif
+1 -13
drivers/rpmsg/rpmsg_ns.c
··· 20 20 */ 21 21 int rpmsg_ns_register_device(struct rpmsg_device *rpdev) 22 22 { 23 - int ret; 24 - 25 - strcpy(rpdev->id.name, "rpmsg_ns"); 26 - ret = driver_set_override(&rpdev->dev, &rpdev->driver_override, 27 - rpdev->id.name, strlen(rpdev->id.name)); 28 - if (ret) 29 - return ret; 30 - 31 23 rpdev->src = RPMSG_NS_ADDR; 32 24 rpdev->dst = RPMSG_NS_ADDR; 33 25 34 - ret = rpmsg_register_device(rpdev); 35 - if (ret) 36 - kfree(rpdev->driver_override); 37 - 38 - return ret; 26 + return rpmsg_register_device_override(rpdev, "rpmsg_ns"); 39 27 } 40 28 EXPORT_SYMBOL(rpmsg_ns_register_device); 41 29
+8
include/linux/rpmsg.h
··· 165 165 166 166 #if IS_ENABLED(CONFIG_RPMSG) 167 167 168 + int rpmsg_register_device_override(struct rpmsg_device *rpdev, 169 + const char *driver_override); 168 170 int rpmsg_register_device(struct rpmsg_device *rpdev); 169 171 int rpmsg_unregister_device(struct device *parent, 170 172 struct rpmsg_channel_info *chinfo); ··· 193 191 ssize_t rpmsg_get_mtu(struct rpmsg_endpoint *ept); 194 192 195 193 #else 194 + 195 + static inline int rpmsg_register_device_override(struct rpmsg_device *rpdev, 196 + const char *driver_override) 197 + { 198 + return -ENXIO; 199 + } 196 200 197 201 static inline int rpmsg_register_device(struct rpmsg_device *rpdev) 198 202 {