When allocating a new mcb_bus the bus_type is added to the mcb_bus
itself, causing an issue when calling mcb_bus_add_devices().
This function is called not only for each mcb_device under the
mcb_bus but also for the bus itself.
This causes a crash when freeing the ida resources as the bus numbering
gets corrupted due to a wrong cast of structs mcb_bus and mcb_device.
Make the release of the mcb devices and their mcb bus explicit.
Co-developed-by: Jorge Sanjuan Garcia <[email protected]>
Signed-off-by: Jorge Sanjuan Garcia <[email protected]>
Signed-off-by: Javier Rodriguez <[email protected]>
---
drivers/mcb/mcb-core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/mcb/mcb-core.c b/drivers/mcb/mcb-core.c
index 978fdfc19a06..d4535b8aea1d 100644
--- a/drivers/mcb/mcb-core.c
+++ b/drivers/mcb/mcb-core.c
@@ -251,6 +251,12 @@ int mcb_device_register(struct mcb_bus *bus, struct mcb_device *dev)
}
EXPORT_SYMBOL_NS_GPL(mcb_device_register, MCB);
+
+static void mcb_bus_unregister(struct mcb_bus *bus)
+{
+ device_unregister(&bus->dev);
+}
+
static void mcb_free_bus(struct device *dev)
{
struct mcb_bus *bus = to_mcb_bus(dev);
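Review bot: The new mcb_bus_unregister() at lines 22-25 carries no comment on which reference it drops or how it relates to the mcb_free_bus() release callback defined right after it, so a one-line wrapper around device_unregister() reads as arbitrary. device_unregister() detaches the device and drops a reference on it, which is what lets mcb_free_bus() run from this path once no other holder remains; a comment such as `/* Detach the bus device and drop the reference taken in mcb_alloc_bus(); mcb_free_bus() runs once the last reference is gone. */` above the definition would make the intended ownership visible. mcb_free_bus()'s body continues outside the hunk.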
@@ -286,7 +292,6 @@ struct mcb_bus *mcb_alloc_bus(struct device *carrier)
device_initialize(&bus->dev);
bus->dev.parent = carrier;
- bus->dev.bus = &mcb_bus_type;
bus->dev.type = &mcb_carrier_device_type;
bus->dev.release = &mcb_free_bus;
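Review bot: Removing the bus_type assignment at line 33 fixes the crash only indirectly — the bus device drops out of the mcb_bus_type device list so mcb_bus_add_devices() no longer visits it — while the cast of the visited struct device to struct mcb_device in mcb_bus_add_devices() (outside this diff, described in the commit message) stays unguarded against any other non-mcb_device child. A more robust fix for the described bug would keep the bus_type and have that callback skip the carrier device before casting, e.g. `if (dev->type == &mcb_carrier_device_type) return 0;`, since line 34 shows that type is set on the bus device. The enclosing mcb_alloc_bus() starts and ends outside the hunk.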
@@ -322,6 +327,7 @@ static void mcb_devices_unregister(struct mcb_bus *bus)
void mcb_release_bus(struct mcb_bus *bus)
{
mcb_devices_unregister(bus);
+ mcb_bus_unregister(bus);
}
EXPORT_SYMBOL_NS_GPL(mcb_release_bus, MCB);
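Review bot: The added mcb_bus_unregister(bus) at line 40 makes mcb_release_bus() drop a reference on the bus device through device_unregister(), but nothing in the patch removes the put_device() that some caller already issues on the same device — the posted trace shows mcb_free_bus() reached from put_device() today, presumably from a carrier driver. If that caller still does its own put after mcb_release_bus(), the reference is dropped twice and mcb_free_bus() can run while the bus is still in use; the matching caller-side change belongs in this patch, or the comment on mcb_release_bus() should state that it now consumes the caller's reference. device_unregister() also presumes the bus device was device_add()ed, which this diff does not show for mcb_alloc_bus(); if it is only device_initialize()d, put_device() is the matching call.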
--
2.34.1
On Mon, Jul 10, 2023 at 04:57:52PM +0200, Johannes Thumshirn wrote:
> From: Rodríguez Barbarin, José Javier <[email protected]>
This does not match your signed-off-by line.
>
> When allocating a new mcb_bus the bus_type is added to the mcb_bus
> itself, causing an issue when calling mcb_bus_add_devices().
> This function is not only called for each mcb_device under the
> mcb_bus but for the bus itself.
>
> This causes a crash when freeing the ida resources as the bus numbering
> gets corrupted due to a wrong cast of structs mcb_bus and mcb_device.
>
> Make the release of the mcb devices and their mcb bus explicit.
>
> Co-developed-by: Jorge Sanjuan Garcia <[email protected]>
> Signed-off-by: Jorge Sanjuan Garcia <[email protected]>
> Signed-off-by: Javier Rodriguez <[email protected]>
> Signed-off-by: Johannes Thumshirn <[email protected]>
> ---
What commit id does this fix?
> drivers/mcb/mcb-core.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/mcb/mcb-core.c b/drivers/mcb/mcb-core.c
> index 978fdfc19a06..d4535b8aea1d 100644
> --- a/drivers/mcb/mcb-core.c
> +++ b/drivers/mcb/mcb-core.c
> @@ -251,6 +251,12 @@ int mcb_device_register(struct mcb_bus *bus, struct mcb_device *dev)
> }
> EXPORT_SYMBOL_NS_GPL(mcb_device_register, MCB);
>
> +
> +static void mcb_bus_unregister(struct mcb_bus *bus)
> +{
> + device_unregister(&bus->dev);
> +}
> +
> static void mcb_free_bus(struct device *dev)
> {
> struct mcb_bus *bus = to_mcb_bus(dev);
> @@ -286,7 +292,6 @@ struct mcb_bus *mcb_alloc_bus(struct device *carrier)
>
> device_initialize(&bus->dev);
> bus->dev.parent = carrier;
> - bus->dev.bus = &mcb_bus_type;
So what bus type does this device now belong to?
> bus->dev.type = &mcb_carrier_device_type;
> bus->dev.release = &mcb_free_bus;
>
> @@ -322,6 +327,7 @@ static void mcb_devices_unregister(struct mcb_bus *bus)
> void mcb_release_bus(struct mcb_bus *bus)
> {
> mcb_devices_unregister(bus);
> + mcb_bus_unregister(bus);
thanks.
greg k-h
When allocating a new mcb_bus the bus_type is added to the mcb_bus itself,
causing an issue when calling mcb_bus_add_devices(). This function is not
only called for each mcb_device under the mcb_bus but for the bus itself.
The crash happens when the mcb_core module is removed, producing
the following error:
[ 286.691693] ------------[ cut here ]------------
[ 286.691695] ida_free called for id=1 which is not allocated.
[ 286.691714] WARNING: CPU: 0 PID: 1719 at lib/idr.c:523 ida_free+0xe0/0x140
[ 286.691715] Modules linked in: snd_hda_codec_hdmi amd64_edac_mod snd_hda_intel edac_mce_amd snd_intel_dspcfg kvm_amd snd_hda_codec amdgpu nls_iso8859_1 ccp snd_hda_core snd_hwdep amd_iommu_v2 kvm snd_pcm gpu_sched crct10dif_pclmul crc32_pclmul snd_seq_midi snd_seq_midi_event ghash_clmulni_intel ttm snd_rawmidi aesni_intel snd_seq binfmt_misc crypto_simd cryptd glue_helper drm_kms_helper snd_seq_device snd_timer drm snd k10temp fb_sys_fops syscopyarea sysfillrect sysimgblt snd_rn_pci_acp3x mcb_pci(-) snd_pci_acp3x soundcore altera_cvp fpga_mgr mcb spi_nor mtd 8250_dw mac_hid sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 mmc_block nvme ahci i2c_piix4 libahci i2c_amd_mp2_pci igb nvme_core i2c_algo_bit dca video sdhci_acpi sdhci [last unloaded: 8250_men_mcb]
[ 286.691752] CPU: 0 PID: 1719 Comm: modprobe Not tainted 5.4.702+ #11
[ 286.691753] Hardware name: MEN F027/n/a, BIOS 1.03 04/20/2021
[ 286.691756] RIP: 0010:ida_free+0xe0/0x140
[ 286.691759] Code: a8 31 f6 e8 12 f7 00 00 eb 4b 4c 0f a3 28 72 21 48 8b 7d a8 4c 89 f6 e8 8e ad 02 00 89 de 48 c7 c7 e8 02 83 b5 e8 b0 7a 5d ff <0f> 0b e9 67 ff ff ff 4c 0f b3 28 48 8d 7d a8 31 f6 e8 da e0 00 00
[ 286.691761] RSP: 0018:ffff9a56c38f7bd8 EFLAGS: 00010282
[ 286.691763] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000006
[ 286.691764] RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff8d881fa1c8c0
[ 286.691765] RBP: ffff9a56c38f7c30 R08: 0000000000000487 R09: 0000000000000004
[ 286.691766] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
[ 286.691767] R13: 0000000000000001 R14: 0000000000000202 R15: 0000000000000001
[ 286.691769] FS: 00007fb78e303540(0000) GS:ffff8d881fa00000(0000) knlGS:0000000000000000
[ 286.691770] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 286.691771] CR2: 00007ffe92b2ce98 CR3: 000000079fd9c000 CR4: 00000000003406f0
[ 286.691772] Call Trace:
[ 286.691781] mcb_free_bus+0x2b/0x40 [mcb]
[ 286.691785] device_release+0x2c/0x80
[ 286.691787] kobject_put+0xb9/0x1d0
[ 286.691790] put_device+0x13/0x20
As mcb_bus_add_devices() is called for the mcb_bus itself, the function
tries to cast the incorrectly passed struct mcb_bus to mcb_device. Both
structs have the same layout:
struct mcb_bus {
struct device dev;
struct device *carrier;
int bus_nr;
...
};
struct mcb_device {
struct device dev;
struct mcb_bus *bus;
bool is_added;
...
};
This incorrect cast causes wrong behaviour in
mcb_bus_add_devices(), where the member bus_nr is read as is_added,
meaning that when bus_nr is "0" the function continues and sets bus_nr
to "1" (is_added = true).
If we have 2 buses (one for each F215 board), ida_alloc() will give
the values "0" and "1" to each bus respectively, but as both buses are
themselves included in the devices' lists, after the call to
mcb_bus_add_devices() both buses will have the value "1". For this
reason, when the mcb-core module is removed, the error is raised because
the ida resource with value "1" is released twice, while the ida
resource with value "0" is leaked.
changes for V2:
* create a dedicated bus_type for mcb_bus and mcb_device structs
instead of removing bus_type for mcb_bus.
This patch is based on linux-next (next-20230817)
Jose Javier Rodriguez Barbarin (1):
mcb: create dedicated bus_type for mcb_bus and mcb_device
drivers/mcb/mcb-core.c | 43 ++++++++++++++++++++++++++++++++++++------
1 file changed, 37 insertions(+), 6 deletions(-)
--
2.34.1