2021-08-16 10:16:24

by Jiazi Li

Subject: [PATCH] char: misc: init list head only when needed

If a module successfully registers a misc device and then, due to
some bug, registers a misc device at the same address again, the
init of the list head will corrupt misc_list, resulting in an oops
when misc_list is used.

In this scenario, do not init the list head. If registration is
successful, init of the list head is also not required.

Signed-off-by: Jiazi Li <[email protected]>
---
drivers/char/misc.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/drivers/char/misc.c b/drivers/char/misc.c
index ca5141e..2451640 100644
--- a/drivers/char/misc.c
+++ b/drivers/char/misc.c
@@ -176,7 +176,6 @@ int misc_register(struct miscdevice *misc)
int err = 0;
bool is_dynamic = (misc->minor == MISC_DYNAMIC_MINOR);

- INIT_LIST_HEAD(&misc->list);

mutex_lock(&misc_mtx);

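Review bot: Removing the INIT_LIST_HEAD(&misc->list) line at the top of misc_register() leaves two consecutive blank lines between the is_dynamic declaration and mutex_lock(&misc_mtx); drop one of them together with the call. The changelog should also say that misc->list is now written only by list_add() on success or at err2 on failure, and is left untouched on the err1 path.
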
@@ -185,7 +184,7 @@ int misc_register(struct miscdevice *misc)

if (i >= DYNAMIC_MINORS) {
err = -EBUSY;
- goto out;
+ goto err2;
}
misc->minor = DYNAMIC_MINORS - i - 1;
set_bit(i, misc_minors);
@@ -195,7 +194,13 @@ int misc_register(struct miscdevice *misc)
list_for_each_entry(c, &misc_list, list) {
if (c->minor == misc->minor) {
err = -EBUSY;
- goto out;
+ /*
+ * if module use same address double register,
+ * init list will corrupt misc_list
+ */
+ if (c == misc)
+ goto err1;
+ goto err2;
}
}
}
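Review bot: The comment added above `if (c == misc)` is hard to parse and does not say what is being skipped or why; wording such as "misc is already on misc_list, so re-initialising misc->list would break the list" states the reason directly. The double registration is also reported only as a silent -EBUSY here, so a WARN_ON(c == misc) at this point would identify the buggy caller rather than hide it.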
@@ -214,7 +219,7 @@ int misc_register(struct miscdevice *misc)
misc->minor = MISC_DYNAMIC_MINOR;
}
err = PTR_ERR(misc->this_device);
- goto out;
+ goto err2;
}

/*
@@ -222,7 +227,11 @@ int misc_register(struct miscdevice *misc)
* earlier defaults
*/
list_add(&misc->list, &misc_list);
- out:
+ mutex_unlock(&misc_mtx);
+ return 0;
+ err2:
+ INIT_LIST_HEAD(&misc->list);
+ err1:
mutex_unlock(&misc_mtx);
return err;
}
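Review bot: The labels err1 and err2 at the end of misc_register() do not say what each one undoes, and the success path now carries its own copy of mutex_unlock(&misc_mtx) and return. Descriptive label names (for example out_init and out_unlock) would make the gotos in the earlier hunks readable, and a one-line comment at err2 should say why INIT_LIST_HEAD(&misc->list) is run on the failure path.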
--
2.7.4


2021-09-04 06:34:23

by Greg Kroah-Hartman

Subject: Re: [PATCH] char: misc: init list head only when needed

On Mon, Aug 16, 2021 at 06:12:32PM +0800, Jiazi Li wrote:
> If a module successfully registers a misc device and then, due to
> some bug, registers a misc device at the same address again, the
> init of the list head will corrupt misc_list, resulting in an oops
> when misc_list is used.

Then fix those bugs that try to register the misc device more than once?

Does that happen in any in-kernel drivers or is this just a failure of
external drivers that are not submitted to the kernel tree?

> In this scenario, do not init the list head. If registration is
> successful, init of the list head is also not required.
>
> Signed-off-by: Jiazi Li <[email protected]>
> ---
> drivers/char/misc.c | 19 ++++++++++++++-----
> 1 file changed, 14 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/char/misc.c b/drivers/char/misc.c
> index ca5141e..2451640 100644
> --- a/drivers/char/misc.c
> +++ b/drivers/char/misc.c
> @@ -176,7 +176,6 @@ int misc_register(struct miscdevice *misc)
> int err = 0;
> bool is_dynamic = (misc->minor == MISC_DYNAMIC_MINOR);
>
> - INIT_LIST_HEAD(&misc->list);
>
> mutex_lock(&misc_mtx);
>
> @@ -185,7 +184,7 @@ int misc_register(struct miscdevice *misc)
>
> if (i >= DYNAMIC_MINORS) {
> err = -EBUSY;
> - goto out;
> + goto err2;
> }
> misc->minor = DYNAMIC_MINORS - i - 1;
> set_bit(i, misc_minors);
> @@ -195,7 +194,13 @@ int misc_register(struct miscdevice *misc)
> list_for_each_entry(c, &misc_list, list) {
> if (c->minor == misc->minor) {
> err = -EBUSY;
> - goto out;
> + /*
> + * if module use same address double register,
> + * init list will corrupt misc_list

I do not understand the text here at all, sorry.

thanks,

greg k-h
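
The list corruption the patch description refers to, as an added example that is not part of the original thread or of the kernel source. It assumes simplified userspace copies of the kernel's circular list helpers; list_count(), list_contains() and double_register() are hypothetical names, and the nodes are constructed sample data.

```c
#include <stdio.h>
/* Simplified userspace copies of the kernel's circular list helpers. */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }

static void list_add(struct list_head *n, struct list_head *head)
{
	n->next = head->next;
	n->prev = head;
	head->next->prev = n;
	head->next = n;
}

/* Entries reachable from head, or -1 if the walk never returns to head. */
static int list_count(const struct list_head *head, int limit)
{
	int n = 0;
	for (const struct list_head *p = head->next; p != head; p = p->next)
		if (++n > limit)
			return -1;
	return n;
}

/* Hypothetical helper: is n already linked on head? */
static int list_contains(const struct list_head *head, const struct list_head *n)
{
	for (const struct list_head *p = head->next; p != head; p = p->next)
		if (p == n)
			return 1;
	return 0;
}

/* Constructed scenario: node b is "registered" twice on the same list. */
static int double_register(int guarded)
{
	struct list_head head, a, b;
	INIT_LIST_HEAD(&head);
	INIT_LIST_HEAD(&a); list_add(&a, &head);
	INIT_LIST_HEAD(&b); list_add(&b, &head);	/* head -> b -> a -> head */
	/* Second registration: init b unless the guard sees it is linked. */
	if (!guarded || !list_contains(&head, &b))
		INIT_LIST_HEAD(&b);	/* b.next == &b, so a is unreachable */
	return list_count(&head, 16);
}

int main(void)
{
	return printf("unguarded: %d, guarded: %d\n",
		      double_register(0), double_register(1)) < 0;
}
```

Without the guard, the head still points at b while b points only at itself, so a walk from the head never terminates and every entry behind b is lost.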