linux/drivers/memstick/core/memstick.c

663 lines
16 KiB
C
Raw Normal View History

// SPDX-License-Identifier: GPL-2.0-only
/*
* Sony MemoryStick support
*
* Copyright (C) 2007 Alex Dubov <oakad@yahoo.com>
*
* Special thanks to Carlos Corbacho for providing various MemoryStick cards
* that made this driver possible.
*/
#include <linux/memstick.h>
#include <linux/idr.h>
#include <linux/fs.h>
#include <linux/delay.h>
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h percpu.h is included by sched.h and module.h and thus ends up being included when building most .c files. percpu.h includes slab.h which in turn includes gfp.h making everything defined by the two files universally available and complicating inclusion dependencies. percpu.h -> slab.h dependency is about to be removed. Prepare for this change by updating users of gfp and slab facilities include those headers directly instead of assuming availability. As this conversion needs to touch large number of source files, the following script is used as the basis of conversion. http://userweb.kernel.org/~tj/misc/slabh-sweep.py The script does the followings. * Scan files for gfp and slab usages and update includes such that only the necessary includes are there. ie. if only gfp is used, gfp.h, if slab is used, slab.h. * When the script inserts a new include, it looks at the include blocks and try to put the new include such that its order conforms to its surrounding. It's put in the include block which contains core kernel includes, in the same order that the rest are ordered - alphabetical, Christmas tree, rev-Xmas-tree or at the end if there doesn't seem to be any matching order. * If the script can't find a place to put a new include (mostly because the file doesn't have fitting include block), it prints out an error message indicating which .h file needs to be added to the file. The conversion was done in the following steps. 1. The initial automatic conversion of all .c files updated slightly over 4000 files, deleting around 700 includes and adding ~480 gfp.h and ~3000 slab.h inclusions. The script emitted errors for ~400 files. 2. Each error was manually checked. Some didn't need the inclusion, some needed manual addition while adding it to implementation .h or embedding .c file was more appropriate for others. This step added inclusions to around 150 files. 3. The script was run again and the output was compared to the edits from #2 to make sure no file was left behind. 4. Several build tests were done and a couple of problems were fixed. e.g. lib/decompress_*.c used malloc/free() wrappers around slab APIs requiring slab.h to be added manually. 5. The script was run on all .h files but without automatically editing them as sprinkling gfp.h and slab.h inclusions around .h files could easily lead to inclusion dependency hell. Most gfp.h inclusion directives were ignored as stuff from gfp.h was usually wildly available and often used in preprocessor macros. Each slab.h inclusion directive was examined and added manually as necessary. 6. percpu.h was updated not to include slab.h. 7. Build test were done on the following configurations and failures were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my distributed build env didn't work with gcov compiles) and a few more options had to be turned off depending on archs to make things build (like ipr on powerpc/64 which failed due to missing writeq). * x86 and x86_64 UP and SMP allmodconfig and a custom test config. * powerpc and powerpc64 SMP allmodconfig * sparc and sparc64 SMP allmodconfig * ia64 SMP allmodconfig * s390 SMP allmodconfig * alpha SMP allmodconfig * um on x86_64 SMP allmodconfig 8. percpu.h modifications were reverted so that it could be applied as a separate patch and serve as bisection point. Given the fact that I had only a couple of failures from tests on step 6, I'm fairly confident about the coverage of this conversion patch. If there is a breakage, it's likely to be something in one of the arch headers which should be easily discoverable easily on most builds of the specific arch. Signed-off-by: Tejun Heo <tj@kernel.org> Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 11:04:11 +03:00
#include <linux/slab.h>
#include <linux/module.h>
#include <linux/pm_runtime.h>
#define DRIVER_NAME "memstick"
static unsigned int cmd_retries = 3;
module_param(cmd_retries, uint, 0644);
static struct workqueue_struct *workqueue;
static DEFINE_IDR(memstick_host_idr);
static DEFINE_SPINLOCK(memstick_host_lock);
static int memstick_dev_match(struct memstick_dev *card,
struct memstick_device_id *id)
{
if (id->match_flags & MEMSTICK_MATCH_ALL) {
if ((id->type == card->id.type)
&& (id->category == card->id.category)
&& (id->class == card->id.class))
return 1;
}
return 0;
}
static int memstick_bus_match(struct device *dev, struct device_driver *drv)
{
struct memstick_dev *card = container_of(dev, struct memstick_dev,
dev);
struct memstick_driver *ms_drv = container_of(drv,
struct memstick_driver,
driver);
struct memstick_device_id *ids = ms_drv->id_table;
if (ids) {
while (ids->match_flags) {
if (memstick_dev_match(card, ids))
return 1;
++ids;
}
}
return 0;
}
static int memstick_uevent(struct device *dev, struct kobj_uevent_env *env)
{
struct memstick_dev *card = container_of(dev, struct memstick_dev,
dev);
if (add_uevent_var(env, "MEMSTICK_TYPE=%02X", card->id.type))
return -ENOMEM;
if (add_uevent_var(env, "MEMSTICK_CATEGORY=%02X", card->id.category))
return -ENOMEM;
if (add_uevent_var(env, "MEMSTICK_CLASS=%02X", card->id.class))
return -ENOMEM;
return 0;
}
static int memstick_device_probe(struct device *dev)
{
struct memstick_dev *card = container_of(dev, struct memstick_dev,
dev);
struct memstick_driver *drv = container_of(dev->driver,
struct memstick_driver,
driver);
int rc = -ENODEV;
if (dev->driver && drv->probe) {
rc = drv->probe(card);
if (!rc)
get_device(dev);
}
return rc;
}
static int memstick_device_remove(struct device *dev)
{
struct memstick_dev *card = container_of(dev, struct memstick_dev,
dev);
struct memstick_driver *drv = container_of(dev->driver,
struct memstick_driver,
driver);
if (dev->driver && drv->remove) {
drv->remove(card);
card->dev.driver = NULL;
}
put_device(dev);
return 0;
}
#ifdef CONFIG_PM
static int memstick_device_suspend(struct device *dev, pm_message_t state)
{
struct memstick_dev *card = container_of(dev, struct memstick_dev,
dev);
struct memstick_driver *drv = container_of(dev->driver,
struct memstick_driver,
driver);
if (dev->driver && drv->suspend)
return drv->suspend(card, state);
return 0;
}
static int memstick_device_resume(struct device *dev)
{
struct memstick_dev *card = container_of(dev, struct memstick_dev,
dev);
struct memstick_driver *drv = container_of(dev->driver,
struct memstick_driver,
driver);
if (dev->driver && drv->resume)
return drv->resume(card);
return 0;
}
#else
#define memstick_device_suspend NULL
#define memstick_device_resume NULL
#endif /* CONFIG_PM */
#define MEMSTICK_ATTR(name, format) \
static ssize_t name##_show(struct device *dev, struct device_attribute *attr, \
char *buf) \
{ \
struct memstick_dev *card = container_of(dev, struct memstick_dev, \
dev); \
return sprintf(buf, format, card->id.name); \
} \
static DEVICE_ATTR_RO(name);
MEMSTICK_ATTR(type, "%02X");
MEMSTICK_ATTR(category, "%02X");
MEMSTICK_ATTR(class, "%02X");
static struct attribute *memstick_dev_attrs[] = {
&dev_attr_type.attr,
&dev_attr_category.attr,
&dev_attr_class.attr,
NULL,
};
ATTRIBUTE_GROUPS(memstick_dev);
static struct bus_type memstick_bus_type = {
.name = "memstick",
.dev_groups = memstick_dev_groups,
.match = memstick_bus_match,
.uevent = memstick_uevent,
.probe = memstick_device_probe,
.remove = memstick_device_remove,
.suspend = memstick_device_suspend,
.resume = memstick_device_resume
};
static void memstick_free(struct device *dev)
{
struct memstick_host *host = container_of(dev, struct memstick_host,
dev);
kfree(host);
}
static struct class memstick_host_class = {
.name = "memstick_host",
.dev_release = memstick_free
};
static void memstick_free_card(struct device *dev)
{
struct memstick_dev *card = container_of(dev, struct memstick_dev,
dev);
kfree(card);
}
static int memstick_dummy_check(struct memstick_dev *card)
{
return 0;
}
/**
* memstick_detect_change - schedule media detection on memstick host
* @host - host to use
*/
void memstick_detect_change(struct memstick_host *host)
{
queue_work(workqueue, &host->media_checker);
}
EXPORT_SYMBOL(memstick_detect_change);
/**
* memstick_next_req - called by host driver to obtain next request to process
* @host - host to use
* @mrq - pointer to stick the request to
*
* Host calls this function from idle state (*mrq == NULL) or after finishing
* previous request (*mrq should point to it). If previous request was
* unsuccessful, it is retried for predetermined number of times. Return value
* of 0 means that new request was assigned to the host.
*/
int memstick_next_req(struct memstick_host *host, struct memstick_request **mrq)
{
int rc = -ENXIO;
if ((*mrq) && (*mrq)->error && host->retries) {
(*mrq)->error = rc;
host->retries--;
return 0;
}
if (host->card && host->card->next_request)
rc = host->card->next_request(host->card, mrq);
if (!rc)
host->retries = cmd_retries > 1 ? cmd_retries - 1 : 1;
else
*mrq = NULL;
return rc;
}
EXPORT_SYMBOL(memstick_next_req);
/**
* memstick_new_req - notify the host that some requests are pending
* @host - host to use
*/
void memstick_new_req(struct memstick_host *host)
{
if (host->card) {
host->retries = cmd_retries;
reinit_completion(&host->card->mrq_complete);
host->request(host);
}
}
EXPORT_SYMBOL(memstick_new_req);
/**
* memstick_init_req_sg - set request fields needed for bulk data transfer
* @mrq - request to use
* @tpc - memstick Transport Protocol Command
* @sg - TPC argument
*/
void memstick_init_req_sg(struct memstick_request *mrq, unsigned char tpc,
const struct scatterlist *sg)
{
mrq->tpc = tpc;
if (tpc & 8)
mrq->data_dir = WRITE;
else
mrq->data_dir = READ;
mrq->sg = *sg;
mrq->long_data = 1;
if (tpc == MS_TPC_SET_CMD || tpc == MS_TPC_EX_SET_CMD)
mrq->need_card_int = 1;
else
mrq->need_card_int = 0;
}
EXPORT_SYMBOL(memstick_init_req_sg);
/**
* memstick_init_req - set request fields needed for short data transfer
* @mrq - request to use
* @tpc - memstick Transport Protocol Command
* @buf - TPC argument buffer
* @length - TPC argument size
*
* The intended use of this function (transfer of data items several bytes
* in size) allows us to just copy the value between request structure and
* user supplied buffer.
*/
void memstick_init_req(struct memstick_request *mrq, unsigned char tpc,
const void *buf, size_t length)
{
mrq->tpc = tpc;
if (tpc & 8)
mrq->data_dir = WRITE;
else
mrq->data_dir = READ;
mrq->data_len = length > sizeof(mrq->data) ? sizeof(mrq->data) : length;
if (mrq->data_dir == WRITE)
memcpy(mrq->data, buf, mrq->data_len);
mrq->long_data = 0;
if (tpc == MS_TPC_SET_CMD || tpc == MS_TPC_EX_SET_CMD)
mrq->need_card_int = 1;
else
mrq->need_card_int = 0;
}
EXPORT_SYMBOL(memstick_init_req);
/*
* Functions prefixed with "h_" are protocol callbacks. They can be called from
* interrupt context. Return value of 0 means that request processing is still
* ongoing, while special error value of -EAGAIN means that current request is
* finished (and request processor should come back some time later).
*/
static int h_memstick_read_dev_id(struct memstick_dev *card,
struct memstick_request **mrq)
{
struct ms_id_register id_reg;
if (!(*mrq)) {
memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg,
sizeof(struct ms_id_register));
*mrq = &card->current_mrq;
return 0;
} else {
if (!(*mrq)->error) {
memcpy(&id_reg, (*mrq)->data, sizeof(id_reg));
card->id.match_flags = MEMSTICK_MATCH_ALL;
card->id.type = id_reg.type;
card->id.category = id_reg.category;
card->id.class = id_reg.class;
dev_dbg(&card->dev, "if_mode = %02x\n", id_reg.if_mode);
}
complete(&card->mrq_complete);
return -EAGAIN;
}
}
static int h_memstick_set_rw_addr(struct memstick_dev *card,
struct memstick_request **mrq)
{
if (!(*mrq)) {
memstick_init_req(&card->current_mrq, MS_TPC_SET_RW_REG_ADRS,
(char *)&card->reg_addr,
sizeof(card->reg_addr));
*mrq = &card->current_mrq;
return 0;
} else {
complete(&card->mrq_complete);
return -EAGAIN;
}
}
/**
* memstick_set_rw_addr - issue SET_RW_REG_ADDR request and wait for it to
* complete
* @card - media device to use
*/
int memstick_set_rw_addr(struct memstick_dev *card)
{
card->next_request = h_memstick_set_rw_addr;
memstick_new_req(card->host);
wait_for_completion(&card->mrq_complete);
return card->current_mrq.error;
}
EXPORT_SYMBOL(memstick_set_rw_addr);
static struct memstick_dev *memstick_alloc_card(struct memstick_host *host)
{
struct memstick_dev *card = kzalloc(sizeof(struct memstick_dev),
GFP_KERNEL);
struct memstick_dev *old_card = host->card;
struct ms_id_register id_reg;
if (card) {
card->host = host;
dev_set_name(&card->dev, "%s", dev_name(&host->dev));
card->dev.parent = &host->dev;
card->dev.bus = &memstick_bus_type;
card->dev.release = memstick_free_card;
card->check = memstick_dummy_check;
card->reg_addr.r_offset = offsetof(struct ms_register, id);
card->reg_addr.r_length = sizeof(id_reg);
card->reg_addr.w_offset = offsetof(struct ms_register, id);
card->reg_addr.w_length = sizeof(id_reg);
init_completion(&card->mrq_complete);
host->card = card;
if (memstick_set_rw_addr(card))
goto err_out;
card->next_request = h_memstick_read_dev_id;
memstick_new_req(host);
wait_for_completion(&card->mrq_complete);
if (card->current_mrq.error)
goto err_out;
}
host->card = old_card;
return card;
err_out:
host->card = old_card;
kfree(card);
return NULL;
}
static int memstick_power_on(struct memstick_host *host)
{
int rc = host->set_param(host, MEMSTICK_POWER, MEMSTICK_POWER_ON);
if (!rc)
rc = host->set_param(host, MEMSTICK_INTERFACE, MEMSTICK_SERIAL);
return rc;
}
static void memstick_check(struct work_struct *work)
{
struct memstick_host *host = container_of(work, struct memstick_host,
media_checker);
struct memstick_dev *card;
dev_dbg(&host->dev, "memstick_check started\n");
pm_runtime_get_noresume(host->dev.parent);
mutex_lock(&host->lock);
if (!host->card) {
if (memstick_power_on(host))
goto out_power_off;
} else if (host->card->stop)
host->card->stop(host->card);
if (host->removing)
goto out_power_off;
card = memstick_alloc_card(host);
if (!card) {
if (host->card) {
device_unregister(&host->card->dev);
host->card = NULL;
}
} else {
dev_dbg(&host->dev, "new card %02x, %02x, %02x\n",
card->id.type, card->id.category, card->id.class);
if (host->card) {
if (memstick_set_rw_addr(host->card)
|| !memstick_dev_match(host->card, &card->id)
|| !(host->card->check(host->card))) {
device_unregister(&host->card->dev);
host->card = NULL;
} else if (host->card->start)
host->card->start(host->card);
}
if (!host->card) {
host->card = card;
if (device_register(&card->dev)) {
put_device(&card->dev);
kfree(host->card);
host->card = NULL;
}
} else
kfree(card);
}
out_power_off:
if (!host->card)
host->set_param(host, MEMSTICK_POWER, MEMSTICK_POWER_OFF);
mutex_unlock(&host->lock);
pm_runtime_put(host->dev.parent);
dev_dbg(&host->dev, "memstick_check finished\n");
}
/**
* memstick_alloc_host - allocate a memstick_host structure
* @extra: size of the user private data to allocate
* @dev: parent device of the host
*/
struct memstick_host *memstick_alloc_host(unsigned int extra,
struct device *dev)
{
struct memstick_host *host;
host = kzalloc(sizeof(struct memstick_host) + extra, GFP_KERNEL);
if (host) {
mutex_init(&host->lock);
INIT_WORK(&host->media_checker, memstick_check);
host->dev.class = &memstick_host_class;
host->dev.parent = dev;
device_initialize(&host->dev);
}
return host;
}
EXPORT_SYMBOL(memstick_alloc_host);
/**
* memstick_add_host - start request processing on memstick host
* @host - host to use
*/
int memstick_add_host(struct memstick_host *host)
{
int rc;
idr_preload(GFP_KERNEL);
spin_lock(&memstick_host_lock);
rc = idr_alloc(&memstick_host_idr, host, 0, 0, GFP_NOWAIT);
if (rc >= 0)
host->id = rc;
spin_unlock(&memstick_host_lock);
idr_preload_end();
if (rc < 0)
return rc;
dev_set_name(&host->dev, "memstick%u", host->id);
rc = device_add(&host->dev);
if (rc) {
spin_lock(&memstick_host_lock);
idr_remove(&memstick_host_idr, host->id);
spin_unlock(&memstick_host_lock);
return rc;
}
host->set_param(host, MEMSTICK_POWER, MEMSTICK_POWER_OFF);
memstick_detect_change(host);
return 0;
}
EXPORT_SYMBOL(memstick_add_host);
/**
* memstick_remove_host - stop request processing on memstick host
* @host - host to use
*/
void memstick_remove_host(struct memstick_host *host)
{
host->removing = 1;
flush_workqueue(workqueue);
mutex_lock(&host->lock);
if (host->card)
device_unregister(&host->card->dev);
host->card = NULL;
host->set_param(host, MEMSTICK_POWER, MEMSTICK_POWER_OFF);
mutex_unlock(&host->lock);
spin_lock(&memstick_host_lock);
idr_remove(&memstick_host_idr, host->id);
spin_unlock(&memstick_host_lock);
device_del(&host->dev);
}
EXPORT_SYMBOL(memstick_remove_host);
/**
* memstick_free_host - free memstick host
* @host - host to use
*/
void memstick_free_host(struct memstick_host *host)
{
mutex_destroy(&host->lock);
put_device(&host->dev);
}
EXPORT_SYMBOL(memstick_free_host);
/**
* memstick_suspend_host - notify bus driver of host suspension
* @host - host to use
*/
void memstick_suspend_host(struct memstick_host *host)
{
mutex_lock(&host->lock);
host->set_param(host, MEMSTICK_POWER, MEMSTICK_POWER_OFF);
mutex_unlock(&host->lock);
}
EXPORT_SYMBOL(memstick_suspend_host);
/**
* memstick_resume_host - notify bus driver of host resumption
* @host - host to use
*/
void memstick_resume_host(struct memstick_host *host)
{
int rc = 0;
mutex_lock(&host->lock);
if (host->card)
rc = memstick_power_on(host);
mutex_unlock(&host->lock);
if (!rc)
memstick_detect_change(host);
}
EXPORT_SYMBOL(memstick_resume_host);
int memstick_register_driver(struct memstick_driver *drv)
{
drv->driver.bus = &memstick_bus_type;
return driver_register(&drv->driver);
}
EXPORT_SYMBOL(memstick_register_driver);
void memstick_unregister_driver(struct memstick_driver *drv)
{
driver_unregister(&drv->driver);
}
EXPORT_SYMBOL(memstick_unregister_driver);
static int __init memstick_init(void)
{
int rc;
workqueue = create_freezable_workqueue("kmemstick");
if (!workqueue)
return -ENOMEM;
rc = bus_register(&memstick_bus_type);
memstick: Fix error cleanup path of memstick_init If bus_register fails. On its error handling path, it has cleaned up what it has done. There is no need to call bus_unregister again. Otherwise, if bus_unregister is called, issues such as null-ptr-deref will arise. Syzkaller report this: kobject_add_internal failed for memstick (error: -12 parent: bus) BUG: KASAN: null-ptr-deref in sysfs_remove_file_ns+0x1b/0x40 fs/sysfs/file.c:467 Read of size 8 at addr 0000000000000078 by task syz-executor.0/4460 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xa9/0x10e lib/dump_stack.c:113 __kasan_report+0x171/0x18d mm/kasan/report.c:321 kasan_report+0xe/0x20 mm/kasan/common.c:614 sysfs_remove_file_ns+0x1b/0x40 fs/sysfs/file.c:467 sysfs_remove_file include/linux/sysfs.h:519 [inline] bus_remove_file+0x6c/0x90 drivers/base/bus.c:145 remove_probe_files drivers/base/bus.c:599 [inline] bus_unregister+0x6e/0x100 drivers/base/bus.c:916 ? 0xffffffffc1590000 memstick_init+0x7a/0x1000 [memstick] do_one_initcall+0xb9/0x3b5 init/main.c:914 do_init_module+0xe0/0x330 kernel/module.c:3468 load_module+0x38eb/0x4270 kernel/module.c:3819 __do_sys_finit_module+0x162/0x190 kernel/module.c:3909 do_syscall_64+0x72/0x2a0 arch/x86/entry/common.c:298 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: baf8532a147d ("memstick: initial commit for Sony MemoryStick support") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Wang Hai <wanghai26@huawei.com> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
2019-05-15 17:37:25 +03:00
if (rc)
goto error_destroy_workqueue;
memstick: Fix error cleanup path of memstick_init If bus_register fails. On its error handling path, it has cleaned up what it has done. There is no need to call bus_unregister again. Otherwise, if bus_unregister is called, issues such as null-ptr-deref will arise. Syzkaller report this: kobject_add_internal failed for memstick (error: -12 parent: bus) BUG: KASAN: null-ptr-deref in sysfs_remove_file_ns+0x1b/0x40 fs/sysfs/file.c:467 Read of size 8 at addr 0000000000000078 by task syz-executor.0/4460 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xa9/0x10e lib/dump_stack.c:113 __kasan_report+0x171/0x18d mm/kasan/report.c:321 kasan_report+0xe/0x20 mm/kasan/common.c:614 sysfs_remove_file_ns+0x1b/0x40 fs/sysfs/file.c:467 sysfs_remove_file include/linux/sysfs.h:519 [inline] bus_remove_file+0x6c/0x90 drivers/base/bus.c:145 remove_probe_files drivers/base/bus.c:599 [inline] bus_unregister+0x6e/0x100 drivers/base/bus.c:916 ? 0xffffffffc1590000 memstick_init+0x7a/0x1000 [memstick] do_one_initcall+0xb9/0x3b5 init/main.c:914 do_init_module+0xe0/0x330 kernel/module.c:3468 load_module+0x38eb/0x4270 kernel/module.c:3819 __do_sys_finit_module+0x162/0x190 kernel/module.c:3909 do_syscall_64+0x72/0x2a0 arch/x86/entry/common.c:298 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: baf8532a147d ("memstick: initial commit for Sony MemoryStick support") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Wang Hai <wanghai26@huawei.com> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
2019-05-15 17:37:25 +03:00
rc = class_register(&memstick_host_class);
if (rc)
goto error_bus_unregister;
return 0;
memstick: Fix error cleanup path of memstick_init If bus_register fails. On its error handling path, it has cleaned up what it has done. There is no need to call bus_unregister again. Otherwise, if bus_unregister is called, issues such as null-ptr-deref will arise. Syzkaller report this: kobject_add_internal failed for memstick (error: -12 parent: bus) BUG: KASAN: null-ptr-deref in sysfs_remove_file_ns+0x1b/0x40 fs/sysfs/file.c:467 Read of size 8 at addr 0000000000000078 by task syz-executor.0/4460 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xa9/0x10e lib/dump_stack.c:113 __kasan_report+0x171/0x18d mm/kasan/report.c:321 kasan_report+0xe/0x20 mm/kasan/common.c:614 sysfs_remove_file_ns+0x1b/0x40 fs/sysfs/file.c:467 sysfs_remove_file include/linux/sysfs.h:519 [inline] bus_remove_file+0x6c/0x90 drivers/base/bus.c:145 remove_probe_files drivers/base/bus.c:599 [inline] bus_unregister+0x6e/0x100 drivers/base/bus.c:916 ? 0xffffffffc1590000 memstick_init+0x7a/0x1000 [memstick] do_one_initcall+0xb9/0x3b5 init/main.c:914 do_init_module+0xe0/0x330 kernel/module.c:3468 load_module+0x38eb/0x4270 kernel/module.c:3819 __do_sys_finit_module+0x162/0x190 kernel/module.c:3909 do_syscall_64+0x72/0x2a0 arch/x86/entry/common.c:298 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: baf8532a147d ("memstick: initial commit for Sony MemoryStick support") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Wang Hai <wanghai26@huawei.com> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
2019-05-15 17:37:25 +03:00
error_bus_unregister:
bus_unregister(&memstick_bus_type);
memstick: Fix error cleanup path of memstick_init If bus_register fails. On its error handling path, it has cleaned up what it has done. There is no need to call bus_unregister again. Otherwise, if bus_unregister is called, issues such as null-ptr-deref will arise. Syzkaller report this: kobject_add_internal failed for memstick (error: -12 parent: bus) BUG: KASAN: null-ptr-deref in sysfs_remove_file_ns+0x1b/0x40 fs/sysfs/file.c:467 Read of size 8 at addr 0000000000000078 by task syz-executor.0/4460 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xa9/0x10e lib/dump_stack.c:113 __kasan_report+0x171/0x18d mm/kasan/report.c:321 kasan_report+0xe/0x20 mm/kasan/common.c:614 sysfs_remove_file_ns+0x1b/0x40 fs/sysfs/file.c:467 sysfs_remove_file include/linux/sysfs.h:519 [inline] bus_remove_file+0x6c/0x90 drivers/base/bus.c:145 remove_probe_files drivers/base/bus.c:599 [inline] bus_unregister+0x6e/0x100 drivers/base/bus.c:916 ? 0xffffffffc1590000 memstick_init+0x7a/0x1000 [memstick] do_one_initcall+0xb9/0x3b5 init/main.c:914 do_init_module+0xe0/0x330 kernel/module.c:3468 load_module+0x38eb/0x4270 kernel/module.c:3819 __do_sys_finit_module+0x162/0x190 kernel/module.c:3909 do_syscall_64+0x72/0x2a0 arch/x86/entry/common.c:298 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: baf8532a147d ("memstick: initial commit for Sony MemoryStick support") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Wang Hai <wanghai26@huawei.com> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
2019-05-15 17:37:25 +03:00
error_destroy_workqueue:
destroy_workqueue(workqueue);
return rc;
}
static void __exit memstick_exit(void)
{
class_unregister(&memstick_host_class);
bus_unregister(&memstick_bus_type);
destroy_workqueue(workqueue);
idr_destroy(&memstick_host_idr);
}
module_init(memstick_init);
module_exit(memstick_exit);
MODULE_AUTHOR("Alex Dubov");
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Sony MemoryStick core driver");