Commit Graph

25 Commits

Author SHA1 Message Date
Dan Carpenter
8fe72b76db mailbox: mailbox-test: fix a locking issue in mbox_test_message_write()
There was a bug where this code forgot to unlock the tdev->mutex if the
kzalloc() failed.  Fix this issue, by moving the allocation outside the
lock.

Fixes: 2d1e952a2b ("mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2023-05-31 13:26:44 -05:00
Lee Jones
2d1e952a2b mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()
If a user can make copy_from_user() fail, there is a potential for
UAF/DF due to a lack of locking around the allocation, use and freeing
of the data buffers.

This issue is not theoretical.  I managed to author a POC for it:

    BUG: KASAN: double-free in kfree+0x5c/0xac
    Free of addr ffff29280be5de00 by task poc/356
    CPU: 1 PID: 356 Comm: poc Not tainted 6.1.0-00001-g961aa6552c04-dirty #20
    Hardware name: linux,dummy-virt (DT)
    Call trace:
     dump_backtrace.part.0+0xe0/0xf0
     show_stack+0x18/0x40
     dump_stack_lvl+0x64/0x80
     print_report+0x188/0x48c
     kasan_report_invalid_free+0xa0/0xc0
     ____kasan_slab_free+0x174/0x1b0
     __kasan_slab_free+0x18/0x24
     __kmem_cache_free+0x130/0x2e0
     kfree+0x5c/0xac
     mbox_test_message_write+0x208/0x29c
     full_proxy_write+0x90/0xf0
     vfs_write+0x154/0x440
     ksys_write+0xcc/0x180
     __arm64_sys_write+0x44/0x60
     invoke_syscall+0x60/0x190
     el0_svc_common.constprop.0+0x7c/0x160
     do_el0_svc+0x40/0xf0
     el0_svc+0x2c/0x6c
     el0t_64_sync_handler+0xf4/0x120
     el0t_64_sync+0x18c/0x190

    Allocated by task 356:
     kasan_save_stack+0x3c/0x70
     kasan_set_track+0x2c/0x40
     kasan_save_alloc_info+0x24/0x34
     __kasan_kmalloc+0xb8/0xc0
     kmalloc_trace+0x58/0x70
     mbox_test_message_write+0x6c/0x29c
     full_proxy_write+0x90/0xf0
     vfs_write+0x154/0x440
     ksys_write+0xcc/0x180
     __arm64_sys_write+0x44/0x60
     invoke_syscall+0x60/0x190
     el0_svc_common.constprop.0+0x7c/0x160
     do_el0_svc+0x40/0xf0
     el0_svc+0x2c/0x6c
     el0t_64_sync_handler+0xf4/0x120
     el0t_64_sync+0x18c/0x190

    Freed by task 357:
     kasan_save_stack+0x3c/0x70
     kasan_set_track+0x2c/0x40
     kasan_save_free_info+0x38/0x5c
     ____kasan_slab_free+0x13c/0x1b0
     __kasan_slab_free+0x18/0x24
     __kmem_cache_free+0x130/0x2e0
     kfree+0x5c/0xac
     mbox_test_message_write+0x208/0x29c
     full_proxy_write+0x90/0xf0
     vfs_write+0x154/0x440
     ksys_write+0xcc/0x180
     __arm64_sys_write+0x44/0x60
     invoke_syscall+0x60/0x190
     el0_svc_common.constprop.0+0x7c/0x160
     do_el0_svc+0x40/0xf0
     el0_svc+0x2c/0x6c
     el0t_64_sync_handler+0xf4/0x120
     el0t_64_sync+0x18c/0x190

Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2023-05-04 00:53:31 -05:00
Lee Jones
be88458585 mailbox: mailbox-test: Explicitly include header for spinlock support
Presently the support appears to be implied.

Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2023-05-04 00:53:28 -05:00
Thomas Gleixner
2874c5fd28 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation either version 2 of the license or at
  your option any later version

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-or-later

has been chosen to replace the boilerplate/reference in 3029 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070032.746973796@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-05-30 11:26:32 -07:00
Fabien Dessenne
6899b4f7c9 mailbox: mailbox-test: fix null pointer if no mmio
Fix null pointer issue if resource_size is called with no ioresource.

Signed-off-by: Ludovic Barre <ludovic.barre@st.com>
Signed-off-by: Fabien Dessenne <fabien.dessenne@st.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2019-03-06 20:33:14 -06:00
Fabien Dessenne
10cfc5a92e mailbox: mailbox-test: fix debugfs in multi-instances
Create one debug entry directory per instance to support the multi
instantiation.

Signed-off-by: Ludovic Barre <ludovic.barre@st.com>
Signed-off-by: Fabien Dessenne <fabien.dessenne@st.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2019-03-06 20:32:59 -06:00
Linus Torvalds
a9a08845e9 vfs: do bulk POLL* -> EPOLL* replacement
This is the mindless scripted replacement of kernel use of POLL*
variables as described by Al, done by this script:

    for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
        L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
        for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
    done

with de-mangling cleanups yet to come.

NOTE! On almost all architectures, the EPOLL* constants have the same
values as the POLL* constants do.  But they keyword here is "almost".
For various bad reasons they aren't the same, and epoll() doesn't
actually work quite correctly in some cases due to this on Sparc et al.

The next patch from Al will sort out the final differences, and we
should be all done.

Scripted-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-02-11 14:34:03 -08:00
Al Viro
afc9a42b74 the rest of drivers/*: annotate ->poll() instances
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-11-28 11:06:58 -05:00
Sudeep Holla
e339c80af9 mailbox: mailbox-test: don't rely on rx_buffer content to signal data ready
Currently we rely on the first byte of the Rx buffer to check if there's
any data available to be read. If the first byte of the received buffer
is zero (i.e. null character), then we fail to signal that data is
available even when it's available.

Instead introduce a boolean variable to track the data availability and
update it in the channel receive callback as ready and clear it when the
data is read.

Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2017-11-14 20:21:32 +05:30
Ingo Molnar
174cd4b1e5 sched/headers: Prepare to move signal wakeup & sigpending methods from <linux/sched.h> into <linux/sched/signal.h>
Fix up affected files that include this signal functionality via sched.h.

Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-03-02 08:42:32 +01:00
Sudeep Holla
db4d22c07e mailbox: mailbox-test: allow reserved areas in SRAM
When CONFIG_SRAM is enable and the SRAM region is found, the entire SRAM
region resource is requested and marked as occupied by SRAM driver even
if certain parts of regions is marked reserved.

It's quite possible that a small region of the SRAM is reserved for all
the mailbox communication and hence it may fail to request the region
as it's already marked busy region.

This patch tries to just do a ioremap of this mailbox memory region if
it finds it busy.

Cc: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2016-12-19 20:10:23 +05:30
Sudeep Holla
baef9a35d2 mailbox: mailbox-test: add support for fasync/poll
Currently the read operation on the message debug file returns error if
there's no data ready to be read. It expects the userspace to retry if
it fails. Since the mailbox response could be asynchronous, it would be
good to add support to block the read until the data is available.

We can also implement poll file operations so that the userspace can
wait to become ready to perform any I/O.

This patch implements the poll and fasync file operation callback for
the test mailbox device.

Cc: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2016-12-19 20:10:23 +05:30
Javier Martinez Canillas
f42cce3c24 mailbox: mailbox-test: Fix module autoload
If the driver is built as a module, autoload won't work because the module
alias information is not filled. So user-space can't match the registered
device with the corresponding module.

Export the module alias information using the MODULE_DEVICE_TABLE() macro.

Before this patch:

$ modinfo drivers/mailbox/mailbox-test.ko | grep alias
$

After this patch:

$ modinfo drivers/mailbox/mailbox-test.ko | grep alias
alias:          of:N*T*Cmailbox-testC*
alias:          of:N*T*Cmailbox-test

Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2016-12-19 20:10:17 +05:30
Sudeep Holla
9ef3c51121 mailbox: mailbox-test: set tdev->signal to NULL after freeing
tdev->signal is not set NULL after it's freed. This will cause random
exceptions when the stale pointer is accessed after tdev->signal is
freed. Also, since tdev->signal allocation is skipped the next time
it's written, this leads to continuous fault finally leading to the
total death of the system.

Fixes: d1c2f87c9a ("mailbox: mailbox-test: Prevent memory leak")
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2016-06-12 15:13:04 +05:30
Lee Jones
d1c2f87c9a mailbox: mailbox-test: Prevent memory leak
If we set the Signal twice or more, without using it as part of a message,
memory will be re-allocated and the pointer over-written.  Prevent this
potential leak by only allocating memory when there isn't any already.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2016-04-12 13:28:30 +05:30
Lee Jones
17f5f28ffa mailbox: mailbox-test: Use more consistent format for calling copy_from_user()
While we're at it, ensure copy-to location is NULL'ed in the error path.

Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2016-04-12 13:28:20 +05:30
Sudeep Holla
2d74ffdc91 mailbox: mailbox-test: add support for separate tx/rx buffer with single channel
This patch adds support for different MMIO region for Tx and Rx paths.
If only one region is specified, it's assumed to be shared between Rx
and Tx, thereby retaining backward compatibility.

Also in order to support single channel dealing with both Tx and Rx with
dedicated MMIO regions, Tx channel itself is assigned to Rx if MMIO
regions are different and Rx is not specified.

Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2016-03-04 12:32:19 +05:30
Sudeep Holla
27fa680f7f mailbox: mailbox-test: use print_hex_dump_bytes to allow dynamic printk
Reduce the logging from info to debug. Also use print_hex_dump_bytes
instead as it has support for dynamic printk providing options to
conditionally enable/disable these logs.

Cc: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2016-03-04 12:32:19 +05:30
Sudeep Holla
c428013783 mailbox: mailbox-test: fix the compatible string
Underscores are usually forbidden in the compatible strings. So lets
remove it before the first users of this is seen.

Acked-by: Rob Herring <robh@kernel.org>
Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2016-03-04 12:32:18 +05:30
Sudeep Holla
adf06ba9b3 mailbox: mailbox-test: rename driver as generic test driver
This mailbox-test driver was designed to be generic, so let's remove ST
tag on it and make it generic.

Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2016-03-04 12:32:13 +05:30
Jassi Brar
cb1ca0b3bb mailbox: mailbox-test: avoid reading iomem twice
Don't pass mmio region as source to print_hex_dump() and then
again to memcpy_fromio(). Do it once and give print_hex_dump()
the buffer we just read the data in.

Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2015-11-04 14:03:04 +05:30
Dan Carpenter
c3ac54a6f5 mailbox: Off by one in mbox_test_message_read()
We need to leave space for the NUL char.

Fixes: 8ea4484d0c ('mailbox: Add generic mechanism for testing Mailbox Controllers')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
2015-10-27 21:27:25 +05:30
Lee Jones
a133f8b65d mailbox: mailbox-test: Correctly repair Sparse warnings
Kbuild test robot reported some Sparse warnings to the tune of:

  sparse: incorrect type in argument 6 (different address spaces)
    expected void const *buf
    got void [noderef] <asn:2>*mmio

This was due to passing variables tagged with the Sparse cookie
'__iomem' through into memcpy() and print_hex_dump() without
adequate protection or casting.  These issues were fixed in a
previous patch suppressing the warnings, but the issue is indeed
still present.

This patch fixes the warnings in the correct way, i.e. by using
the purposely authored memcpy_{from,to}io() derivatives in the
memcpy() case and casting the memory address to (void *) and
forcing Sparse to ignore to ignore it in the print_hex_dump()
case [NB: This is also what the memcpy() derivatives do].

Reported-by: Peter Griffin <peter.griffin@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2015-10-23 11:19:21 +05:30
Lee Jones
6c03663f98 mailbox: Fix a couple of trivial static checker issues
This patch deals with a few spelling, white space and type
warnings reported by Intel's Kbuild Test Robot.

Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2015-10-17 10:36:56 +05:30
Lee Jones
8ea4484d0c mailbox: Add generic mechanism for testing Mailbox Controllers
This particular Client implementation uses shared memory in order
to pass messages between Mailbox users; however, it can be easily
hacked to support any type of Controller.

Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
2015-10-17 10:36:56 +05:30