471b12c43f
When the auxiliary device code is built into the kernel, it can be executed
before the auxiliary bus is registered. This leaves bus->p unallocated and
triggers a NULL pointer dereference when the auxiliary bus device gets added
with bus_add_device(). Call auxiliary_bus_init() under driver_init() so the
bus is initialized before devices.
Below is the kernel splat for the bug:
[ 1.948215] BUG: kernel NULL pointer dereference, address: 0000000000000060
[ 1.950670] #PF: supervisor read access in kernel mode
[ 1.950670] #PF: error_code(0x0000) - not-present page
[ 1.950670] PGD 0
[ 1.950670] Oops: 0000 1 SMP NOPTI
[ 1.950670] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.10.0-intel-nextsvmtest+ #2205
[ 1.950670] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 1.950670] RIP: 0010:bus_add_device+0x64/0x140
[ 1.950670] Code: 00 49 8b 75 20 48 89 df e8 59 a1 ff ff 41 89 c4 85 c0 75 7b 48 8b 53 50 48 85 d2 75 03 48 8b 13 49 8b 85 a0 00 00 00 48 89 de <48> 8
78 60 48 83 c7 18 e8 ef d9 a9 ff 41 89 c4 85 c0 75 45 48 8b
[ 1.950670] RSP: 0000:ff46032ac001baf8 EFLAGS: 00010246
[ 1.950670] RAX: 0000000000000000 RBX: ff4597f7414aa680 RCX: 0000000000000000
[ 1.950670] RDX: ff4597f74142bbc0 RSI: ff4597f7414aa680 RDI: ff4597f7414aa680
[ 1.950670] RBP: ff46032ac001bb10 R08: 0000000000000044 R09: 0000000000000228
[ 1.950670] R10: ff4597f741141b30 R11: ff4597f740182a90 R12: 0000000000000000
[ 1.950670] R13: ffffffffa5e936c0 R14: 0000000000000000 R15: 0000000000000000
[ 1.950670] FS: 0000000000000000(0000) GS:ff4597f7bba00000(0000) knlGS:0000000000000000
[ 1.950670] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.950670] CR2: 0000000000000060 CR3: 000000002140c001 CR4: 0000000000f71ef0
[ 1.950670] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1.950670] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[ 1.950670] PKRU: 55555554
[ 1.950670] Call Trace:
[ 1.950670] device_add+0x3ee/0x850
[ 1.950670] __auxiliary_device_add+0x47/0x60
[ 1.950670] idxd_pci_probe+0xf77/0x1180
[ 1.950670] local_pci_probe+0x4a/0x90
[ 1.950670] pci_device_probe+0xff/0x1b0
[ 1.950670] really_probe+0x1cf/0x440
[ 1.950670] ? rdinit_setup+0x31/0x31
[ 1.950670] driver_probe_device+0xe8/0x150
[ 1.950670] device_driver_attach+0x58/0x60
[ 1.950670] __driver_attach+0x8f/0x150
[ 1.950670] ? device_driver_attach+0x60/0x60
[ 1.950670] ? device_driver_attach+0x60/0x60
[ 1.950670] bus_for_each_dev+0x79/0xc0
[ 1.950670] ? kmem_cache_alloc_trace+0x323/0x430
[ 1.950670] driver_attach+0x1e/0x20
[ 1.950670] bus_add_driver+0x154/0x1f0
[ 1.950670] driver_register+0x70/0xc0
[ 1.950670] __pci_register_driver+0x54/0x60
[ 1.950670] idxd_init_module+0xe2/0xfc
[ 1.950670] ? idma64_platform_driver_init+0x19/0x19
[ 1.950670] do_one_initcall+0x4a/0x1e0
[ 1.950670] kernel_init_freeable+0x1fc/0x25c
[ 1.950670] ? rest_init+0xba/0xba
[ 1.950670] kernel_init+0xe/0x116
[ 1.950670] ret_from_fork+0x1f/0x30
[ 1.950670] Modules linked in:
[ 1.950670] CR2: 0000000000000060
[ 1.950670] --[ end trace cd7d1b226d3ca901 ]--
Fixes: 7de3697e9c
("Add auxiliary bus support")
Reported-by: Jacob Pan <jacob.jun.pan@intel.com>
Reviewed-by: Dan Williams <dan.j.williams@intel.com>
Acked-by: Dave Ertman <david.m.ertman@intel.com>
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/20210210201611.1611074-1-dave.jiang@intel.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2019-2020 Intel Corporation
 *
 * Please see Documentation/driver-api/auxiliary_bus.rst for more information.
 */
#define pr_fmt(fmt) "%s:%s: " fmt, KBUILD_MODNAME, __func__
#include <linux/device.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <linux/module.h>
#include <linux/pm_domain.h>
#include <linux/pm_runtime.h>
#include <linux/string.h>
#include <linux/auxiliary_bus.h>
#include "base.h"
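/*
 * auxiliary_match_id - find the id_table entry that matches an auxiliary device
 * @id: first entry of a table terminated by an entry whose name is empty
 * @auxdev: device whose name is compared against the table
 *
 * The device name is compared up to, but not including, its last '.'. An
 * entry matches only when it equals that prefix exactly.
 *
 * Returns the matching entry, or NULL when nothing matches or the device name
 * contains no '.'.
 */
static const struct auxiliary_device_id *auxiliary_match_id(const struct auxiliary_device_id *id,
							    const struct auxiliary_device *auxdev)
{
	const char *name = dev_name(&auxdev->dev);
	const char *p = strrchr(name, '.');
	size_t match_size;

	/*
	 * The device name does not depend on the table entry, so split it once
	 * instead of on every iteration. Without a '.' no entry can match.
	 */
	if (!p)
		return NULL;
	match_size = p - name;

	for (; id->name[0]; id++) {
		/*
		 * The length check comes first: strncmp() alone would also
		 * accept an id->name that merely starts with the prefix.
		 */
		if (strlen(id->name) == match_size &&
		    !strncmp(name, id->name, match_size))
			return id;
	}
	return NULL;
}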
/*
 * Bus .match callback: returns 1 when the driver's id_table holds an entry for
 * the device, 0 otherwise.
 */
static int auxiliary_match(struct device *dev, struct device_driver *drv)
{
	struct auxiliary_driver *auxdrv = to_auxiliary_drv(drv);
	struct auxiliary_device *auxdev = to_auxiliary_dev(dev);
	const struct auxiliary_device_id *found;

	found = auxiliary_match_id(auxdrv->id_table, auxdev);

	return found != NULL;
}
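/*
 * Bus .uevent callback: adds a MODALIAS variable built from
 * AUXILIARY_MODULE_PREFIX and the device name up to its last '.'.
 *
 * Returns the result of add_uevent_var(), or 0 without adding anything when
 * the device name has no '.'.
 */
static int auxiliary_uevent(struct device *dev, struct kobj_uevent_env *env)
{
	const char *name = dev_name(dev);
	const char *p = strrchr(name, '.');

	/*
	 * Names built by __auxiliary_device_add() always contain a '.', but
	 * nothing in this callback enforces that. Without the guard, "p - name"
	 * would be arithmetic on a NULL pointer and its result would be used as
	 * the "%.*s" precision. auxiliary_match_id() never matches such a
	 * device, so no MODALIAS is advertised for it.
	 */
	if (!p)
		return 0;

	return add_uevent_var(env, "MODALIAS=%s%.*s", AUXILIARY_MODULE_PREFIX,
			      (int)(p - name), name);
}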
/*
 * PM callbacks for the bus: runtime and system-sleep transitions go to the
 * pm_generic_* helpers; the third SET_RUNTIME_PM_OPS argument is left NULL.
 */
static const struct dev_pm_ops auxiliary_dev_pm_ops = {
	SET_RUNTIME_PM_OPS(pm_generic_runtime_suspend, pm_generic_runtime_resume, NULL)
	SET_SYSTEM_SLEEP_PM_OPS(pm_generic_suspend, pm_generic_resume)
};
/*
 * Bus .probe callback: attaches the device to its PM domain, then calls the
 * driver's probe with the matching id_table entry.
 *
 * Returns 0 on success. A failed attach is logged and returned as-is; a failed
 * driver probe detaches the PM domain again before its error is returned.
 */
static int auxiliary_bus_probe(struct device *dev)
{
	struct auxiliary_device *auxdev = to_auxiliary_dev(dev);
	struct auxiliary_driver *auxdrv = to_auxiliary_drv(dev->driver);
	const struct auxiliary_device_id *id;
	int err;

	err = dev_pm_domain_attach(dev, true);
	if (err) {
		dev_warn(dev, "Failed to attach to PM Domain : %d\n", err);
		return err;
	}

	id = auxiliary_match_id(auxdrv->id_table, auxdev);
	err = auxdrv->probe(auxdev, id);
	if (!err)
		return 0;

	/* Probe failed: undo the PM domain attach done above. */
	dev_pm_domain_detach(dev, true);
	return err;
}
/*
 * Bus .remove callback: runs the driver's remove hook when one is set, then
 * detaches the device from its PM domain. Always returns 0.
 */
static int auxiliary_bus_remove(struct device *dev)
{
	struct auxiliary_device *auxdev = to_auxiliary_dev(dev);
	struct auxiliary_driver *auxdrv = to_auxiliary_drv(dev->driver);

	/* ->remove may be NULL; registration only insists on probe and id_table. */
	if (auxdrv->remove != NULL)
		auxdrv->remove(auxdev);

	dev_pm_domain_detach(dev, true);
	return 0;
}
/*
 * Bus .shutdown callback: forwards to the bound driver's shutdown hook.
 * Does nothing when no driver is bound or the driver has no hook.
 */
static void auxiliary_bus_shutdown(struct device *dev)
{
	struct auxiliary_driver *auxdrv;

	/* dev->driver is NULL for a device that has no driver bound. */
	if (!dev->driver)
		return;

	auxdrv = to_auxiliary_drv(dev->driver);
	if (!auxdrv->shutdown)
		return;

	auxdrv->shutdown(to_auxiliary_dev(dev));
}
/*
 * The auxiliary bus itself. auxiliary_bus_init() registers it,
 * auxiliary_device_init() stores it in dev->bus and
 * __auxiliary_driver_register() stores it in driver.bus.
 */
static struct bus_type auxiliary_bus_type = {
	.name = "auxiliary",
	/* device/driver pairing and hotplug alias */
	.match = auxiliary_match,
	.uevent = auxiliary_uevent,
	/* driver lifecycle */
	.probe = auxiliary_bus_probe,
	.remove = auxiliary_bus_remove,
	.shutdown = auxiliary_bus_shutdown,
	/* power management */
	.pm = &auxiliary_dev_pm_ops,
};
/**
 * auxiliary_device_init - check auxiliary_device and initialize
 * @auxdev: auxiliary device struct
 *
 * First of the two steps that register an auxiliary_device; the second is
 * __auxiliary_device_add().
 *
 * The device must already have dev.parent and name set. If either is NULL the
 * function logs an error and returns -EINVAL *without* calling
 * device_initialize(), so the caller frees any memory it allocated for the
 * auxiliary_device directly.
 *
 * Returns 0 on success, after device_initialize() has run. From that point on
 * any error unwinding has to call auxiliary_device_uninit(); that triggers the
 * device's .release callback, which is expected to do all memory clean-up.
 */
int auxiliary_device_init(struct auxiliary_device *auxdev)
{
	struct device *dev = &auxdev->dev;

	if (dev->parent == NULL) {
		pr_err("auxiliary_device has a NULL dev->parent\n");
		return -EINVAL;
	}

	if (auxdev->name == NULL) {
		pr_err("auxiliary_device has a NULL name\n");
		return -EINVAL;
	}

	/* Bind the device to this bus before the driver core initializes it. */
	dev->bus = &auxiliary_bus_type;
	device_initialize(dev);

	return 0;
}
EXPORT_SYMBOL_GPL(auxiliary_device_init);
/**
 * __auxiliary_device_add - add an auxiliary bus device
 * @auxdev: auxiliary bus device to add to the bus
 * @modname: name of the parent device's driver module
 *
 * Second of the two steps that register an auxiliary_device. It must follow a
 * successful auxiliary_device_init(), which performs the device_initialize().
 * Because of that, when this function returns an error the caller must call
 * auxiliary_device_uninit() so that the .release callback runs and frees the
 * memory associated with the auxiliary_device.
 *
 * The device is named "<modname>.<name>.<id>"; the match and uevent callbacks
 * later split that name at its last '.'.
 *
 * Users are expected to call the "auxiliary_device_add" macro, which passes
 * the caller's KBUILD_MODNAME as @modname. Call this version directly only
 * when a custom name is required.
 *
 * Returns 0 on success, -EINVAL when @modname is NULL, or the error from
 * dev_set_name() or device_add().
 */
int __auxiliary_device_add(struct auxiliary_device *auxdev, const char *modname)
{
	struct device *dev = &auxdev->dev;
	int err;

	if (modname == NULL) {
		dev_err(dev, "auxiliary device modname is NULL\n");
		return -EINVAL;
	}

	err = dev_set_name(dev, "%s.%s.%d", modname, auxdev->name, auxdev->id);
	if (err != 0) {
		dev_err(dev, "auxiliary device dev_set_name failed: %d\n", err);
		return err;
	}

	err = device_add(dev);
	if (err != 0)
		dev_err(dev, "adding auxiliary device failed!: %d\n", err);

	return err;
}
EXPORT_SYMBOL_GPL(__auxiliary_device_add);
/**
 * auxiliary_find_device - auxiliary device iterator for locating a particular device.
 * @start: Device to begin with
 * @data: Data to pass to match function
 * @match: Callback function to check device
 *
 * Walks the devices on the auxiliary bus and hands each one to @match together
 * with @data. The callback returns 0 for a device that does not match and
 * non-zero for one that does; the walk stops at the first non-zero return.
 *
 * Returns the matched device, or NULL when no device matched. The device comes
 * back with the reference taken by bus_find_device(); release it with
 * put_device() on its embedded struct device when it is no longer needed.
 */
struct auxiliary_device *auxiliary_find_device(struct device *start,
					       const void *data,
					       int (*match)(struct device *dev, const void *data))
{
	struct device *found = bus_find_device(&auxiliary_bus_type, start, data, match);

	return found ? to_auxiliary_dev(found) : NULL;
}
EXPORT_SYMBOL_GPL(auxiliary_find_device);
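/**
 * __auxiliary_driver_register - register a driver for auxiliary bus devices
 * @auxdrv: auxiliary_driver structure
 * @owner: owning module/driver
 * @modname: KBUILD_MODNAME for parent driver
 *
 * The driver must provide both a probe callback and an id_table. The driver
 * name is allocated here as "<modname>.<name>", or as "<modname>" when
 * @auxdrv->name is NULL, and is freed by auxiliary_driver_unregister().
 *
 * Returns 0 on success, -EINVAL when probe or id_table is missing, -ENOMEM
 * when the name cannot be allocated, or the error from driver_register(). On
 * any failure no allocated name is left behind in @auxdrv.
 */
int __auxiliary_driver_register(struct auxiliary_driver *auxdrv,
				struct module *owner, const char *modname)
{
	int ret;

	if (WARN_ON(!auxdrv->probe) || WARN_ON(!auxdrv->id_table))
		return -EINVAL;

	if (auxdrv->name)
		auxdrv->driver.name = kasprintf(GFP_KERNEL, "%s.%s", modname,
						auxdrv->name);
	else
		auxdrv->driver.name = kasprintf(GFP_KERNEL, "%s", modname);
	if (!auxdrv->driver.name)
		return -ENOMEM;

	auxdrv->driver.owner = owner;
	auxdrv->driver.bus = &auxiliary_bus_type;
	auxdrv->driver.mod_name = modname;

	ret = driver_register(&auxdrv->driver);
	if (ret) {
		/*
		 * The caller will not call auxiliary_driver_unregister() for a
		 * driver that never registered, so the name has to be freed
		 * here or it leaks. Clearing the pointer keeps a later kfree()
		 * of it harmless.
		 */
		kfree(auxdrv->driver.name);
		auxdrv->driver.name = NULL;
	}

	return ret;
}
EXPORT_SYMBOL_GPL(__auxiliary_driver_register);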
/**
 * auxiliary_driver_unregister - unregister a driver
 * @auxdrv: auxiliary_driver structure
 *
 * Unregisters the driver from the driver core and frees the driver name that
 * __auxiliary_driver_register() allocated.
 */
void auxiliary_driver_unregister(struct auxiliary_driver *auxdrv)
{
	struct device_driver *drv = &auxdrv->driver;

	driver_unregister(drv);
	/* Free the name only after the driver core is done with the driver. */
	kfree(drv->name);
}
EXPORT_SYMBOL_GPL(auxiliary_driver_unregister);
/*
 * Registers the auxiliary bus with the driver core. This has to happen before
 * any auxiliary device is added: adding a device to a bus that was never
 * registered dereferences bus state that has not been allocated yet. A failed
 * registration is only reported through WARN_ON(); no error is returned.
 */
void __init auxiliary_bus_init(void)
{
	int err = bus_register(&auxiliary_bus_type);

	WARN_ON(err);
}
/* Module metadata: license, description and authors. */
MODULE_LICENSE("GPL v2");
MODULE_DESCRIPTION("Auxiliary Bus");
MODULE_AUTHOR("David Ertman <david.m.ertman@intel.com>");
MODULE_AUTHOR("Kiran Patil <kiran.patil@intel.com>");