When endpoint_alloc() fails in xillyusb_setup_base_eps(),
'xdev->msg_ep' will be freed but not set to NULL. That lets the program
enter fail handling to cleanup_dev() in xillyusb_probe(). The check for
'xdev->msg_ep' in cleanup_dev() is invalid because 'xdev->msg_ep' was
not set to NULL when it was freed. So the UAF problem for 'xdev->msg_ep'
is triggered.

==================================================================
BUG: KASAN: use-after-free in fifo_mem_release+0x1f4/0x210

CPU: 0 PID: 166 Comm: kworker/0:2 Not tainted 5.15.0-rc5+ #19
Call Trace:
 dump_stack_lvl+0xe2/0x152
 print_address_description.constprop.0+0x21/0x140
 ? fifo_mem_release+0x1f4/0x210
 kasan_report.cold+0x7f/0x11b
 ? xillyusb_probe+0x530/0x700
 ? fifo_mem_release+0x1f4/0x210
 fifo_mem_release+0x1f4/0x210
 ? __sanitizer_cov_trace_pc+0x1d/0x50
 endpoint_dealloc+0x35/0x2b0
 cleanup_dev+0x90/0x120
 xillyusb_probe+0x59a/0x700
...

Freed by task 166:
 kasan_save_stack+0x1b/0x40
 kasan_set_track+0x1c/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0x109/0x140
 kfree+0x117/0x4c0
 xillyusb_probe+0x606/0x700

Set 'xdev->msg_ep' to NULL after being freed in xillyusb_setup_base_eps()
to fix the UAF problem.

Fixes: a53d1202ae ("char: xillybus: Add driver for XillyUSB (Xillybus variant for USB)")
Cc: stable <stable@vger.kernel.org>
Acked-by: Eli Billauer <eli.billauer@gmail.com>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/r/20211016052047.1611983-1-william.xuanziyang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
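
The error path described in the commit message above, as an added userspace model (not the driver's code and not part of the commit). Function names follow the message; their bodies, the 'other_ep' field, the fixed-size pool standing in for the slab allocator and the 'fixed' switch are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: a slot pool stands in for kmalloc()/kfree(). */
struct ep { bool in_use; };
struct dev { struct ep *msg_ep; struct ep *other_ep; /* hypothetical field */ };

static struct ep pool[2];
static int stale_releases;	/* releases of an endpoint that was already freed */

static struct ep *endpoint_alloc(bool fail)
{
	if (fail)
		return NULL;		/* simulated allocation failure */
	for (size_t i = 0; i < 2; i++)
		if (!pool[i].in_use) {
			pool[i].in_use = true;
			return &pool[i];
		}
	return NULL;
}

static void endpoint_dealloc(struct ep *e)
{
	if (!e->in_use) {		/* in the kernel: access to freed memory */
		stale_releases++;
		return;
	}
	e->in_use = false;
}

static int setup_base_eps(struct dev *d, bool fixed)
{
	d->msg_ep = endpoint_alloc(false);
	if (!d->msg_ep)
		return -1;
	d->other_ep = endpoint_alloc(true);	/* a later allocation fails */
	if (!d->other_ep) {
		endpoint_dealloc(d->msg_ep);
		if (fixed)
			d->msg_ep = NULL;	/* the fix: clear the freed pointer */
		return -1;
	}
	return 0;
}

static void cleanup_dev(struct dev *d)
{
	if (d->msg_ep)			/* only protects if the pointer was cleared */
		endpoint_dealloc(d->msg_ep);
	if (d->other_ep)
		endpoint_dealloc(d->other_ep);
}

/* Runs the probe error path; returns how many stale releases it caused. */
static int probe_fail_path(bool fixed)
{
	struct dev d = { 0 };

	stale_releases = 0;
	if (setup_base_eps(&d, fixed) < 0)
		cleanup_dev(&d);
	return stale_releases;
}

int main(void) { return !(probe_fail_path(false) == 1 && probe_fail_path(true) == 0); }
```
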
The driver was originally written with the assumption that a different
API must be used for DMA-related functions if the device is PCIe based
or if not. Since Xillybus' driver supports devices on a PCIe bus (with
xillybus_pcie) as well as connected directly to the processor (with
xillybus_of), it originally used wrapper functions that ensure that
a different API is used for each.
This patch eliminates the said wrapper functions, as all use the same
dma_* API now. This is most notable by the code deleted in xillybus_pcie.c
and xillybus_of.c.
It also eliminates the OF driver's check for a "dma-coherent" attribute
in the device's OF entry, since this is taken care of by the kernel's
implementation of dma_sync_single_for_*().
There is however still need for one wrapper function, which is merged
from xillybus_pcie.c and xillybus_of.c into xillybus_core.c: The call to
dma_map_single() is wrapped by a function that uses the Managed Device
(devres) framework, in the absence of a relevant function in the current
kernel's API.
Suggested-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
Link: https://lore.kernel.org/r/20210929094442.46383-1-eli.billauer@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
'struct xilly_endpoint' has a 'dev' field which is a 'struct device *' and
a 'pdev' field which is 'struct pci_dev *'.

Both fields are initialized by 'xillybus_init_endpoint()' and in
'xillybus_pcie.c', we have:

    xillybus_init_endpoint(pdev, &pdev->dev, &pci_hw);
                           ^     ^
  xilly_endpoint.pdev = ___|     |___ = xilly_endpoint.dev

So the modification from pci_ to dma_ function is straightforward.

Update all remaining deprecated pci_ function calls to equivalent
dma_ API function.

Switching from 'ep->pdev' to 'ep->dev' makes the transformation
straightforward.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/19d67ac0208a609aef1e28278b3f2477aa714029.1630083668.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
'struct xilly_mapping' includes a 'void *device' field which holds,
depending on the context, a 'struct device *' or a 'struct pci_dev *'.

This field is then used with 'pci_unmap_single()' in 'xillybus_pcie.c' and
with 'dma_unmap_single()' in 'xillybus_of.c'.

In order to remove usage of the deprecated 'pci_unmap_single()' API, turn
the 'void *device' field from 'struct xilly_mapping', into an explicit
'struct device *device' and use 'dma_unmap_single()' everywhere.

In order to update 'xillybus_pcie.c', use the 'dev' field instead of the
'pdev' field from the 'struct xilly_endpoint'.

Both fields are initialized by 'xillybus_init_endpoint()' and in
'xillybus_pcie.c', we have:

    xillybus_init_endpoint(pdev, &pdev->dev, &pci_hw);
                           ^     ^
  xilly_endpoint.pdev = ___|     |___ = xilly_endpoint.dev

So the modification from pci_ to dma_ function is straightforward.

While at it, remove a comment that is wrong, because in the case above,
both 'dev' and 'pdev' are not NULL.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/baa3f6c7f009d9c231ae320bf1d568268bfef089.1630083668.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
There is a spelling mistake in a dev_err message. Fix it.
Acked-by: Eli Billauer <eli.billauer@gmail.com>
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Link: https://lore.kernel.org/r/20210601102201.8489-1-colin.king@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
MODULE_VERSION is useless for in-kernel drivers, so these are removed from
files in drivers/char/xillybus/
Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
Link: https://lore.kernel.org/r/20210528092242.51104-2-eli.billauer@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The XillyUSB driver is the USB variant for the Xillybus FPGA IP core.
Even though it presents a nearly identical API on the FPGA and host,
it's almost a complete rewrite of the driver: The framework for exchanging
data on a USB bus is fundamentally different from doing the same with a
PCIe interface, which leaves very little in common between the existing
driver and the new one for XillyUSB.
Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
Link: https://lore.kernel.org/r/20210526100311.56327-3-eli.billauer@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch is a preparation for adding another related driver, XillyUSB.
In order to share some code between the existing Xillybus driver and the
one to be added, some functions are moved to xillybus_class.c
XILLYBUS_CLASS is added to Kconfig and is common to all drivers in this
group. The relation with the existing XILLYBUS symbol is "select" rather
than "depends on" XILLYBUS_CLASS, or else "make olddefconfig" will silently
turn off XILLYBUS, which is currently enabled in several distributions.
XILLYBUS_CLASS doesn't depend on anything else, hence using it with
"select" poses no risk for a broken configuration.
After the future addition of the XillyUSB module, the tree of symbols
will be as follows:

XILLYBUS_CLASS --+-- XILLYBUS --+-- XILLYBUS_PCIE
                 |              |
                 |              +-- XILLYBUS_OF
                 |
                 +-- XILLYUSB

XILLYBUS is for drivers based upon memory registers + DMA-based interfaces,
and it's combined with XILLYBUS_PCIE and/or XILLYBUS_OF.
XILLYUSB is for the USB variant only.
Or a more detailed, bottom-up outline:
* CONFIG_XILLYBUS_PCIE -> xillybus_pcie.c: Functions related to PCIe.
* CONFIG_XILLYBUS_OF -> xillybus_of.c: Functions related to Xillybus as a
peripheral on an FPGA / Processor combo chip.
* CONFIG_XILLYBUS -> xillybus_core.c: Functions that are common to the two
above, mainly access to the peripheral with memory-mapped registers and
DMA.
* CONFIG_XILLYUSB -> xillyusb.c: The driver for the USB variant, accesses
the peripheral through the USB framework.
* CONFIG_XILLYBUS_CLASS -> xillybus_class.c: The new module, which contains
the class and API parts that would otherwise appear both in
xillybus_core.c and xillyusb.c. Contains utility functions for the two
latter.
And since I'm at it, comments on the module names are added in the
Kconfig's help part.
The functions are exported with the non-GPL EXPORT_SYMBOL (a matter of
taste).
Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
Link: https://lore.kernel.org/r/20210526100311.56327-2-eli.billauer@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Use devm_platform_ioremap_resource() to simplify the code a bit.
This is detected by coccinelle.
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Eli Billauer <eli.billauer@gmail.com>
Link: https://lore.kernel.org/r/20191016092546.26332-1-yuehaibing@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Move ASPM definitions and function prototypes from include/linux/pci-aspm.h
to include/linux/pci.h so users only need to include <linux/pci.h>:

  PCIE_LINK_STATE_L0S
  PCIE_LINK_STATE_L1
  PCIE_LINK_STATE_CLKPM
  pci_disable_link_state()
  pci_disable_link_state_locked()
  pcie_no_aspm()

No functional changes intended.

Link: https://lore.kernel.org/r/20190827095620.11213-1-kw@linux.com
Signed-off-by: Krzysztof Wilczynski <kw@linux.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Based on 1 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the smems of the gnu general public license as published by
the free software foundation version 2 of the license
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 5 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Armijn Hemel <armijn@tjaldur.nl>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190531190111.946565886@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Add SPDX license identifiers to all Make/Kconfig files which:
- Have no license information of any form
These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:
GPL-2.0-only
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Add the Altera PCI Vendor id to pci_ids.h and remove the private
definitions from xillybus_pcie.c and altera-cvp.c.
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Eli Billauer <eli.billauer@gmail.com>
Cc: Anatolij Gustschin <agust@denx.de>
Acked-by: Eli Billauer <eli.billauer@gmail.com>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This is the mindless scripted replacement of kernel use of POLL*
variables as described by Al, done by this script:

    for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
        L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
        for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
    done

with de-mangling cleanups yet to come.

NOTE! On almost all architectures, the EPOLL* constants have the same
values as the POLL* constants do. But the keyword here is "almost".
For various bad reasons they aren't the same, and epoll() doesn't
actually work quite correctly in some cases due to this on Sparc et al.

The next patch from Al will sort out the final differences, and we
should be all done.

Scripted-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Here is the big pull request for char/misc drivers for 4.16-rc1.
There's a lot of stuff in here. Three new driver subsystems were added
for various types of hardware busses:
- siox
- slimbus
- soundwire
as well as a new vboxguest subsystem for the VirtualBox hypervisor
drivers.
There's also big updates from the FPGA subsystem, lots of Android binder
fixes, the usual handful of hyper-v updates, and lots of other smaller
driver updates.
All of these have been in linux-next for a long time, with no reported
issues.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge tag 'char-misc-4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
Pull char/misc driver updates from Greg KH:
"Here is the big pull request for char/misc drivers for 4.16-rc1.
There's a lot of stuff in here. Three new driver subsystems were added
for various types of hardware busses:
- siox
- slimbus
- soundwire
as well as a new vboxguest subsystem for the VirtualBox hypervisor
drivers.
There's also big updates from the FPGA subsystem, lots of Android
binder fixes, the usual handful of hyper-v updates, and lots of other
smaller driver updates.
All of these have been in linux-next for a long time, with no reported
issues"
* tag 'char-misc-4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (155 commits)
char: lp: use true or false for boolean values
android: binder: use VM_ALLOC to get vm area
android: binder: Use true and false for boolean values
lkdtm: fix handle_irq_event symbol for INT_HW_IRQ_EN
EISA: Delete error message for a failed memory allocation in eisa_probe()
EISA: Whitespace cleanup
misc: remove AVR32 dependencies
virt: vbox: Add error mapping for VERR_INVALID_NAME and VERR_NO_MORE_FILES
soundwire: Fix a signedness bug
uio_hv_generic: fix new type mismatch warnings
uio_hv_generic: fix type mismatch warnings
auxdisplay: img-ascii-lcd: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
uio_hv_generic: add rescind support
uio_hv_generic: check that host supports monitor page
uio_hv_generic: create send and receive buffers
uio: document uio_hv_generic regions
doc: fix documentation about uio_hv_generic
vmbus: add monitor_id and subchannel_id to sysfs per channel
vmbus: fix ABI documentation
uio_hv_generic: use ISR callback method
...
Drivers generally should not need to depend directly on OF_ADDRESS or
OF_IRQ. Convert xillybus to use the preferred platform_get_resource() and
platform_get_irq() functions to remove this dependency.
Cc: Eli Billauer <eli.billauer@gmail.com>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch fixes two minor issues:
(1) An inaccurate comment
(2) A spelling mistake in dev_err message ("upgarde" -> "upgrade")
Reported-by: Joe Perches <joe@perches.com>
Reported-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
If devm_add_action() fails we are explicitly calling dma_unmap_single(),
pci_unmap_single() and kfree(). Let's use the helper
devm_add_action_or_reset() and return directly in case of error, as we
know that the cleanup function has been already called by the helper if
there was any error. At the same time remove the variable rc which
becomes unused now.
Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
A couple of fields in a data structure, which is used by the driver only,
were not initialized properly during the driver's setup.
The primary issue with this bug was that channel->wr_buf_size remained zero,
so calls to dma_sync_single_for_cpu() took place with zero size, and
consequently did nothing.
This had a rather minimal practical impact, because
(a) these calls are NOPs on Intel/AMD platforms, as well as other platforms
with coherent cache, and
(b) it's extremely rare that any cache line would survive between two reads
from a given DMA buffer
Hence no significant practical difference is expected with this patch.
Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Until now, only 32-bit DMA addressing was allowed, following a report on
some old Intel machine that dropped 64-bit PCIe packets, even though
pci_set_dma_mask() was successful with DMA_BIT_MASK(64).
But then came TI's Keystone II chip (ARM Cortex A15 + DSPs), which refuses
32-bit DMA addressing (for good reasons). So 64-bit DMA is allowed as a
fallback option.
Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
If NO_DMA=y:
drivers/built-in.o: In function `xilly_of_unmap':
xillybus_of.c:(.text+0xa860e): undefined reference to `dma_unmap_single'
drivers/built-in.o: In function `xilly_map_single_of':
xillybus_of.c:(.text+0xa8668): undefined reference to `dma_map_single'
xillybus_of.c:(.text+0xa8676): undefined reference to `dma_mapping_error'
xillybus_of.c:(.text+0xa86ca): undefined reference to `dma_unmap_single'
drivers/built-in.o: In function `xilly_dma_sync_single_for_device_of':
xillybus_of.c:(.text+0xa8700): undefined reference to `dma_sync_single_for_cpu'
drivers/built-in.o: In function `xilly_dma_sync_single_for_cpu_of':
xillybus_of.c:(.text+0xa8726): undefined reference to `dma_sync_single_for_cpu'
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Eli Billauer <eli.billauer@gmail.com>
--
v2:
- Add Acked-by, send to char and misc drivers maintainers.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The API allows the application to flush a host-to-FPGA stream by calling
write() with the data count set to zero. Before this patch, copy_from_user()
was called with a non-zero byte count, which possibly made it attempt to read
from unmapped user memory. Such attempts caused the driver to return -EFAULT
instead of 0, even though the desired operation went through fine.
This patch ensures the driver returns 0 on a successful flush.
Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
of_device_id is always used as const.
(See driver.of_match_table and open firmware functions)
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This driver has been functional and stable throughout the year it has spent
in the staging area. It has been patched for minor bugs, coding style issues
and improvements during this period.
This is the second submission of this move-out, after making several style
improvements, as suggested by Dan Carpenter.
Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>