Re: [PATCH 4/4] Revert "drivers: convert sbd_duart.map_guard from atomic_t to refcount_t"

public inbox for linux-serial@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: "Maciej W. Rozycki" <macro@orcam.me.uk>
Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
	Jiri Slaby <jirislaby@kernel.org>,
	Elena Reshetova <elena.reshetova@intel.com>,
	David Windsor <dwindsor@gmail.com>, Kees Cook <kees@kernel.org>,
	Hans Liljestrand <ishkamiel@gmail.com>,
	linux-mips@vger.kernel.org, linux-serial@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 4/4] Revert "drivers: convert sbd_duart.map_guard from atomic_t to refcount_t"
Date: Sun, 26 Apr 2026 22:45:06 +0200	[thread overview]
Message-ID: <2026042630-diaphragm-reactor-7cfe@gregkh> (raw)
In-Reply-To: <alpine.DEB.2.21.2604130416440.29980@angie.orcam.me.uk>

On Mon, Apr 13, 2026 at 04:28:53AM +0100, Maciej W. Rozycki wrote:
> Revert commit 22a33651a56f ("drivers: convert sbd_duart.map_guard from
> atomic_t to refcount_t"), which broke perfectly valid code:
> 
>   ------------[ cut here ]------------
>   WARNING: CPU: 1 PID: 1 at lib/refcount.c:114 sbd_request_port+0x54/0x140
>   refcount_t: increment on 0; use-after-free.
>   CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.11.0-rc2+ #34
>   Stack : 0000000014001fe0 0000000000000000 ffffffff80830000 0000000000000000
>           ffffffff8127bc7a ffffffff8016fe08 ffffffff808d0000 ffffffff808d0000
>           ffffffff807aa828 ffffffff80822337 ffffffff808ce188 a8000001860b0000
>           0000000000000001 0000000000000001 00000000000001c8 ffffffff808a3090
>           00000000000000bb ffffffff801b09d4 a80000018609bb68 ffffffff801231cc
>           ffffffff812a0000 ffffffff80171388 0000000000001000 ffffffff807aa828
>           0000000000000001 0000000000000001 0000000000000000 0000000000000000
>           0000000000000000 a80000018609bab0 0000000000000000 ffffffff803c47cc
>           0000000000000000 0000000000000000 0000000000000000 0000000000000000
>           ffffffff807cb648 ffffffff8010bff8 0000000014001fe1 ffffffff803c47cc
>           ...
>   Call Trace:
>   [<ffffffff8010bff8>] show_stack+0x28/0x88
>   [<ffffffff803c47cc>] dump_stack+0x8c/0xc0
>   [<ffffffff801aff5c>] __warn+0xe0/0x114
>   [<ffffffff801233f0>] warn_slowpath_fmt+0x40/0x50
>   [<ffffffff80455bcc>] sbd_request_port+0x54/0x140
>   [<ffffffff804563a4>] sbd_config_port+0x2c/0x68
>   ---[ end trace f666d696412caa3e ]---
> 
> (report at the offending commit) -- sbd_request_port() is called twice
> per DUART instance, to reserve a resource holding the control register
> block shared between the two channels, so there's no slightest chance
> for an overflow.  Also this doesn't stop the driver from working and
> it's just the reservation that is missing as a result, i.e.:
> 
> 10060100-100601ff : sb1250-duart
> 10060200-100602ff : sb1250-duart
> 
> as from the offending change, vs:
> 
> 10060100-100601ff : sb1250-duart
> 10060200-100602ff : sb1250-duart
> 10060300-100603ff : sb1250-duart
> 
> beforehand, which is surely why the breakage has gone so long unnoticed.
> 
> "If it ain't broke, don't fix it," so just revert the broken commit.

How about fix this up to work properly with a refcount?  having "open
coded" atomic variables like this is ripe for problems, like it seems
this driver is abusing.

thanks,

greg k-h

     prev parent reply	other threads:[~2026-04-27  3:51 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-13  3:28 [PATCH 0/4] MIPS: SiByte: Fix serial device regressions Maciej W. Rozycki
2026-04-13  3:28 ` [PATCH 1/4] MIPS: SiByte: Fix console message clobbering at channel resets Maciej W. Rozycki
2026-04-13  3:28 ` [PATCH 2/4] MIPS: SiByte: Fix bootconsole handover lockup Maciej W. Rozycki
2026-04-13  3:28 ` [PATCH 3/4] MIPS: SiByte: Convert to use a platform device Maciej W. Rozycki
2026-04-13  3:28 ` [PATCH 4/4] Revert "drivers: convert sbd_duart.map_guard from atomic_t to refcount_t" Maciej W. Rozycki
2026-04-26 20:45   ` Greg Kroah-Hartman [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2026042630-diaphragm-reactor-7cfe@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=dwindsor@gmail.com \
    --cc=elena.reshetova@intel.com \
    --cc=ishkamiel@gmail.com \
    --cc=jirislaby@kernel.org \
    --cc=kees@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mips@vger.kernel.org \
    --cc=linux-serial@vger.kernel.org \
    --cc=macro@orcam.me.uk \
    --cc=tsbogend@alpha.franken.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox