From: Hongren Zheng <i@zenithal.me>
To: Shuah Khan <shuah@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Valentina Manea <valentina.manea.m@gmail.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
sfr@canb.auug.org.au
Subject: [PATCH -next] usb/usbip: fix wrong data added to platform device
Date: Fri, 13 Oct 2023 18:52:09 +0800 [thread overview]
Message-ID: <ZSkhWa5wmAGsAdCK@Sun> (raw)
.data of platform_device_info will be copied into .platform_data of
struct device via platform_device_add_data.
However, vhcis[i] contains a spinlock, is dynamically allocated and
used by other code, so it is not meant to be copied. The workaround
was to use void *vhci as an agent, but it was removed in the commit
suggested below.
This patch adds back the workaround and changes the way of using
platform_data accordingly.
Reported-by: syzbot+e0dbc33630a092ccf033@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/00000000000029242706077f3145@google.com/
Reported-by: syzbot+6867a9777f4b8dc4e256@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/0000000000007634c1060793197c@google.com/
Fixes: b8aaf639b403 ("usbip: Use platform_device_register_full()")
Signed-off-by: Hongren Zheng <i@zenithal.me>
---
drivers/usb/usbip/vhci_hcd.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index f845b91848b9..dfbdc77108e5 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -1139,8 +1139,7 @@ static int hcd_name_to_id(const char *name)
static int vhci_setup(struct usb_hcd *hcd)
{
- struct vhci *vhci = dev_get_platdata(hcd->self.controller);
-
+ struct vhci *vhci = *((void **)dev_get_platdata(hcd->self.controller));
if (usb_hcd_is_primary_hcd(hcd)) {
vhci->vhci_hcd_hs = hcd_to_vhci_hcd(hcd);
vhci->vhci_hcd_hs->vhci = vhci;
@@ -1257,7 +1256,7 @@ static int vhci_get_frame_number(struct usb_hcd *hcd)
/* FIXME: suspend/resume */
static int vhci_bus_suspend(struct usb_hcd *hcd)
{
- struct vhci *vhci = dev_get_platdata(hcd->self.controller);
+ struct vhci *vhci = *((void **)dev_get_platdata(hcd->self.controller));
unsigned long flags;
dev_dbg(&hcd->self.root_hub->dev, "%s\n", __func__);
@@ -1271,7 +1270,7 @@ static int vhci_bus_suspend(struct usb_hcd *hcd)
static int vhci_bus_resume(struct usb_hcd *hcd)
{
- struct vhci *vhci = dev_get_platdata(hcd->self.controller);
+ struct vhci *vhci = *((void **)dev_get_platdata(hcd->self.controller));
int rc = 0;
unsigned long flags;
@@ -1338,7 +1337,7 @@ static const struct hc_driver vhci_hc_driver = {
static int vhci_hcd_probe(struct platform_device *pdev)
{
- struct vhci *vhci = dev_get_platdata(&pdev->dev);
+ struct vhci *vhci = *((void **)dev_get_platdata(&pdev->dev));
struct usb_hcd *hcd_hs;
struct usb_hcd *hcd_ss;
int ret;
@@ -1396,7 +1395,7 @@ static int vhci_hcd_probe(struct platform_device *pdev)
static void vhci_hcd_remove(struct platform_device *pdev)
{
- struct vhci *vhci = dev_get_platdata(&pdev->dev);
+ struct vhci *vhci = *((void **)dev_get_platdata(&pdev->dev));
/*
* Disconnects the root hub,
@@ -1431,7 +1430,7 @@ static int vhci_hcd_suspend(struct platform_device *pdev, pm_message_t state)
if (!hcd)
return 0;
- vhci = dev_get_platdata(hcd->self.controller);
+ vhci = *((void **)dev_get_platdata(hcd->self.controller));
spin_lock_irqsave(&vhci->lock, flags);
@@ -1506,6 +1505,7 @@ static void del_platform_devices(void)
static int __init vhci_hcd_init(void)
{
int i, ret;
+ void *vhci;
if (usb_disabled())
return -ENODEV;
@@ -1522,10 +1522,11 @@ static int __init vhci_hcd_init(void)
goto err_driver_register;
for (i = 0; i < vhci_num_controllers; i++) {
+ vhci = &vhcis[i];
struct platform_device_info pdevinfo = {
.name = driver_name,
.id = i,
- .data = &vhcis[i],
+ .data = &vhci,
.size_data = sizeof(void *),
};
--
2.37.2
next reply other threads:[~2023-10-13 10:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-13 10:52 Hongren Zheng [this message]
2023-10-13 12:05 ` [PATCH -next] usb/usbip: fix wrong data added to platform device Hongren Zheng
2023-10-13 19:55 ` Andy Shevchenko
2023-10-13 19:58 ` Andy Shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZSkhWa5wmAGsAdCK@Sun \
--to=i@zenithal.me \
--cc=andriy.shevchenko@linux.intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=sfr@canb.auug.org.au \
--cc=shuah@kernel.org \
--cc=valentina.manea.m@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).