--- /dev/null
+From 6943b839721ad4a31ad2bacf6e71b21f2dfe3134 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Fri, 3 May 2019 14:22:08 -0700
+Subject: clk: rockchip: Don't yell about bad mmc phases when getting
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 6943b839721ad4a31ad2bacf6e71b21f2dfe3134 upstream.
+
+At boot time, my rk3288-veyron devices yell with 8 lines that look
+like this:
+ [ 0.000000] rockchip_mmc_get_phase: invalid clk rate
+
+This is because the clock framework at clk_register() time tries to
+get the phase but we don't have a parent yet.
+
+While the errors appear to be harmless they are still ugly and, in
+general, we don't want yells like this in the log unless they are
+important.
+
+There's no real reason to be yelling here. We can still return
+-EINVAL to indicate that the phase makes no sense without a parent.
+If someone really tries to do tuning and the clock is reported as 0
+then we'll see the yells in rockchip_mmc_set_phase().
+
+Fixes: 4bf59902b500 ("clk: rockchip: Prevent calculating mmc phase if clock rate is zero")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/rockchip/clk-mmc-phase.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/clk/rockchip/clk-mmc-phase.c
++++ b/drivers/clk/rockchip/clk-mmc-phase.c
+@@ -61,10 +61,8 @@ static int rockchip_mmc_get_phase(struct
+ u32 delay_num = 0;
+
+ /* See the comment for rockchip_mmc_set_phase below */
+- if (!rate) {
+- pr_err("%s: invalid clk rate\n", __func__);
++ if (!rate)
+ return -EINVAL;
+- }
+
+ raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift);
+
--- /dev/null
+From ac43432cb1f5c2950408534987e57c2071e24d8f Mon Sep 17 00:00:00 2001
+From: Muchun Song <smuchun@gmail.com>
+Date: Sat, 27 Jul 2019 11:21:22 +0800
+Subject: driver core: Fix use-after-free and double free on glue directory
+
+From: Muchun Song <smuchun@gmail.com>
+
+commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream.
+
+There is a race condition between removing glue directory and adding a new
+device under the glue dir. It can be reproduced in following test:
+
+CPU1: CPU2:
+
+device_add()
+ get_device_parent()
+ class_dir_create_and_add()
+ kobject_add_internal()
+ create_dir() // create glue_dir
+
+ device_add()
+ get_device_parent()
+ kobject_get() // get glue_dir
+
+device_del()
+ cleanup_glue_dir()
+ kobject_del(glue_dir)
+
+ kobject_add()
+ kobject_add_internal()
+ create_dir() // in glue_dir
+ sysfs_create_dir_ns()
+ kernfs_create_dir_ns(sd)
+
+ sysfs_remove_dir() // glue_dir->sd=NULL
+ sysfs_put() // free glue_dir->sd
+
+ // sd is freed
+ kernfs_new_node(sd)
+ kernfs_get(glue_dir)
+ kernfs_add_one()
+ kernfs_put()
+
+Before CPU1 remove last child device under glue dir, if CPU2 add a new
+device under glue dir, the glue_dir kobject reference count will be
+increase to 2 via kobject_get() in get_device_parent(). And CPU2 has
+been called kernfs_create_dir_ns(), but not call kernfs_new_node().
+Meanwhile, CPU1 call sysfs_remove_dir() and sysfs_put(). This result in
+glue_dir->sd is freed and it's reference count will be 0. Then CPU2 call
+kernfs_get(glue_dir) will trigger a warning in kernfs_get() and increase
+it's reference count to 1. Because glue_dir->sd is freed by CPU1, the next
+call kernfs_add_one() by CPU2 will fail(This is also use-after-free)
+and call kernfs_put() to decrease reference count. Because the reference
+count is decremented to 0, it will also call kmem_cache_free() to free
+the glue_dir->sd again. This will result in double free.
+
+In order to avoid this happening, we also should make sure that kernfs_node
+for glue_dir is released in CPU1 only when refcount for glue_dir kobj is
+1 to fix this race.
+
+The following calltrace is captured in kernel 4.14 with the following patch
+applied:
+
+commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
+
+--------------------------------------------------------------------------
+[ 3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
+ Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get().
+....
+[ 3.633986] Call trace:
+[ 3.633991] kernfs_create_dir_ns+0xa8/0xb0
+[ 3.633994] sysfs_create_dir_ns+0x54/0xe8
+[ 3.634001] kobject_add_internal+0x22c/0x3f0
+[ 3.634005] kobject_add+0xe4/0x118
+[ 3.634011] device_add+0x200/0x870
+[ 3.634017] _request_firmware+0x958/0xc38
+[ 3.634020] request_firmware_into_buf+0x4c/0x70
+....
+[ 3.634064] kernel BUG at .../mm/slub.c:294!
+ Here is BUG_ON(object == fp) in set_freepointer().
+....
+[ 3.634346] Call trace:
+[ 3.634351] kmem_cache_free+0x504/0x6b8
+[ 3.634355] kernfs_put+0x14c/0x1d8
+[ 3.634359] kernfs_create_dir_ns+0x88/0xb0
+[ 3.634362] sysfs_create_dir_ns+0x54/0xe8
+[ 3.634366] kobject_add_internal+0x22c/0x3f0
+[ 3.634370] kobject_add+0xe4/0x118
+[ 3.634374] device_add+0x200/0x870
+[ 3.634378] _request_firmware+0x958/0xc38
+[ 3.634381] request_firmware_into_buf+0x4c/0x70
+--------------------------------------------------------------------------
+
+Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
+Signed-off-by: Muchun Song <smuchun@gmail.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Prateek Sood <prsood@codeaurora.org>
+Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/core.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 52 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -857,12 +857,63 @@ static inline struct kobject *get_glue_d
+ */
+ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
+ {
++ unsigned int ref;
++
+ /* see if we live in a "glue" directory */
+ if (!live_in_glue_dir(glue_dir, dev))
+ return;
+
+ mutex_lock(&gdp_mutex);
+- if (!kobject_has_children(glue_dir))
++ /**
++ * There is a race condition between removing glue directory
++ * and adding a new device under the glue directory.
++ *
++ * CPU1: CPU2:
++ *
++ * device_add()
++ * get_device_parent()
++ * class_dir_create_and_add()
++ * kobject_add_internal()
++ * create_dir() // create glue_dir
++ *
++ * device_add()
++ * get_device_parent()
++ * kobject_get() // get glue_dir
++ *
++ * device_del()
++ * cleanup_glue_dir()
++ * kobject_del(glue_dir)
++ *
++ * kobject_add()
++ * kobject_add_internal()
++ * create_dir() // in glue_dir
++ * sysfs_create_dir_ns()
++ * kernfs_create_dir_ns(sd)
++ *
++ * sysfs_remove_dir() // glue_dir->sd=NULL
++ * sysfs_put() // free glue_dir->sd
++ *
++ * // sd is freed
++ * kernfs_new_node(sd)
++ * kernfs_get(glue_dir)
++ * kernfs_add_one()
++ * kernfs_put()
++ *
++ * Before CPU1 remove last child device under glue dir, if CPU2 add
++ * a new device under glue dir, the glue_dir kobject reference count
++ * will be increase to 2 in kobject_get(k). And CPU2 has been called
++ * kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir()
++ * and sysfs_put(). This result in glue_dir->sd is freed.
++ *
++ * Then the CPU2 will see a stale "empty" but still potentially used
++ * glue dir around in kernfs_new_node().
++ *
++ * In order to avoid this happening, we also should make sure that
++ * kernfs_node for glue_dir is released in CPU1 only when refcount
++ * for glue_dir kobj is 1.
++ */
++ ref = kref_read(&glue_dir->kref);
++ if (!kobject_has_children(glue_dir) && !--ref)
+ kobject_del(glue_dir);
+ kobject_put(glue_dir);
+ mutex_unlock(&gdp_mutex);
projects / thirdparty / kernel / stable-queue.git / commitdiff
