Revision 4e43e64d0f1332fcc503babad4dc31aead7131ca authored by Eric Dumazet on 28 June 2022, 12:12:48 UTC, committed by Jakub Kicinski on 30 June 2022, 03:41:09 UTC
As reported by syzbot, we should not use rcu_dereference()
when rcu_read_lock() is not held.
WARNING: suspicious RCU usage
5.19.0-rc2-syzkaller #0 Not tainted
net/ipv6/addrconf.c:5175 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor326/3617:
#0: ffffffff8d5848e8 (rtnl_mutex){+.+.}-{3:3}, at: netlink_dump+0xae/0xc20 net/netlink/af_netlink.c:2223
stack backtrace:
CPU: 0 PID: 3617 Comm: syz-executor326 Not tainted 5.19.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
in6_dump_addrs+0x12d1/0x1790 net/ipv6/addrconf.c:5175
inet6_dump_addr+0x9c1/0xb50 net/ipv6/addrconf.c:5300
netlink_dump+0x541/0xc20 net/netlink/af_netlink.c:2275
__netlink_dump_start+0x647/0x900 net/netlink/af_netlink.c:2380
netlink_dump_start include/linux/netlink.h:245 [inline]
rtnetlink_rcv_msg+0x73e/0xc90 net/core/rtnetlink.c:6046
netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
____sys_sendmsg+0x6eb/0x810 net/socket.c:2492
___sys_sendmsg+0xf3/0x170 net/socket.c:2546
__sys_sendmsg net/socket.c:2575 [inline]
__do_sys_sendmsg net/socket.c:2584 [inline]
__se_sys_sendmsg net/socket.c:2582 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2582
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Fixes: 88e2ca308094 ("mld: convert ifmcaddr6 to RCU")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Taehee Yoo <ap420073@gmail.com>
Link: https://lore.kernel.org/r/20220628121248.858695-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
1 parent fa152f6
gpio-gpio-mm.c
// SPDX-License-Identifier: GPL-2.0-only
/*
* GPIO driver for the Diamond Systems GPIO-MM
* Copyright (C) 2016 William Breathitt Gray
*
* This driver supports the following Diamond Systems devices: GPIO-MM and
* GPIO-MM-12.
*/
#include <linux/bitmap.h>
#include <linux/bitops.h>
#include <linux/device.h>
#include <linux/errno.h>
#include <linux/gpio/driver.h>
#include <linux/io.h>
#include <linux/ioport.h>
#include <linux/isa.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/spinlock.h>
#define GPIOMM_EXTENT 8
#define MAX_NUM_GPIOMM max_num_isa_dev(GPIOMM_EXTENT)
static unsigned int base[MAX_NUM_GPIOMM];
static unsigned int num_gpiomm;
module_param_hw_array(base, uint, ioport, &num_gpiomm, 0);
MODULE_PARM_DESC(base, "Diamond Systems GPIO-MM base addresses");
/**
* struct gpiomm_gpio - GPIO device private data structure
* @chip: instance of the gpio_chip
* @io_state: bit I/O state (whether bit is set to input or output)
* @out_state: output bits state
* @control: Control registers state
* @lock: synchronization lock to prevent I/O race conditions
* @base: base port address of the GPIO device
*/
struct gpiomm_gpio {
struct gpio_chip chip;
unsigned char io_state[6];
unsigned char out_state[6];
unsigned char control[2];
spinlock_t lock;
void __iomem *base;
};
static int gpiomm_gpio_get_direction(struct gpio_chip *chip,
unsigned int offset)
{
struct gpiomm_gpio *const gpiommgpio = gpiochip_get_data(chip);
const unsigned int port = offset / 8;
const unsigned int mask = BIT(offset % 8);
if (gpiommgpio->io_state[port] & mask)
return GPIO_LINE_DIRECTION_IN;
return GPIO_LINE_DIRECTION_OUT;
}
static int gpiomm_gpio_direction_input(struct gpio_chip *chip,
unsigned int offset)
{
struct gpiomm_gpio *const gpiommgpio = gpiochip_get_data(chip);
const unsigned int io_port = offset / 8;
const unsigned int control_port = io_port / 3;
unsigned long flags;
unsigned int control;
spin_lock_irqsave(&gpiommgpio->lock, flags);
/* Check if configuring Port C */
if (io_port == 2 || io_port == 5) {
/* Port C can be configured by nibble */
if (offset % 8 > 3) {
gpiommgpio->io_state[io_port] |= 0xF0;
gpiommgpio->control[control_port] |= BIT(3);
} else {
gpiommgpio->io_state[io_port] |= 0x0F;
gpiommgpio->control[control_port] |= BIT(0);
}
} else {
gpiommgpio->io_state[io_port] |= 0xFF;
if (io_port == 0 || io_port == 3)
gpiommgpio->control[control_port] |= BIT(4);
else
gpiommgpio->control[control_port] |= BIT(1);
}
control = BIT(7) | gpiommgpio->control[control_port];
iowrite8(control, gpiommgpio->base + 3 + control_port*4);
spin_unlock_irqrestore(&gpiommgpio->lock, flags);
return 0;
}
static int gpiomm_gpio_direction_output(struct gpio_chip *chip,
unsigned int offset, int value)
{
struct gpiomm_gpio *const gpiommgpio = gpiochip_get_data(chip);
const unsigned int io_port = offset / 8;
const unsigned int control_port = io_port / 3;
const unsigned int mask = BIT(offset % 8);
const unsigned int out_port = (io_port > 2) ? io_port + 1 : io_port;
unsigned long flags;
unsigned int control;
spin_lock_irqsave(&gpiommgpio->lock, flags);
/* Check if configuring Port C */
if (io_port == 2 || io_port == 5) {
/* Port C can be configured by nibble */
if (offset % 8 > 3) {
gpiommgpio->io_state[io_port] &= 0x0F;
gpiommgpio->control[control_port] &= ~BIT(3);
} else {
gpiommgpio->io_state[io_port] &= 0xF0;
gpiommgpio->control[control_port] &= ~BIT(0);
}
} else {
gpiommgpio->io_state[io_port] &= 0x00;
if (io_port == 0 || io_port == 3)
gpiommgpio->control[control_port] &= ~BIT(4);
else
gpiommgpio->control[control_port] &= ~BIT(1);
}
if (value)
gpiommgpio->out_state[io_port] |= mask;
else
gpiommgpio->out_state[io_port] &= ~mask;
control = BIT(7) | gpiommgpio->control[control_port];
iowrite8(control, gpiommgpio->base + 3 + control_port*4);
iowrite8(gpiommgpio->out_state[io_port], gpiommgpio->base + out_port);
spin_unlock_irqrestore(&gpiommgpio->lock, flags);
return 0;
}
static int gpiomm_gpio_get(struct gpio_chip *chip, unsigned int offset)
{
struct gpiomm_gpio *const gpiommgpio = gpiochip_get_data(chip);
const unsigned int port = offset / 8;
const unsigned int mask = BIT(offset % 8);
const unsigned int in_port = (port > 2) ? port + 1 : port;
unsigned long flags;
unsigned int port_state;
spin_lock_irqsave(&gpiommgpio->lock, flags);
/* ensure that GPIO is set for input */
if (!(gpiommgpio->io_state[port] & mask)) {
spin_unlock_irqrestore(&gpiommgpio->lock, flags);
return -EINVAL;
}
port_state = ioread8(gpiommgpio->base + in_port);
spin_unlock_irqrestore(&gpiommgpio->lock, flags);
return !!(port_state & mask);
}
static const size_t ports[] = { 0, 1, 2, 4, 5, 6 };
static int gpiomm_gpio_get_multiple(struct gpio_chip *chip, unsigned long *mask,
unsigned long *bits)
{
struct gpiomm_gpio *const gpiommgpio = gpiochip_get_data(chip);
unsigned long offset;
unsigned long gpio_mask;
void __iomem *port_addr;
unsigned long port_state;
/* clear bits array to a clean slate */
bitmap_zero(bits, chip->ngpio);
for_each_set_clump8(offset, gpio_mask, mask, ARRAY_SIZE(ports) * 8) {
port_addr = gpiommgpio->base + ports[offset / 8];
port_state = ioread8(port_addr) & gpio_mask;
bitmap_set_value8(bits, port_state, offset);
}
return 0;
}
static void gpiomm_gpio_set(struct gpio_chip *chip, unsigned int offset,
int value)
{
struct gpiomm_gpio *const gpiommgpio = gpiochip_get_data(chip);
const unsigned int port = offset / 8;
const unsigned int mask = BIT(offset % 8);
const unsigned int out_port = (port > 2) ? port + 1 : port;
unsigned long flags;
spin_lock_irqsave(&gpiommgpio->lock, flags);
if (value)
gpiommgpio->out_state[port] |= mask;
else
gpiommgpio->out_state[port] &= ~mask;
iowrite8(gpiommgpio->out_state[port], gpiommgpio->base + out_port);
spin_unlock_irqrestore(&gpiommgpio->lock, flags);
}
static void gpiomm_gpio_set_multiple(struct gpio_chip *chip,
unsigned long *mask, unsigned long *bits)
{
struct gpiomm_gpio *const gpiommgpio = gpiochip_get_data(chip);
unsigned long offset;
unsigned long gpio_mask;
size_t index;
void __iomem *port_addr;
unsigned long bitmask;
unsigned long flags;
for_each_set_clump8(offset, gpio_mask, mask, ARRAY_SIZE(ports) * 8) {
index = offset / 8;
port_addr = gpiommgpio->base + ports[index];
bitmask = bitmap_get_value8(bits, offset) & gpio_mask;
spin_lock_irqsave(&gpiommgpio->lock, flags);
/* update output state data and set device gpio register */
gpiommgpio->out_state[index] &= ~gpio_mask;
gpiommgpio->out_state[index] |= bitmask;
iowrite8(gpiommgpio->out_state[index], port_addr);
spin_unlock_irqrestore(&gpiommgpio->lock, flags);
}
}
#define GPIOMM_NGPIO 48
static const char *gpiomm_names[GPIOMM_NGPIO] = {
"Port 1A0", "Port 1A1", "Port 1A2", "Port 1A3", "Port 1A4", "Port 1A5",
"Port 1A6", "Port 1A7", "Port 1B0", "Port 1B1", "Port 1B2", "Port 1B3",
"Port 1B4", "Port 1B5", "Port 1B6", "Port 1B7", "Port 1C0", "Port 1C1",
"Port 1C2", "Port 1C3", "Port 1C4", "Port 1C5", "Port 1C6", "Port 1C7",
"Port 2A0", "Port 2A1", "Port 2A2", "Port 2A3", "Port 2A4", "Port 2A5",
"Port 2A6", "Port 2A7", "Port 2B0", "Port 2B1", "Port 2B2", "Port 2B3",
"Port 2B4", "Port 2B5", "Port 2B6", "Port 2B7", "Port 2C0", "Port 2C1",
"Port 2C2", "Port 2C3", "Port 2C4", "Port 2C5", "Port 2C6", "Port 2C7",
};
static int gpiomm_probe(struct device *dev, unsigned int id)
{
struct gpiomm_gpio *gpiommgpio;
const char *const name = dev_name(dev);
int err;
gpiommgpio = devm_kzalloc(dev, sizeof(*gpiommgpio), GFP_KERNEL);
if (!gpiommgpio)
return -ENOMEM;
if (!devm_request_region(dev, base[id], GPIOMM_EXTENT, name)) {
dev_err(dev, "Unable to lock port addresses (0x%X-0x%X)\n",
base[id], base[id] + GPIOMM_EXTENT);
return -EBUSY;
}
gpiommgpio->base = devm_ioport_map(dev, base[id], GPIOMM_EXTENT);
if (!gpiommgpio->base)
return -ENOMEM;
gpiommgpio->chip.label = name;
gpiommgpio->chip.parent = dev;
gpiommgpio->chip.owner = THIS_MODULE;
gpiommgpio->chip.base = -1;
gpiommgpio->chip.ngpio = GPIOMM_NGPIO;
gpiommgpio->chip.names = gpiomm_names;
gpiommgpio->chip.get_direction = gpiomm_gpio_get_direction;
gpiommgpio->chip.direction_input = gpiomm_gpio_direction_input;
gpiommgpio->chip.direction_output = gpiomm_gpio_direction_output;
gpiommgpio->chip.get = gpiomm_gpio_get;
gpiommgpio->chip.get_multiple = gpiomm_gpio_get_multiple;
gpiommgpio->chip.set = gpiomm_gpio_set;
gpiommgpio->chip.set_multiple = gpiomm_gpio_set_multiple;
spin_lock_init(&gpiommgpio->lock);
err = devm_gpiochip_add_data(dev, &gpiommgpio->chip, gpiommgpio);
if (err) {
dev_err(dev, "GPIO registering failed (%d)\n", err);
return err;
}
/* initialize all GPIO as output */
iowrite8(0x80, gpiommgpio->base + 3);
iowrite8(0x00, gpiommgpio->base);
iowrite8(0x00, gpiommgpio->base + 1);
iowrite8(0x00, gpiommgpio->base + 2);
iowrite8(0x80, gpiommgpio->base + 7);
iowrite8(0x00, gpiommgpio->base + 4);
iowrite8(0x00, gpiommgpio->base + 5);
iowrite8(0x00, gpiommgpio->base + 6);
return 0;
}
static struct isa_driver gpiomm_driver = {
.probe = gpiomm_probe,
.driver = {
.name = "gpio-mm"
},
};
module_isa_driver(gpiomm_driver, num_gpiomm);
MODULE_AUTHOR("William Breathitt Gray <vilhelm.gray@gmail.com>");
MODULE_DESCRIPTION("Diamond Systems GPIO-MM GPIO driver");
MODULE_LICENSE("GPL v2");
Computing file changes ...
