Revision 4e43e64d0f1332fcc503babad4dc31aead7131ca authored by Eric Dumazet on 28 June 2022, 12:12:48 UTC, committed by Jakub Kicinski on 30 June 2022, 03:41:09 UTC
As reported by syzbot, we should not use rcu_dereference()
when rcu_read_lock() is not held.
WARNING: suspicious RCU usage
5.19.0-rc2-syzkaller #0 Not tainted
net/ipv6/addrconf.c:5175 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor326/3617:
#0: ffffffff8d5848e8 (rtnl_mutex){+.+.}-{3:3}, at: netlink_dump+0xae/0xc20 net/netlink/af_netlink.c:2223
stack backtrace:
CPU: 0 PID: 3617 Comm: syz-executor326 Not tainted 5.19.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
in6_dump_addrs+0x12d1/0x1790 net/ipv6/addrconf.c:5175
inet6_dump_addr+0x9c1/0xb50 net/ipv6/addrconf.c:5300
netlink_dump+0x541/0xc20 net/netlink/af_netlink.c:2275
__netlink_dump_start+0x647/0x900 net/netlink/af_netlink.c:2380
netlink_dump_start include/linux/netlink.h:245 [inline]
rtnetlink_rcv_msg+0x73e/0xc90 net/core/rtnetlink.c:6046
netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
____sys_sendmsg+0x6eb/0x810 net/socket.c:2492
___sys_sendmsg+0xf3/0x170 net/socket.c:2546
__sys_sendmsg net/socket.c:2575 [inline]
__do_sys_sendmsg net/socket.c:2584 [inline]
__se_sys_sendmsg net/socket.c:2582 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2582
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Fixes: 88e2ca308094 ("mld: convert ifmcaddr6 to RCU")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Taehee Yoo <ap420073@gmail.com>
Link: https://lore.kernel.org/r/20220628121248.858695-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
1 parent fa152f6
gpio-xgene.c
// SPDX-License-Identifier: GPL-2.0-only
/*
* AppliedMicro X-Gene SoC GPIO Driver
*
* Copyright (c) 2014, Applied Micro Circuits Corporation
* Author: Feng Kan <fkan@apm.com>.
*/
#include <linux/acpi.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/io.h>
#include <linux/spinlock.h>
#include <linux/platform_device.h>
#include <linux/gpio/driver.h>
#include <linux/types.h>
#include <linux/bitops.h>
#define GPIO_SET_DR_OFFSET 0x0C
#define GPIO_DATA_OFFSET 0x14
#define GPIO_BANK_STRIDE 0x0C
#define XGENE_GPIOS_PER_BANK 16
#define XGENE_MAX_GPIO_BANKS 3
#define XGENE_MAX_GPIOS (XGENE_GPIOS_PER_BANK * XGENE_MAX_GPIO_BANKS)
#define GPIO_BIT_OFFSET(x) (x % XGENE_GPIOS_PER_BANK)
#define GPIO_BANK_OFFSET(x) ((x / XGENE_GPIOS_PER_BANK) * GPIO_BANK_STRIDE)
struct xgene_gpio {
struct gpio_chip chip;
void __iomem *base;
spinlock_t lock;
u32 set_dr_val[XGENE_MAX_GPIO_BANKS];
};
static int xgene_gpio_get(struct gpio_chip *gc, unsigned int offset)
{
struct xgene_gpio *chip = gpiochip_get_data(gc);
unsigned long bank_offset;
u32 bit_offset;
bank_offset = GPIO_DATA_OFFSET + GPIO_BANK_OFFSET(offset);
bit_offset = GPIO_BIT_OFFSET(offset);
return !!(ioread32(chip->base + bank_offset) & BIT(bit_offset));
}
static void __xgene_gpio_set(struct gpio_chip *gc, unsigned int offset, int val)
{
struct xgene_gpio *chip = gpiochip_get_data(gc);
unsigned long bank_offset;
u32 setval, bit_offset;
bank_offset = GPIO_SET_DR_OFFSET + GPIO_BANK_OFFSET(offset);
bit_offset = GPIO_BIT_OFFSET(offset) + XGENE_GPIOS_PER_BANK;
setval = ioread32(chip->base + bank_offset);
if (val)
setval |= BIT(bit_offset);
else
setval &= ~BIT(bit_offset);
iowrite32(setval, chip->base + bank_offset);
}
static void xgene_gpio_set(struct gpio_chip *gc, unsigned int offset, int val)
{
struct xgene_gpio *chip = gpiochip_get_data(gc);
unsigned long flags;
spin_lock_irqsave(&chip->lock, flags);
__xgene_gpio_set(gc, offset, val);
spin_unlock_irqrestore(&chip->lock, flags);
}
static int xgene_gpio_get_direction(struct gpio_chip *gc, unsigned int offset)
{
struct xgene_gpio *chip = gpiochip_get_data(gc);
unsigned long bank_offset, bit_offset;
bank_offset = GPIO_SET_DR_OFFSET + GPIO_BANK_OFFSET(offset);
bit_offset = GPIO_BIT_OFFSET(offset);
if (ioread32(chip->base + bank_offset) & BIT(bit_offset))
return GPIO_LINE_DIRECTION_IN;
return GPIO_LINE_DIRECTION_OUT;
}
static int xgene_gpio_dir_in(struct gpio_chip *gc, unsigned int offset)
{
struct xgene_gpio *chip = gpiochip_get_data(gc);
unsigned long flags, bank_offset;
u32 dirval, bit_offset;
bank_offset = GPIO_SET_DR_OFFSET + GPIO_BANK_OFFSET(offset);
bit_offset = GPIO_BIT_OFFSET(offset);
spin_lock_irqsave(&chip->lock, flags);
dirval = ioread32(chip->base + bank_offset);
dirval |= BIT(bit_offset);
iowrite32(dirval, chip->base + bank_offset);
spin_unlock_irqrestore(&chip->lock, flags);
return 0;
}
static int xgene_gpio_dir_out(struct gpio_chip *gc,
unsigned int offset, int val)
{
struct xgene_gpio *chip = gpiochip_get_data(gc);
unsigned long flags, bank_offset;
u32 dirval, bit_offset;
bank_offset = GPIO_SET_DR_OFFSET + GPIO_BANK_OFFSET(offset);
bit_offset = GPIO_BIT_OFFSET(offset);
spin_lock_irqsave(&chip->lock, flags);
dirval = ioread32(chip->base + bank_offset);
dirval &= ~BIT(bit_offset);
iowrite32(dirval, chip->base + bank_offset);
__xgene_gpio_set(gc, offset, val);
spin_unlock_irqrestore(&chip->lock, flags);
return 0;
}
static __maybe_unused int xgene_gpio_suspend(struct device *dev)
{
struct xgene_gpio *gpio = dev_get_drvdata(dev);
unsigned long bank_offset;
unsigned int bank;
for (bank = 0; bank < XGENE_MAX_GPIO_BANKS; bank++) {
bank_offset = GPIO_SET_DR_OFFSET + bank * GPIO_BANK_STRIDE;
gpio->set_dr_val[bank] = ioread32(gpio->base + bank_offset);
}
return 0;
}
static __maybe_unused int xgene_gpio_resume(struct device *dev)
{
struct xgene_gpio *gpio = dev_get_drvdata(dev);
unsigned long bank_offset;
unsigned int bank;
for (bank = 0; bank < XGENE_MAX_GPIO_BANKS; bank++) {
bank_offset = GPIO_SET_DR_OFFSET + bank * GPIO_BANK_STRIDE;
iowrite32(gpio->set_dr_val[bank], gpio->base + bank_offset);
}
return 0;
}
static SIMPLE_DEV_PM_OPS(xgene_gpio_pm, xgene_gpio_suspend, xgene_gpio_resume);
static int xgene_gpio_probe(struct platform_device *pdev)
{
struct xgene_gpio *gpio;
gpio = devm_kzalloc(&pdev->dev, sizeof(*gpio), GFP_KERNEL);
if (!gpio)
return -ENOMEM;
gpio->base = devm_platform_ioremap_resource(pdev, 0);
if (IS_ERR(gpio->base))
return PTR_ERR(gpio->base);
gpio->chip.ngpio = XGENE_MAX_GPIOS;
spin_lock_init(&gpio->lock);
gpio->chip.parent = &pdev->dev;
gpio->chip.get_direction = xgene_gpio_get_direction;
gpio->chip.direction_input = xgene_gpio_dir_in;
gpio->chip.direction_output = xgene_gpio_dir_out;
gpio->chip.get = xgene_gpio_get;
gpio->chip.set = xgene_gpio_set;
gpio->chip.label = dev_name(&pdev->dev);
gpio->chip.base = -1;
platform_set_drvdata(pdev, gpio);
return devm_gpiochip_add_data(&pdev->dev, &gpio->chip, gpio);
}
static const struct of_device_id xgene_gpio_of_match[] = {
{ .compatible = "apm,xgene-gpio", },
{},
};
#ifdef CONFIG_ACPI
static const struct acpi_device_id xgene_gpio_acpi_match[] = {
{ "APMC0D14", 0 },
{ },
};
#endif
static struct platform_driver xgene_gpio_driver = {
.driver = {
.name = "xgene-gpio",
.of_match_table = xgene_gpio_of_match,
.acpi_match_table = ACPI_PTR(xgene_gpio_acpi_match),
.pm = &xgene_gpio_pm,
},
.probe = xgene_gpio_probe,
};
builtin_platform_driver(xgene_gpio_driver);
Computing file changes ...
