From patchwork Fri May 4 08:14:47 2018
X-Patchwork-Submitter: Sebastian Andrzej Siewior
X-Patchwork-Id: 908594
Date: Fri, 4 May 2018 10:14:47 +0200
From: Sebastian Andrzej Siewior
To: Richard Genoud
Cc: Rob Herring, Alexandre Belloni, Peter Hurley, Greg Kroah-Hartman, linux-serial@vger.kernel.org, Jiri Slaby, tglx@linutronix.de, linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2] tty/serial: atmel: use port->name as name in request_irq()
Message-ID: <20180504081447.enontsm6jod4xa6g@linutronix.de>
In-Reply-To: <80203f75-f38e-6214-e9b6-8512c5941647@sorico.fr>

I was puzzled while looking at /proc/interrupts and random things showed up between reboots. This occurred more often but I realised it later.
The "correct" output should be:
|38: 11861 atmel-aic5 2 Level ttyS0

but I saw sometimes
|38: 6426 atmel-aic5 2 Level tty1

and accounted it wrongly as correct. This is use after free and the former example randomly got the "old" pointer which pointed to the same content. With SLAB_FREELIST_RANDOM and HARDENED I even got
|38: 7067 atmel-aic5 2 Level E=Started User Manager for UID 0

or other nonsense.
As it turns out the tty, pointer that is accessed in atmel_startup(), is freed() before atmel_shutdown(). It seems to happen quite often that the tty for ttyS0 is allocated and freed while ->shutdown is not invoked. I don't do anything special - just a systemd boot :)

Use port->name as the IRQ name for request_irq(). This exists as long as the driver is loaded so no use-after-free here.

For backports before v4.12 I suggest to use `"atmel_serial"' instead `port->name' (that member was introduced in f7048b15900f ("tty: serial_core: Add name field to uart_port struct").

Cc: stable@vger.kernel.org
Fixes: 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close")
Signed-off-by: Sebastian Andrzej Siewior
Acked-by: Richard Genoud
Acked-by: Rob Herring
---
v1…v2:
- Bisected and added a Fixes tag
- added a note for backporters to v4.9 … v4.12 (pointed out by Richard Genoud)

drivers/tty/serial/atmel_serial.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c index e287fe8f10fc..d3189816740e 100644 --- a/drivers/tty/serial/atmel_serial.c +++ b/drivers/tty/serial/atmel_serial.c @@ -1757,7 +1757,6 @@ static int atmel_startup(struct uart_port *port) { struct platform_device *pdev = to_platform_device(port->dev); struct atmel_uart_port *atmel_port = to_atmel_uart_port(port); - struct tty_struct *tty = port->state->port.tty; int retval; /* 
@@ -1772,8 +1771,7 @@ static int atmel_startup(struct uart_port *port) * Allocate the IRQ */ retval = request_irq(port->irq, atmel_interrupt, - IRQF_SHARED | IRQF_COND_SUSPEND, - tty ? tty->name : "atmel_serial", port); + IRQF_SHARED | IRQF_COND_SUSPEND, port->name, port); if (retval) { dev_err(port->dev, "atmel_startup - Can't get irq\n"); return retval;
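Review bot: In the second hunk, the new request_irq() argument port->name only exists since f7048b15900f according to the commit message, yet the patch carries a plain "Cc: stable@vger.kernel.org" and a Fixes tag pointing at 761ed4a94582, so on stable trees older than v4.12 this line will not build as posted. Consider annotating the stable tag with the version range it applies to cleanly, or sending a separate backport that passes "atmel_serial" as the message suggests. It would also help to put a one-line comment above the call saying that the name string has to stay valid until free_irq(), since request_irq() stores the pointer rather than copying the string; that is the reason tty->name was wrong here, and nothing in the code records it once the "tty ? tty->name : ..." expression is gone.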