Commit b891d11b authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'driver-core-6.17-rc6' of... 

Merge tag 'driver-core-6.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core

Pull driver core fixes from Danilo Krummrich:

 - Fix UAF in cgroup pressure polling by using kernfs_get_active_of()
   to prevent operations on released file descriptors

 - Fix unresolved intra-doc link in the documentation of struct Device
   when CONFIG_DRM != y

 - Update the DMA Rust MAINTAINERS entry

* tag 'driver-core-6.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core:
  MAINTAINERS: Update the DMA Rust entry
  kernfs: Fix UAF in polling when open file is released
  rust: device: fix unresolved link to drm::Device
parents 22f20375 f6d2900f

MAINTAINERS

+2 −2
Original line number Diff line number Diff line
@@ -7238,15 +7238,15 @@ F: include/linux/swiotlb.h 
F:	kernel/dma/









DMA MAPPING HELPERS DEVICE DRIVER API [RUST]









M:	Abdiel Janulgue <abdiel.janulgue@gmail.com>









M:	Danilo Krummrich <dakr@kernel.org>









R:	Abdiel Janulgue <abdiel.janulgue@gmail.com>









R:	Daniel Almeida <daniel.almeida@collabora.com>









R:	Robin Murphy <robin.murphy@arm.com>









R:	Andreas Hindborg <a.hindborg@kernel.org>









L:	rust-for-linux@vger.kernel.org









S:	Supported









W:	https://rust-for-linux.com









T:	git https://github.com/Rust-for-Linux/linux.git alloc-next









T:	git git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core.git









F:	rust/helpers/dma.c









F:	rust/kernel/dma.rs









F:	samples/rust/rust_dma.rs
































fs/kernfs/file.c



+38
−20






























Original line number
Diff line number
Diff line







@@ -70,6 +70,24 @@ static struct kernfs_open_node *of_on(struct kernfs_open_file *of)







					 !list_empty(&of->list));









}



















/* Get active reference to kernfs node for an open file */









static struct kernfs_open_file *kernfs_get_active_of(struct kernfs_open_file *of)









{









	/* Skip if file was already released */









	if (unlikely(of->released))









		return NULL;



















	if (!kernfs_get_active(of->kn))









		return NULL;



















	return of;









}



















static void kernfs_put_active_of(struct kernfs_open_file *of)









{









	return kernfs_put_active(of->kn);









}



















/**









 * kernfs_deref_open_node_locked - Get kernfs_open_node corresponding to @kn









 *








@@ -139,7 +157,7 @@ static void kernfs_seq_stop_active(struct seq_file *sf, void *v)

















	if (ops->seq_stop)









		ops->seq_stop(sf, v);









	kernfs_put_active(of->kn);









	kernfs_put_active_of(of);









}



















static void *kernfs_seq_start(struct seq_file *sf, loff_t *ppos)








@@ -152,7 +170,7 @@ static void *kernfs_seq_start(struct seq_file *sf, loff_t *ppos)







	 * the ops aren't called concurrently for the same open file.









	 */









	mutex_lock(&of->mutex);









	if (!kernfs_get_active(of->kn))









	if (!kernfs_get_active_of(of))









		return ERR_PTR(-ENODEV);



















	ops = kernfs_ops(of->kn);








@@ -238,7 +256,7 @@ static ssize_t kernfs_file_read_iter(struct kiocb *iocb, struct iov_iter *iter)







	 * the ops aren't called concurrently for the same open file.









	 */









	mutex_lock(&of->mutex);









	if (!kernfs_get_active(of->kn)) {









	if (!kernfs_get_active_of(of)) {









		len = -ENODEV;









		mutex_unlock(&of->mutex);









		goto out_free;








@@ -252,7 +270,7 @@ static ssize_t kernfs_file_read_iter(struct kiocb *iocb, struct iov_iter *iter)







	else









		len = -EINVAL;



















	kernfs_put_active(of->kn);









	kernfs_put_active_of(of);









	mutex_unlock(&of->mutex);



















	if (len < 0)








@@ -323,7 +341,7 @@ static ssize_t kernfs_fop_write_iter(struct kiocb *iocb, struct iov_iter *iter)







	 * the ops aren't called concurrently for the same open file.









	 */









	mutex_lock(&of->mutex);









	if (!kernfs_get_active(of->kn)) {









	if (!kernfs_get_active_of(of)) {









		mutex_unlock(&of->mutex);









		len = -ENODEV;









		goto out_free;








@@ -335,7 +353,7 @@ static ssize_t kernfs_fop_write_iter(struct kiocb *iocb, struct iov_iter *iter)







	else









		len = -EINVAL;



















	kernfs_put_active(of->kn);









	kernfs_put_active_of(of);









	mutex_unlock(&of->mutex);



















	if (len > 0)








@@ -357,13 +375,13 @@ static void kernfs_vma_open(struct vm_area_struct *vma)







	if (!of->vm_ops)









		return;



















	if (!kernfs_get_active(of->kn))









	if (!kernfs_get_active_of(of))









		return;



















	if (of->vm_ops->open)









		of->vm_ops->open(vma);



















	kernfs_put_active(of->kn);









	kernfs_put_active_of(of);









}



















static vm_fault_t kernfs_vma_fault(struct vm_fault *vmf)








@@ -375,14 +393,14 @@ static vm_fault_t kernfs_vma_fault(struct vm_fault *vmf)







	if (!of->vm_ops)









		return VM_FAULT_SIGBUS;



















	if (!kernfs_get_active(of->kn))









	if (!kernfs_get_active_of(of))









		return VM_FAULT_SIGBUS;



















	ret = VM_FAULT_SIGBUS;









	if (of->vm_ops->fault)









		ret = of->vm_ops->fault(vmf);



















	kernfs_put_active(of->kn);









	kernfs_put_active_of(of);









	return ret;









}


















@@ -395,7 +413,7 @@ static vm_fault_t kernfs_vma_page_mkwrite(struct vm_fault *vmf)







	if (!of->vm_ops)









		return VM_FAULT_SIGBUS;



















	if (!kernfs_get_active(of->kn))









	if (!kernfs_get_active_of(of))









		return VM_FAULT_SIGBUS;



















	ret = 0;








@@ -404,7 +422,7 @@ static vm_fault_t kernfs_vma_page_mkwrite(struct vm_fault *vmf)







	else









		file_update_time(file);



















	kernfs_put_active(of->kn);









	kernfs_put_active_of(of);









	return ret;









}


















@@ -418,14 +436,14 @@ static int kernfs_vma_access(struct vm_area_struct *vma, unsigned long addr,







	if (!of->vm_ops)









		return -EINVAL;



















	if (!kernfs_get_active(of->kn))









	if (!kernfs_get_active_of(of))









		return -EINVAL;



















	ret = -EINVAL;









	if (of->vm_ops->access)









		ret = of->vm_ops->access(vma, addr, buf, len, write);



















	kernfs_put_active(of->kn);









	kernfs_put_active_of(of);









	return ret;









}


















@@ -455,7 +473,7 @@ static int kernfs_fop_mmap(struct file *file, struct vm_area_struct *vma)







	mutex_lock(&of->mutex);



















	rc = -ENODEV;









	if (!kernfs_get_active(of->kn))









	if (!kernfs_get_active_of(of))









		goto out_unlock;



















	ops = kernfs_ops(of->kn);








@@ -490,7 +508,7 @@ static int kernfs_fop_mmap(struct file *file, struct vm_area_struct *vma)







	}









	vma->vm_ops = &kernfs_vm_ops;









out_put:









	kernfs_put_active(of->kn);









	kernfs_put_active_of(of);









out_unlock:









	mutex_unlock(&of->mutex);


















@@ -852,7 +870,7 @@ static __poll_t kernfs_fop_poll(struct file *filp, poll_table *wait)







	struct kernfs_node *kn = kernfs_dentry_node(filp->f_path.dentry);









	__poll_t ret;



















	if (!kernfs_get_active(kn))









	if (!kernfs_get_active_of(of))









		return DEFAULT_POLLMASK|EPOLLERR|EPOLLPRI;



















	if (kn->attr.ops->poll)








@@ -860,7 +878,7 @@ static __poll_t kernfs_fop_poll(struct file *filp, poll_table *wait)







	else









		ret = kernfs_generic_poll(of, wait);



















	kernfs_put_active(kn);









	kernfs_put_active_of(of);









	return ret;









}


















@@ -875,7 +893,7 @@ static loff_t kernfs_fop_llseek(struct file *file, loff_t offset, int whence)







	 * the ops aren't called concurrently for the same open file.









	 */









	mutex_lock(&of->mutex);









	if (!kernfs_get_active(of->kn)) {









	if (!kernfs_get_active_of(of)) {









		mutex_unlock(&of->mutex);









		return -ENODEV;









	}








@@ -886,7 +904,7 @@ static loff_t kernfs_fop_llseek(struct file *file, loff_t offset, int whence)







	else









		ret = generic_file_llseek(file, offset, whence);



















	kernfs_put_active(of->kn);









	kernfs_put_active_of(of);









	mutex_unlock(&of->mutex);









	return ret;









}
































rust/kernel/device.rs



+3
−2






























Original line number
Diff line number
Diff line







@@ -138,7 +138,9 @@







/// }









/// ```









///









/// An example for a class device implementation is [`drm::Device`].









/// An example for a class device implementation is









#[cfg_attr(CONFIG_DRM = "y", doc = "[`drm::Device`](kernel::drm::Device).")]









#[cfg_attr(not(CONFIG_DRM = "y"), doc = "`drm::Device`.")]









///









/// # Invariants









///








@@ -151,7 +153,6 @@







/// dropped from any thread.









///









/// [`AlwaysRefCounted`]: kernel::types::AlwaysRefCounted









/// [`drm::Device`]: kernel::drm::Device









/// [`impl_device_context_deref`]: kernel::impl_device_context_deref









/// [`pci::Device`]: kernel::pci::Device









/// [`platform::Device`]: kernel::platform::Device