Re: [PATCH RESEND] chardev: fix error handling in cdev_device_add()

From: Yang Yingliang
Date: Sun Jul 31 2022 - 22:07:31 EST


Hi, Greg

On 2022/7/14 17:33, Greg KH wrote:
On Thu, Jul 14, 2022 at 05:23:55PM +0800, Yang Yingliang wrote:
If dev->devt is not set, cdev_add() will not be called, so if device_add()
fails, cdev_del() is not needed. Fix this by checking dev->devt in the error
case.

Fixes: 233ed09d7fda ("chardev: add helper function to register char devs with a struct device")
Reported-by: Hulk Robot <hulkci@xxxxxxxxxx>
Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx>
---
fs/char_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/char_dev.c b/fs/char_dev.c
index ba0ded7842a7..3f667292608c 100644
--- a/fs/char_dev.c
+++ b/fs/char_dev.c
@@ -547,7 +547,7 @@ int cdev_device_add(struct cdev *cdev, struct device *dev)
}
rc = device_add(dev);
- if (rc)
+ if (rc && dev->devt)
cdev_del(cdev);
return rc;
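Review bot: the new guard `if (rc && dev->devt)` silently depends on the `if (dev->devt)` check that decides earlier in cdev_device_add() whether cdev_add() runs at all (as the commit message explains), but nothing in this hunk ties the two together, so a later edit to either condition can reintroduce the unbalanced cdev_del() that trips the kobject_put() warning shown in the report. Suggest a one-line comment above the changed line, e.g. `/* cdev_add() only ran when dev->devt is set; undo only that */`, so the setup and teardown conditions stay visibly paired.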
--
2.25.1

Please see https://lore.kernel.org/r/YsLtXYa4kRYEEaX/@kroah.com for why
I will no longer accept patches from Huawei with the "hulk robot" claim
without the required information.
I found this bug by a fault injection test, and it can be reproduced in 5.19.0-rc6.
When an error is injected in device_add(), it triggers the bug.

The FAULT_INJECTION stack is:
[   90.246918][ T1527] FAULT_INJECTION: forcing a failure.
[   90.246918][ T1527] name failslab, interval 1, probability 0, space 0, times 0
[   90.248546][ T1527] CPU: 3 PID: 1527 Comm: 63 Not tainted 5.19.0-rc6-00276-g187506bb1928-dirty #668 3b1a4a46ce78a2173f0a10415bb4c4ff7194a867
[   90.249993][ T1527] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   90.251114][ T1527] Call Trace:
[   90.251500][ T1527]  <TASK>
[   90.251889][ T1527]  dump_stack_lvl+0xe4/0x156
[   90.252661][ T1527]  should_fail.cold.3+0x5/0x1f
[   90.253242][ T1527]  ? device_add+0x10cd/0x1de0
[   90.253835][ T1527]  ? device_add+0x10cd/0x1de0
[   90.254391][ T1527]  should_failslab+0xa/0x20
[   90.254902][ T1527]  kmem_cache_alloc_trace+0x5a/0x2e0
[   90.255496][ T1527]  device_add+0x10cd/0x1de0
[   90.256100][ T1527]  ? rcu_read_lock_held_common+0xe/0xb0
[   90.256951][ T1527]  ? rcu_read_lock_sched_held+0x62/0xf0
[   90.257811][ T1527]  ? rcu_read_lock_bh_held+0xd0/0xd0
[   90.258627][ T1527]  ? iio_dev_release+0x161/0x1c0 [industrialio]
[   90.260110][ T1527]  ? __fw_devlink_link_to_suppliers+0x2c0/0x2c0
[   90.260818][ T1527]  ? write_comp_data+0x2a/0x90
[   90.261366][ T1527]  ? __sanitizer_cov_trace_pc+0x1d/0x50
[   90.262003][ T1527]  ? iio_device_register_eventset+0x6f6/0xea0 [industrialio]
[   90.263365][ T1527]  cdev_device_add+0x130/0x1b0
[   90.263923][ T1527]  __iio_device_register+0x1392/0x1ac0 [industrialio]
[   90.265218][ T1527]  __devm_iio_device_register+0x22/0x90 [industrialio]
[   90.266502][ T1527]  max517_probe+0x3d8/0x6b4 [max517]
[   90.267456][ T1527]  ? max517_write_raw+0x1e0/0x1e0 [max517]
[   90.268472][ T1527]  i2c_device_probe+0x974/0xae0
[   90.269016][ T1527]  ? i2c_device_match+0x120/0x120
[   90.269577][ T1527]  really_probe+0x44a/0xaf0

The kernel reported this warning:
[   90.309159][ T1527] ------------[ cut here ]------------
[   90.309981][ T1527] kobject: '(null)' (000000008ab24cf9): is not initialized, yet kobject_put() is being called.
[   90.311910][ T1527] WARNING: CPU: 3 PID: 1527 at kobject_put+0x24c/0x540
[   90.312975][ T1527] Modules linked in: max517 industrialio spi_stub i2c_stub i2c_dev joydev mousedev intel_rapl_msr input_leds led_class nfit edac_core libnvdimm intel_rapl_common intel_uncore_frequency_common isst_if_common ppdev serio_raw psmouse atkbd kvm_intel libps2 vivaldi_fmap kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd cryptd bochs drm_vram_helper drm_ttm_helper ttm sr_mod evdev drm_kms_helper cdrom mac_hid drm sg drm_panel_orientation_quirks cfbfillrect cfbimgblt parport_pc cfbcopyarea parport rtc_cmos fb_sys_fops floppy syscopyarea sysfillrect i8042 serio sysimgblt ata_generic fb pata_acpi fbdev i2c_piix4 backlight intel_agp tiny_power_button intel_gtt agpgart qemu_fw_cfg button ip_tables x_tables ipv6 crc_ccitt autofs4
[   90.324844][ T1527] CPU: 3 PID: 1527 Comm: 63 Not tainted 5.19.0-rc6-00276-g187506bb1928-dirty #668 3b1a4a46ce78a2173f0a10415bb4c4ff7194a867
[   90.326763][ T1527] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   90.328285][ T1527] RIP: 0010:kobject_put+0x24c/0x540
[   90.329113][ T1527] Code: e8 c9 21 e5 fe 90 48 89 d8 48 c1 e8 03 80 3c 28 00 0f 85 7a 02 00 00 48 8b 33 48 89 da 48 c7 c7 a0 73 ff 88 e8 22 83 ff 00 90 <0f> 0b 90 90 e9 1c fe ff ff e8 96 21 e5 fe 4c 8b 0c 24 48 89 d9 4c
[   90.331985][ T1527] RSP: 0018:ffffc9000496f508 EFLAGS: 00010286
[   90.332902][ T1527] RAX: 0000000000000000 RBX: ffff88800c1b2788 RCX: ffffffff861ac93a
[   90.334079][ T1527] RDX: 0000000000000000 RSI: ffff888005608000 RDI: 0000000000000002
[   90.335248][ T1527] RBP: dffffc0000000000 R08: ffffed1021240346 R09: ffffed1021240346
[   90.336464][ T1527] R10: ffff888109201a2b R11: ffffed1021240345 R12: ffff88800c1b27c4
[   90.337640][ T1527] R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000
[   90.338827][ T1527] FS:  00007fe80c499500(0000) GS:ffff888109000000(0000) knlGS:0000000000000000
[   90.340190][ T1527] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   90.341173][ T1527] CR2: 000055837fa23708 CR3: 0000000005c36001 CR4: 0000000000770ee0
[   90.342307][ T1527] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   90.343140][ T1527] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   90.344024][ T1527] PKRU: 55555554
[   90.344562][ T1527] Call Trace:
[   90.345063][ T1527]  <TASK>
[   90.345529][ T1527]  cdev_device_add+0x15e/0x1b0
[   90.346214][ T1527]  __iio_device_register+0x1392/0x1ac0 [industrialio]
[   90.347509][ T1527]  __devm_iio_device_register+0x22/0x90 [industrialio]
[   90.348840][ T1527]  max517_probe+0x3d8/0x6b4 [max517]
[   90.350091][ T1527]  ? max517_write_raw+0x1e0/0x1e0 [max517]
[   90.351093][ T1527]  i2c_device_probe+0x974/0xae0
[   90.351633][ T1527]  ? i2c_device_match+0x120/0x120
[   90.352255][ T1527]  really_probe+0x44a/0xaf0

If attached_buffers_cnt and event_interface of iio_dev_opaque are not set, the 'cdev' is not initialized and
dev->devt is not set, but cdev_del() is called in the error path, and that triggers this bug.

Also, you did not state why this was a RESEND.
https://lore.kernel.org/lkml/1959fa74-b06c-b8bc-d14f-b71e5c4290ee@xxxxxxxxxx/T/
This patch was sent last year, and the bug can be reproduced, so I resent it to get it fixed.

Thanks,
Yang

Now dropped from my review queue,

greg k-h
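As an added illustration (not kernel code and not part of the patch above), this userspace C model mirrors the control flow the commit message describes: cdev_add() runs only when dev->devt is set, so the cdev_del() on the device_add() failure path has to be guarded the same way. The structs and functions are hypothetical stand-ins constructed for the example; a boolean replaces the kobject state whose absence produces the kobject_put() warning in the log, and a flag on the device plays the role of the failslab fault injection.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for the kernel structures (constructed for this example). */
struct cdev { bool added; };                       /* set by cdev_add(), cleared by cdev_del() */
struct device { unsigned int devt; bool fail_device_add; };

static int cdev_add(struct cdev *c) { c->added = true; return 0; }

/* Deleting a cdev that was never added is the bug in the thread; the kernel
 * warns from kobject_put(), this model returns 1 instead of warning. */
static int cdev_del(struct cdev *c)
{
	if (!c->added)
		return 1;
	c->added = false;
	return 0;
}

/* Fault-injection point, standing in for failslab inside device_add(). */
static int device_add(struct device *d) { return d->fail_device_add ? -ENOMEM : 0; }

/* Model of cdev_device_add(); 'fixed' selects the patched error path.
 * Every cdev_del() on a never-added cdev is counted in *bad_del. */
static int cdev_device_add_model(struct cdev *c, struct device *d, bool fixed, int *bad_del)
{
	int rc;

	if (d->devt) {                          /* cdev_add() only when devt is set */
		rc = cdev_add(c);
		if (rc)
			return rc;
	}
	rc = device_add(d);
	if (rc && (!fixed || d->devt))          /* fixed: undo only a real cdev_add() */
		*bad_del += cdev_del(c);
	return rc;
}

/* One scenario: how many times was a never-added cdev deleted? */
static int spurious_deletes(unsigned int devt, bool inject_fail, bool fixed)
{
	struct cdev c = { .added = false };
	struct device d = { .devt = devt, .fail_device_add = inject_fail };
	int bad = 0;

	(void)cdev_device_add_model(&c, &d, fixed, &bad);
	return bad;
}

int main(void)
{
	printf("buggy, devt unset, device_add fails: %d spurious cdev_del\n", spurious_deletes(0, true, false));
	printf("fixed, devt unset, device_add fails: %d spurious cdev_del\n", spurious_deletes(0, true, true));
	return 0;
}
```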