From 946593d1555921720fa674432e998a1b5931ddac Mon Sep 17 00:00:00 2001
From: Li Zhijian
Date: Mon, 18 Mar 2024 14:05:32 +0800
Subject: Revert "firewire: Kill unnecessary buf check in device_attribute.show"

This reverts commit 4a2b06ca33763b363038d333274e212db6ff0de1.

The previous fix didn't consider callers from other than sysfs. Revert it to fix the NULL dereference

kernel: ? sysfs_emit+0xb5/0xc0
kernel: show_immediate+0x13f/0x1d0 [firewire_core]
kernel: init_fw_attribute_group+0x81/0x150 [firewire_core]
kernel: create_units+0x119/0x160 [firewire_core]
kernel: fw_device_init+0x1a9/0x330 [firewire_core]
kernel: fw_device_workfn+0x12/0x20 [firewire_core]
kernel: process_one_work+0x16f/0x350
kernel: worker_thread+0x306/0x440
kernel: ? __pfx_worker_thread+0x10/0x10
kernel: kthread+0xf2/0x120
kernel: ? __pfx_kthread+0x10/0x10
kernel: ret_from_fork+0x47/0x70
kernel: ? __pfx_kthread+0x10/0x10
kernel: ret_from_fork_asm+0x1b/0x30
kernel:
kernel: ---[ end trace 0000000000000000 ]---
kernel: ------------[ cut here ]------------

Fixes: 4a2b06ca3376 ("firewire: Kill unnecessary buf check in device_attribute.show")
Reported-by: Takashi Sakamoto
Signed-off-by: Li Zhijian
Link: https://lore.kernel.org/lkml/625470f3-b196-43f7-9844-fa1cb6da99f8@fujitsu.com/
Signed-off-by: Takashi Sakamoto
---
 drivers/firewire/core-device.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/drivers/firewire/core-device.c b/drivers/firewire/core-device.c
index c0976f6268d329..f208a02d0ebf71 100644
--- a/drivers/firewire/core-device.c
+++ b/drivers/firewire/core-device.c
@@ -322,7 +322,7 @@ static ssize_t show_immediate(struct device *dev,
 if (value < 0)
 return -ENOENT;
- return sysfs_emit(buf, "0x%06x\n", value);
+ return buf ? sysfs_emit(buf, "0x%06x\n", value) : 0;
 }
 #define IMMEDIATE_ATTR(name, key) \
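Review bot: The restored `buf ? sysfs_emit(buf, "0x%06x\n", value) : 0` looks like a redundant NULL check in a .show callback, which is exactly why 4a2b06ca3376 removed it and why the trace in the commit message ends in sysfs_emit(): the NULL buf arrives from init_fw_attribute_group() during fw_device_init(), so the oops is reachable by enumerating a device, not only by a sysfs read. A bare NULL test will tempt the next cleanup to strip it again; consider making the probe explicit instead, e.g. have init_fw_attribute_group() call a small `static int immediate_present(struct device *dev, struct device_attribute *dattr)` that performs the lookup done above this hunk, with show_immediate() reduced to that lookup plus sysfs_emit(), so `buf` is never NULL on the sysfs path. That is a layout suggestion only and depends on the probe call site, which is not on this page. show_immediate() begins before the hunk.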
@@ -334,6 +334,8 @@ static ssize_t show_text_leaf(struct device *dev,
 struct config_rom_attribute *attr = container_of(dattr, struct config_rom_attribute, attr);
 const u32 *directories[] = {NULL, NULL};
+ size_t bufsize;
+ char dummy_buf[2];
 int i, ret = -ENOENT;
 down_read(&fw_device_rwsem);
@@ -355,9 +357,15 @@ static ssize_t show_text_leaf(struct device *dev,
 }
 }
+ if (buf) {
+ bufsize = PAGE_SIZE - 1;
+ } else {
+ buf = dummy_buf;
+ bufsize = 1;
+ }
+
 for (i = 0; i < ARRAY_SIZE(directories) && !!directories[i]; ++i) {
- int result = fw_csr_string(directories[i], attr->key, buf,
- PAGE_SIZE - 1);
+ int result = fw_csr_string(directories[i], attr->key, buf, bufsize);
 // Detected.
 if (result >= 0) {
 ret = result;
@@ -366,7 +374,7 @@ static ssize_t show_text_leaf(struct device *dev,
 // in the root directory follows to the directory entry for vendor ID
 // instead of the immediate value for vendor ID.
 result = fw_csr_string(directories[i], CSR_DIRECTORY | attr->key, buf,
- PAGE_SIZE - 1);
+ bufsize);
 if (result >= 0)
 ret = result;
 }
-- cgit 1.2.3-korg

From bfb1ad3c6aab2341ace13222ac0a78e5b4c239c8 Mon Sep 17 00:00:00 2001
From: Takashi Sakamoto
Date: Mon, 18 Mar 2024 17:59:14 +0900
Subject: firewire: core: add memo about the caller of show functions for device attributes

In the case of firewire core function, the caller of show functions for device attributes is not only sysfs user, but also device initialization. This commit adds memo about it against the typical assumption that the functions are just dedicated to sysfs user.

Link: https://lore.kernel.org/lkml/20240318091759.678326-1-o-takashi@sakamocchi.jp/
Signed-off-by: Takashi Sakamoto
---
 drivers/firewire/core-device.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/firewire/core-device.c b/drivers/firewire/core-device.c
index f208a02d0ebf71..e6cdb905eeaca7 100644
--- a/drivers/firewire/core-device.c
+++ b/drivers/firewire/core-device.c
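Review bot: In the revert's `@@ -355,9 +357,15 @@` hunk of show_text_leaf(), `bufsize = 1` is paired with the `char dummy_buf[2]` added in the hunk before it, and nothing records why the array is one byte larger than the length handed to fw_csr_string(); presumably the extra byte is for a terminator that fw_csr_string() writes, which should be stated next to the declaration, e.g. `char dummy_buf[2]; /* buf == NULL probe: bufsize 1 plus terminator */`, once confirmed against fw_csr_string(). In the probe case `ret` becomes whatever fw_csr_string() returns for a 1-byte buffer, which is only safe if that function signals failure solely by a negative return and never treats truncation as an error; that contract is not visible here and is worth checking, because the in-kernel caller appears (from the trace in the commit message) to use only the sign of the result. The `for` loop and show_text_leaf() itself extend beyond the hunk.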
@@ -322,6 +322,7 @@ static ssize_t show_immediate(struct device *dev,
 if (value < 0)
 return -ENOENT;
+ // Note that this function is also called by init_fw_attribute_group() with NULL pointer.
 return buf ? sysfs_emit(buf, "0x%06x\n", value) : 0;
 }
@@ -357,6 +358,7 @@ static ssize_t show_text_leaf(struct device *dev,
 }
 }
+ // Note that this function is also called by init_fw_attribute_group() with NULL pointer.
 if (buf) {
 bufsize = PAGE_SIZE - 1;
 } else {
-- cgit 1.2.3-korg
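Review bot: The added comment names the caller but not the contract the two functions honour for it: with `buf == NULL`, show_immediate() returns 0 without touching buf and show_text_leaf() redirects into the stack `dummy_buf`, and that behaviour is what a future edit must preserve. Suggest wording it as the rule rather than the observation, e.g. `// Also called by init_fw_attribute_group() with buf == NULL to probe for the attribute: return only the status and never write through buf.` — the "probe" reading is inferred from the trace in the preceding revert, so confirm it against init_fw_attribute_group() before committing to it. The same sentence is duplicated in the second hunk for show_text_leaf(); a short cross-reference to the show_immediate() comment would keep the two from drifting apart. Both show_immediate() and show_text_leaf() begin before their hunks.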