[PATCH] staging: vc04_services: vchiq_arm: Fix NULL ptr dereferences

Stefan Wahren wahrenst at gmx.net
Fri Apr 19 08:42:47 PDT 2024


Hi Laurent,

On 19.04.24 at 16:44, Laurent Pinchart wrote:
> Hi Stefan,
>
> Thank you for the patch.
>
> On Fri, Apr 19, 2024 at 04:26:50PM +0200, Stefan Wahren wrote:
>> The commit 8c9753f63905 ("staging: vc04_services: vchiq_arm: Drop
>> g_cache_line_size") introduced NULL pointer dereferences by
>> messing up usage of device driver data. But the real issue here
>> is the mixed usage of platform and device driver data. So fix
>> this by switching completely to device driver data.
>>
>> Fixes: 8c9753f63905 ("staging: vc04_services: vchiq_arm: Drop g_cache_line_size")
>> Signed-off-by: Stefan Wahren <wahrenst at gmx.net>
>> ---
>>   .../staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 8 ++++----
>>   1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
>> index 502ddc0f6e46..3b032d987f0c 100644
>> --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
>> +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
>> @@ -257,7 +257,7 @@ create_pagelist(struct vchiq_instance *instance, char *buf, char __user *ubuf,
>>   	if (count >= INT_MAX - PAGE_SIZE)
>>   		return NULL;
>>
>> -	drv_mgmt = dev_get_drvdata(instance->state->dev->parent);
>> +	drv_mgmt = dev_get_drvdata(instance->state->dev);
>>
>>   	if (buf)
>>   		offset = (uintptr_t)buf & (PAGE_SIZE - 1);
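Review bot: the lookup in create_pagelist now reads the drvdata of `instance->state->dev` itself instead of its parent, but the commit message never says which device `state->dev` is or where its drvdata is set, so a reviewer cannot tell from the patch alone why the `->parent` lookup returned NULL; a sentence such as "state->dev is the vchiq platform device whose drvdata is set in vchiq_probe" (the `dev_set_drvdata(&pdev->dev, mgmt)` hunk below) would make the fix self-explanatory. The returned pointer is also still dereferenced without a NULL check; if probe ordering guarantees it is set before any pagelist can be created, a short comment saying so would spare the next reader the same question.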
>> @@ -436,7 +436,7 @@ free_pagelist(struct vchiq_instance *instance, struct vchiq_pagelist_info *pagel
>>
>>   	dev_dbg(instance->state->dev, "arm: %pK, %d\n", pagelistinfo->pagelist, actual);
>>
>> -	drv_mgmt = dev_get_drvdata(instance->state->dev->parent);
>> +	drv_mgmt = dev_get_drvdata(instance->state->dev);
>>
>>   	/*
>>   	 * NOTE: dma_unmap_sg must be called before the
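Review bot: this is the identical lookup change as in create_pagelist, and the two call sites have to stay in sync (reading drvdata from two different devices is exactly how the dereference crept in); consider a small static helper, e.g. a hypothetical `vchiq_drv_mgmt_from_instance(instance)`, used by both create_pagelist and free_pagelist, so a later refactor cannot correct one path and miss the other.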
>> @@ -497,7 +497,7 @@ free_pagelist(struct vchiq_instance *instance, struct vchiq_pagelist_info *pagel
>>   static int vchiq_platform_init(struct platform_device *pdev, struct vchiq_state *state)
>>   {
>>   	struct device *dev = &pdev->dev;
>> -	struct vchiq_drv_mgmt *drv_mgmt = platform_get_drvdata(pdev);
>> +	struct vchiq_drv_mgmt *drv_mgmt = dev_get_drvdata(dev);
> This hunk and the next one seem to be no-ops. Did you intend to make
> cosmetic changes here, or was something overlooked?
Yes, it was intended. But you are right, I should split it.
>
>>   	struct rpi_firmware *fw = drv_mgmt->fw;
>>   	struct vchiq_slot_zero *vchiq_slot_zero;
>>   	void *slot_mem;
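Review bot: `platform_get_drvdata(pdev)` is only a wrapper around `dev_get_drvdata(&pdev->dev)`, so this hunk changes nothing at runtime and does not belong in a patch carrying a Fixes: tag for the NULL dereference; as agreed above, move it (together with the vchiq_probe hunk) into a separate cleanup patch so the fix itself stays minimal and easy to backport.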
>> @@ -1753,7 +1753,7 @@ static int vchiq_probe(struct platform_device *pdev)
>>   		return -EPROBE_DEFER;
>>
>>   	mgmt->info = info;
>> -	platform_set_drvdata(pdev, mgmt);
>> +	dev_set_drvdata(&pdev->dev, mgmt);
>>
>>   	err = vchiq_platform_init(pdev, &mgmt->state);
>>   	if (err)
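Review bot: as with the vchiq_platform_init hunk, `dev_set_drvdata(&pdev->dev, mgmt)` is what `platform_set_drvdata(pdev, mgmt)` already expands to, so this is cosmetic; keep it with the split-out cleanup, and if the intent is to make the setter and the getters in the pagelist helpers visibly use the same accessor, state that motivation in the cleanup patch's commit message rather than in the fix.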
