From: Zijun Hu
Date: Tue, 05 Nov 2024 08:20:22 +0800
Subject: [PATCH 1/3] driver core: class: Fix wild pointer dereference in API class_dev_iter_next()
Message-Id: <20241105-class_fix-v1-1-80866f9994a5@quicinc.com>
References: <20241105-class_fix-v1-0-80866f9994a5@quicinc.com>
In-Reply-To: <20241105-class_fix-v1-0-80866f9994a5@quicinc.com>
To: Greg Kroah-Hartman, "Rafael J. Wysocki"
Cc: Zijun Hu, linux-kernel@vger.kernel.org, Zijun Hu, stable@vger.kernel.org

From: Zijun Hu

class_dev_iter_init(struct class_dev_iter *iter, struct class *class, ...)
has return type void, but it does not initialize its output parameter @iter
when it suffers a class_to_subsys(@class) error, so the caller cannot detect
the error and calls API class_dev_iter_next(@iter), which will dereference
wild pointers of @iter's members, as shown by the typical usage below:

	// @iter's members are wild pointers
	struct class_dev_iter iter;

	// No change in @iter when the error happens.
	class_dev_iter_init(&iter, ...);

	// dereference these wild member pointers here.
	while (dev = class_dev_iter_next(&iter)) { ... }.

Actually, all callers of the API have such a usage pattern in the kernel tree.
Fix by memset() @iter in API *_init() and error checking @iter in *_next().

Fixes: 7b884b7f24b4 ("driver core: class.c: convert to only use class_to_subsys")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu
---
Alternative fix solutions that were thought about:

1) Use BUG_ON(!sp) instead of error return in class_dev_iter_init().
2) Change class_dev_iter_init()'s type to int, lots of jobs to do.
---
 drivers/base/class.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/base/class.c b/drivers/base/class.c index cb5359235c70..b331dda002e3 100644 --- a/drivers/base/class.c +++ b/drivers/base/class.c @@ -323,8 +323,11 @@ void class_dev_iter_init(struct class_dev_iter *iter, = const struct class *class, struct subsys_private *sp =3D class_to_subsys(class); struct klist_node *start_knode =3D NULL; =20 - if (!sp) + memset(iter, 0, sizeof(*iter)); + if (!sp) { + pr_crit("%s: the class was not registered yet\n", __func__); return; + } =20 if (start) start_knode =3D &start->p->knode_class; 
@@ -351,6 +354,9 @@ struct device *class_dev_iter_next(struct class_dev_ite= r *iter) struct klist_node *knode; struct device *dev; =20 + if (!iter->sp) + return NULL; + while (1) { knode =3D klist_next(&iter->ki); if (!knode) --=20 2.34.1

From: Zijun Hu
Date: Tue, 05 Nov 2024 08:20:23 +0800
Subject: [PATCH 2/3] driver core: class: Correct WARN() message in APIs class_(for_each|find)_device()
Message-Id: <20241105-class_fix-v1-2-80866f9994a5@quicinc.com>
References: <20241105-class_fix-v1-0-80866f9994a5@quicinc.com>
In-Reply-To: <20241105-class_fix-v1-0-80866f9994a5@quicinc.com>
To: Greg Kroah-Hartman, "Rafael J. Wysocki"
Cc: Zijun Hu, linux-kernel@vger.kernel.org, Zijun Hu

From: Zijun Hu

For both APIs class_for_each_device(const struct class *class, ...) and
class_find_device(const struct class *class, ...), their WARN() messages
prompt that @class was not initialized when they suffer a
class_to_subsys(@class) error, but the error actually means @class was not
registered, so these warning messages are not accurate.

Fix by replacing the term initialized with registered within these messages.

Signed-off-by: Zijun Hu
---
 drivers/base/class.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/base/class.c b/drivers/base/class.c index b331dda002e3..e81da280af74 100644 --- a/drivers/base/class.c +++ b/drivers/base/class.c @@ -411,7 +411,7 @@ int class_for_each_device(const struct class *class, co= nst struct device *start, if (!class) return -EINVAL; if (!sp) { - WARN(1, "%s called for class '%s' before it was initialized", + WARN(1, "%s called for class '%s' before it was registered", __func__, class->name); return -EINVAL; } 
@@ -459,7 +459,7 @@ struct device *class_find_device(const struct class *cl= ass, const struct device if (!class) return NULL; if (!sp) { - WARN(1, "%s called for class '%s' before it was initialized", + WARN(1, "%s called for class '%s' before it was registered", __func__, class->name); return NULL; } --=20 2.34.1

From: Zijun Hu
Date: Tue, 05 Nov 2024 08:20:24 +0800
Subject: [PATCH 3/3] driver core: class: Delete a redundant check in APIs class_(for_each|find)_device()
Message-Id: <20241105-class_fix-v1-3-80866f9994a5@quicinc.com>
References: <20241105-class_fix-v1-0-80866f9994a5@quicinc.com>
In-Reply-To: <20241105-class_fix-v1-0-80866f9994a5@quicinc.com>
To: Greg Kroah-Hartman, "Rafael J. Wysocki"
Cc: Zijun Hu, linux-kernel@vger.kernel.org, Zijun Hu

From: Zijun Hu

Delete the redundant check (!@class) in both APIs class_for_each_device()
and class_find_device() for the reasons below:

- The check is covered by the later check (!@sp).
- Callers are unlikely to call both APIs with a NULL class argument.
- Make the parameter check consistent with all of the other class APIs.

Signed-off-by: Zijun Hu
---
 drivers/base/class.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/drivers/base/class.c b/drivers/base/class.c index e81da280af74..120d3aeb52fe 100644 --- a/drivers/base/class.c +++ b/drivers/base/class.c @@ -408,8 +408,6 @@ int class_for_each_device(const struct class *class, co= nst struct device *start, struct device *dev; int error =3D 0; =20 - if (!class) - return -EINVAL; if (!sp) { WARN(1, "%s called for class '%s' before it was registered", __func__, class->name); @@ -456,8 +454,6 @@ struct device *class_find_device(const struct class *cl= ass, const struct device struct class_dev_iter iter; struct device *dev; =20 - if (!class) - return NULL; if (!sp) { WARN(1, "%s called for class '%s' before it was registered", __func__, class->name); --=20 2.34.1
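
Review bot: in [PATCH 1/3], the new !sp branch of class_dev_iter_init() reports the failure with pr_crit() and without the class name, while the same condition in class_for_each_device() and class_find_device() is reported in [PATCH 2/3] with WARN(1, "%s called for class '%s' before it was registered", ...). Consider one reporting style for all three and include the class name (guarded against a NULL class), so a log reader can tell which class was unregistered. Since the function still returns void, the zeroed @iter is the only error signal a caller gets; a kernel-doc sentence stating that a failed init leaves @iter zeroed and makes class_dev_iter_next() return NULL would document that contract.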
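
Review bot: in [PATCH 1/3], the if (!iter->sp) test added at the top of class_dev_iter_next() needs a one-line comment saying that a NULL sp marks a failed class_dev_iter_init(), because the check only works for an iterator that went through the new memset(). The diff changes only *_init() and *_next(); if callers also run a teardown on the iterator after the loop, the commit message should state that it is safe on a zeroed @iter.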
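
Review bot: in [PATCH 2/3], the WARN() format string reworded in the class_for_each_device() hunk ends without "\n", unlike the pr_crit() message added in [PATCH 1/3]. As the string is being edited anyway, consider terminating it with "\n" so the two messages follow the same convention; the class_find_device() hunk carries the identical string.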
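
Review bot: in [PATCH 3/3], dropping if (!class) from class_for_each_device() leaves the !sp branch as the only guard, and that branch passes class->name to WARN(). If a NULL @class reaches it, which is the case the commit message describes as covered by the later (!@sp) check, the WARN() itself dereferences a NULL pointer. Either keep the early !class return or make the message avoid class->name when class is NULL. The class_find_device() hunk has the same pattern.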