During platform_device_register, wrongly using struct device
pci_dev as platform_data caused a kmemdup copy of pci_dev. Worse
still, accessing the duplicated device leads to list corruption as its
mutex content (e.g., list, magic) remains the same as the original.
Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
---
drivers/perf/dwc_pcie_pmu.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/drivers/perf/dwc_pcie_pmu.c b/drivers/perf/dwc_pcie_pmu.c
index 4ac53167d7ab..fd9d87b4f201 100644
--- a/drivers/perf/dwc_pcie_pmu.c
+++ b/drivers/perf/dwc_pcie_pmu.c
@@ -566,9 +566,7 @@ static int dwc_pcie_register_dev(struct pci_dev *pdev)
u32 sbdf;
sbdf = (pci_domain_nr(pdev->bus) << 16) | PCI_DEVID(pdev->bus->number, pdev->devfn);
- plat_dev = platform_device_register_data(NULL, "dwc_pcie_pmu", sbdf,
- pdev, sizeof(*pdev));
-
+ plat_dev = platform_device_register_simple("platform_dwc_pcie", sbdf, NULL, 0);
if (IS_ERR(plat_dev))
return PTR_ERR(plat_dev);
@@ -620,18 +618,26 @@ static struct notifier_block dwc_pcie_pmu_nb = {
static int dwc_pcie_pmu_probe(struct platform_device *plat_dev)
{
- struct pci_dev *pdev = plat_dev->dev.platform_data;
+ struct pci_dev *pdev;
struct dwc_pcie_pmu *pcie_pmu;
char *name;
u32 sbdf;
u16 vsec;
int ret;
+ sbdf = plat_dev->id;
+ pdev = pci_get_domain_bus_and_slot(sbdf >> 16, PCI_BUS_NUM(sbdf & 0xffff),
+ sbdf & 0xff);
+ if (!pdev) {
+ pr_err("No pdev found for the sbdf");
+ return -ENODEV;
+ }
+
vsec = dwc_pcie_des_cap(pdev);
if (!vsec)
return -ENODEV;
- sbdf = plat_dev->id;
+ pci_dev_put(pdev);
name = devm_kasprintf(&plat_dev->dev, GFP_KERNEL, "dwc_rootport_%x", sbdf);
if (!name)
return -ENOMEM;
@@ -646,7 +652,7 @@ static int dwc_pcie_pmu_probe(struct platform_device *plat_dev)
pcie_pmu->on_cpu = -1;
pcie_pmu->pmu = (struct pmu){
.name = name,
- .parent = &pdev->dev,
+ .parent = &plat_dev->dev,
.module = THIS_MODULE,
.attr_groups = dwc_pcie_attr_groups,
.capabilities = PERF_PMU_CAP_NO_EXCLUDE,
@@ -733,7 +739,7 @@ static int dwc_pcie_pmu_offline_cpu(unsigned int cpu, struct hlist_node *cpuhp_n
static struct platform_driver dwc_pcie_pmu_driver = {
.probe = dwc_pcie_pmu_probe,
- .driver = {.name = "dwc_pcie_pmu",},
+ .driver = {.name = "platform_dwc_pcie",},
};
static void dwc_pcie_cleanup_devices(void)
--
2.39.2
在 2025/2/5 11:14, Yunhui Cui 写道:
> During platform_device_register, wrongly using struct device
> pci_dev as platform_data caused a kmemdup copy of pci_dev. Worse
> still, accessing the duplicated device leads to list corruption as its
> mutex content (e.g., list, magic) remains the same as the original.
>
> Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
> ---
> drivers/perf/dwc_pcie_pmu.c | 20 +++++++++++++-------
> 1 file changed, 13 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/perf/dwc_pcie_pmu.c b/drivers/perf/dwc_pcie_pmu.c
> index 4ac53167d7ab..fd9d87b4f201 100644
> --- a/drivers/perf/dwc_pcie_pmu.c
> +++ b/drivers/perf/dwc_pcie_pmu.c
> @@ -566,9 +566,7 @@ static int dwc_pcie_register_dev(struct pci_dev *pdev)
> u32 sbdf;
>
> sbdf = (pci_domain_nr(pdev->bus) << 16) | PCI_DEVID(pdev->bus->number, pdev->devfn);
> - plat_dev = platform_device_register_data(NULL, "dwc_pcie_pmu", sbdf,
> - pdev, sizeof(*pdev));
> -
> + plat_dev = platform_device_register_simple("platform_dwc_pcie", sbdf, NULL, 0);
> if (IS_ERR(plat_dev))
> return PTR_ERR(plat_dev);
>
> @@ -620,18 +618,26 @@ static struct notifier_block dwc_pcie_pmu_nb = {
>
> static int dwc_pcie_pmu_probe(struct platform_device *plat_dev)
> {
> - struct pci_dev *pdev = plat_dev->dev.platform_data;
> + struct pci_dev *pdev;
> struct dwc_pcie_pmu *pcie_pmu;
> char *name;
> u32 sbdf;
> u16 vsec;
> int ret;
>
> + sbdf = plat_dev->id;
> + pdev = pci_get_domain_bus_and_slot(sbdf >> 16, PCI_BUS_NUM(sbdf & 0xffff),
> + sbdf & 0xff);
> + if (!pdev) {
> + pr_err("No pdev found for the sbdf");
How about also adding the sbdf to print?
> + return -ENODEV;
> + }
> +
> vsec = dwc_pcie_des_cap(pdev);
> if (!vsec)
> return -ENODEV;
>
> - sbdf = plat_dev->id;
> + pci_dev_put(pdev);
> name = devm_kasprintf(&plat_dev->dev, GFP_KERNEL, "dwc_rootport_%x", sbdf);
> if (!name)
> return -ENOMEM;
> @@ -646,7 +652,7 @@ static int dwc_pcie_pmu_probe(struct platform_device *plat_dev)
> pcie_pmu->on_cpu = -1;
> pcie_pmu->pmu = (struct pmu){
> .name = name,
> - .parent = &pdev->dev,
> + .parent = &plat_dev->dev,
> .module = THIS_MODULE,
> .attr_groups = dwc_pcie_attr_groups,
> .capabilities = PERF_PMU_CAP_NO_EXCLUDE,
> @@ -733,7 +739,7 @@ static int dwc_pcie_pmu_offline_cpu(unsigned int cpu, struct hlist_node *cpuhp_n
>
> static struct platform_driver dwc_pcie_pmu_driver = {
> .probe = dwc_pcie_pmu_probe,
> - .driver = {.name = "dwc_pcie_pmu",},
> + .driver = {.name = "platform_dwc_pcie",},
> };
>
> static void dwc_pcie_cleanup_devices(void)
Hi Shuai,
On Fri, Feb 7, 2025 at 10:36 AM Shuai Xue <xueshuai@linux.alibaba.com> wrote:
>
>
>
> 在 2025/2/5 11:14, Yunhui Cui 写道:
> > During platform_device_register, wrongly using struct device
> > pci_dev as platform_data caused a kmemdup copy of pci_dev. Worse
> > still, accessing the duplicated device leads to list corruption as its
> > mutex content (e.g., list, magic) remains the same as the original.
> >
> > Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
> > ---
> > drivers/perf/dwc_pcie_pmu.c | 20 +++++++++++++-------
> > 1 file changed, 13 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/perf/dwc_pcie_pmu.c b/drivers/perf/dwc_pcie_pmu.c
> > index 4ac53167d7ab..fd9d87b4f201 100644
> > --- a/drivers/perf/dwc_pcie_pmu.c
> > +++ b/drivers/perf/dwc_pcie_pmu.c
> > @@ -566,9 +566,7 @@ static int dwc_pcie_register_dev(struct pci_dev *pdev)
> > u32 sbdf;
> >
> > sbdf = (pci_domain_nr(pdev->bus) << 16) | PCI_DEVID(pdev->bus->number, pdev->devfn);
> > - plat_dev = platform_device_register_data(NULL, "dwc_pcie_pmu", sbdf,
> > - pdev, sizeof(*pdev));
> > -
> > + plat_dev = platform_device_register_simple("platform_dwc_pcie", sbdf, NULL, 0);
> > if (IS_ERR(plat_dev))
> > return PTR_ERR(plat_dev);
> >
> > @@ -620,18 +618,26 @@ static struct notifier_block dwc_pcie_pmu_nb = {
> >
> > static int dwc_pcie_pmu_probe(struct platform_device *plat_dev)
> > {
> > - struct pci_dev *pdev = plat_dev->dev.platform_data;
> > + struct pci_dev *pdev;
> > struct dwc_pcie_pmu *pcie_pmu;
> > char *name;
> > u32 sbdf;
> > u16 vsec;
> > int ret;
> >
> > + sbdf = plat_dev->id;
> > + pdev = pci_get_domain_bus_and_slot(sbdf >> 16, PCI_BUS_NUM(sbdf & 0xffff),
> > + sbdf & 0xff);
> > + if (!pdev) {
> > + pr_err("No pdev found for the sbdf");
>
> How about also adding the sbdf to print?
OK, I'll update to v3.
>
> > + return -ENODEV;
> > + }
> > +
> > vsec = dwc_pcie_des_cap(pdev);
> > if (!vsec)
> > return -ENODEV;
> >
> > - sbdf = plat_dev->id;
> > + pci_dev_put(pdev);
> > name = devm_kasprintf(&plat_dev->dev, GFP_KERNEL, "dwc_rootport_%x", sbdf);
> > if (!name)
> > return -ENOMEM;
> > @@ -646,7 +652,7 @@ static int dwc_pcie_pmu_probe(struct platform_device *plat_dev)
> > pcie_pmu->on_cpu = -1;
> > pcie_pmu->pmu = (struct pmu){
> > .name = name,
> > - .parent = &pdev->dev,
> > + .parent = &plat_dev->dev,
> > .module = THIS_MODULE,
> > .attr_groups = dwc_pcie_attr_groups,
> > .capabilities = PERF_PMU_CAP_NO_EXCLUDE,
> > @@ -733,7 +739,7 @@ static int dwc_pcie_pmu_offline_cpu(unsigned int cpu, struct hlist_node *cpuhp_n
> >
> > static struct platform_driver dwc_pcie_pmu_driver = {
> > .probe = dwc_pcie_pmu_probe,
> > - .driver = {.name = "dwc_pcie_pmu",},
> > + .driver = {.name = "platform_dwc_pcie",},
> > };
> >
> > static void dwc_pcie_cleanup_devices(void)
>
Thanks,
Yunhui
© 2016 - 2026 Red Hat, Inc.