drivers/base: fix corrupt device tree

dev_add_child is a very unsafe function. If called multiple times it allows setting the same device to different parents thus corrupting the siblings list. This happens regularly since: | commit c2e568d19c | Author: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com> | Date: Sat Nov 3 16:11:05 2012 +0100 | | bus: add bus device | | automatically add it as parent of any bus device if none already specified | | we have now a nice output per bus If for example a FATfs is mounted this nice output per bus often ends with: > `---- fat0 > `---- 0 > `---- 0x86f0000087020031-0x86f000410df27124: /dev/<NULL> > `---- sram00 > `---- 0x00000000-0xffffffffffffffff: /dev/<NULL> > `---- 0x00000000-0xffffffffffffffff: /dev/<NULL> > unable to handle NULL pointer dereference at address 0x0000000c > pc : [<87f08a20>] lr : [<87f08a04>] > sp : 86eff8c0 ip : 87f3fbde fp : ffffffff > r10: ffffffff r9 : 00000000 r8 : 00000003 > r7 : 86f075b8 r6 : 00000002 r5 : ffffffec r4 : 86f07544 > r3 : 00000000 r2 : 43f900b4 r1 : 00000020 r0 : 00000005 > Flags: Nzcv IRQs off FIQs off Mode SVC_32 > [<87f08a20>] (do_devinfo_subtree+0x90/0x130) from [<87f08a90>] (do_devinfo_subtree+0x100/0x130) > > [<87f3e070>] (unwind_backtrace+0x0/0x90) from [<87f28514>] (panic+0x28/0x3c) > [<87f28514>] (panic+0x28/0x3c) from [<87f3e4b8>] (do_exception+0x10/0x14) > [<87f3e4b8>] (do_exception+0x10/0x14) from [<87f3e544>] (do_data_abort+0x2c/0x38) > [<87f3e544>] (do_data_abort+0x2c/0x38) from [<87f3e268>] (data_abort+0x48/0x60) This patch fixes this by adding a device to its parents children list in register_device so that dev_add_child is no longer needed. This function is removed from the tree. Now callers of register_device have to clearly set the parent *before* registering a device. Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> Reported-by: Jan Lübbe <jlu@pengutronix.de>
2012-12-12 14:55:40 +01:00 · 2012-12-12 14:55:40 +01:00 · 1a9e93cc81
parent c7c9c88cc2
commit 1a9e93cc81
12 changed files with 19 additions and 47 deletions
--- a/common/console.c
+++ b/common/console.c
@ -151,7 +151,7 @@ int console_register(struct console_device *newcdev)
 	dev->id = DEVICE_ID_DYNAMIC;
 	strcpy(dev->name, "cs");
 	if (newcdev->dev)
-		dev_add_child(newcdev->dev, dev);
+		dev->parent = newcdev->dev;
 	platform_device_register(dev);

 	if (newcdev->setbrg) {
--- a/drivers/base/driver.c
+++ b/drivers/base/driver.c
@ -133,20 +133,20 @@ int register_device(struct device_d *new_device)
 	INIT_LIST_HEAD(&new_device->parameters);
 	INIT_LIST_HEAD(&new_device->active);

-	if (!new_device->bus)
-		return 0;
+	if (new_device->bus) {
+		if (!new_device->parent)
+			new_device->parent = &new_device->bus->dev;

-	if (!new_device->parent) {
-		new_device->parent = &new_device->bus->dev;
-		dev_add_child(new_device->parent, new_device);
+		list_add_tail(&new_device->bus_list, &new_device->bus->device_list);
+
+		bus_for_each_driver(new_device->bus, drv) {
+			if (!match(drv, new_device))
+				break;
+		}
 	}

-	list_add_tail(&new_device->bus_list, &new_device->bus->device_list);
-
-	bus_for_each_driver(new_device->bus, drv) {
-		if (!match(drv, new_device))
-			break;
-	}
+	if (new_device->parent)
+		list_add_tail(&new_device->sibling, &new_device->parent->children);

 	return 0;
 }
@ -186,16 +186,6 @@ int unregister_device(struct device_d *old_dev)
 }
 EXPORT_SYMBOL(unregister_device);

-int dev_add_child(struct device_d *dev, struct device_d *child)
-{
-	child->parent = dev;
-
-	list_add_tail(&child->sibling, &dev->children);
-
-	return 0;
-}
-EXPORT_SYMBOL(dev_add_child);
-
 struct driver_d *get_driver_by_name(const char *name)
 {
 	struct driver_d *drv;
--- a/drivers/i2c/i2c.c
+++ b/drivers/i2c/i2c.c
@ -258,7 +258,6 @@ struct i2c_client *i2c_new_device(struct i2c_adapter *adapter,
 	client->addr = chip->addr;

 	client->dev.parent = &adapter->dev;
-	dev_add_child(client->dev.parent, &client->dev);

 	status = register_device(&client->dev);

@ -403,9 +402,6 @@ int i2c_add_numbered_adapter(struct i2c_adapter *adapter)
 	adapter->dev.id = adapter->nr;
 	strcpy(adapter->dev.name, "i2c");

-	if (adapter->dev.parent)
-		dev_add_child(adapter->dev.parent, &adapter->dev);
-
 	ret = register_device(&adapter->dev);
 	if (ret)
 		return ret;
--- a/drivers/mci/mci-core.c
+++ b/drivers/mci/mci-core.c
@ -1557,7 +1557,7 @@ int mci_register(struct mci_host *host)
 	mci_dev->id = DEVICE_ID_DYNAMIC;
 	strcpy(mci_dev->name, mci_driver.name);
 	mci_dev->platform_data = host;
-	dev_add_child(host->hw_dev, mci_dev);
+	mci_dev->parent = host->hw_dev;

 	return platform_device_register(mci_dev);
 }
--- a/drivers/mtd/core.c
+++ b/drivers/mtd/core.c
@ -184,10 +184,8 @@ int add_mtd_device(struct mtd_info *mtd, char *devname)
 		devname = "mtd";
 	strcpy(mtd->class_dev.name, devname);
 	mtd->class_dev.id = DEVICE_ID_DYNAMIC;
-	if (mtd->parent) {
+	if (mtd->parent)
 		mtd->class_dev.parent = mtd->parent;
-		dev_add_child(mtd->class_dev.parent, &mtd->class_dev);
-	}
 	register_device(&mtd->class_dev);

 	mtd->cdev.ops = &mtd_ops;
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@ -47,8 +47,6 @@ int mdiobus_register(struct mii_bus *bus)
 	bus->dev.id = DEVICE_ID_DYNAMIC;
 	strcpy(bus->dev.name, "miibus");
 	bus->dev.parent = bus->parent;
-	if (bus->parent)
-		dev_add_child(bus->parent, &bus->dev);

 	err = register_device(&bus->dev);
 	if (err) {
@ -157,8 +155,6 @@ static int mdio_bus_probe(struct device_d *_dev)
 	char str[16];

 	dev->attached_dev->phydev = dev;
-	dev->dev.parent = &dev->attached_dev->dev;
-	dev_add_child(dev->dev.parent, _dev);

 	if (drv->probe) {
 		ret = drv->probe(dev);
--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@ -157,7 +157,6 @@ static struct phy_device *phy_device_create(struct mii_bus *bus, int addr, int p
 	dev->phy_id = phy_id;

 	dev->bus = bus;
-	dev->dev.parent = bus->parent;
 	dev->dev.bus = &mdio_bus_type;

 	strcpy(dev->dev.name, "phy");
@ -229,6 +228,8 @@ static int phy_register_device(struct phy_device* dev)
 {
 	int ret;

+	dev->dev.parent = &dev->attached_dev->dev;
+
 	ret = register_device(&dev->dev);
 	if (ret)
 		return ret;
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@ -81,7 +81,7 @@ struct spi_device *spi_new_device(struct spi_master *master,
 	proxy->dev.id = DEVICE_ID_DYNAMIC;
 	proxy->dev.type_data = proxy;
 	proxy->dev.device_node = chip->device_node;
-	dev_add_child(master->dev, &proxy->dev);
+	proxy->dev.parent = master->dev;

 	/* drivers may modify this initial i/o setup */
 	status = master->setup(proxy);
--- a/drivers/w1/w1.c
+++ b/drivers/w1/w1.c
@ -413,7 +413,6 @@ static int w1_device_register(struct w1_bus *bus, struct w1_device *dev)
 	dev->bus = bus;

 	dev->dev.parent = &bus->dev;
-	dev_add_child(dev->dev.parent, &dev->dev);

 	ret = register_device(&dev->dev);
 	if (ret)
@ -600,10 +599,7 @@ int w1_bus_register(struct w1_bus *bus)

 	strcpy(bus->dev.name, "w1_bus");
 	bus->dev.id = DEVICE_ID_DYNAMIC;
-
 	bus->dev.parent = bus->parent;
-	if (bus->parent)
-		dev_add_child(bus->parent, &bus->dev);

 	ret = register_device(&bus->dev);
 	if (ret)
--- a/fs/fs.c
+++ b/fs/fs.c
@ -1227,7 +1227,7 @@ int mount(const char *device, const char *fsname, const char *_path)
 		fsdev->cdev = cdev_by_name(device + 5);

 	if (fsdev->cdev) {
-		dev_add_child(fsdev->cdev->dev, &fsdev->dev);
+		fsdev->dev.parent = fsdev->cdev->dev;
 		fsdev->parent_device = fsdev->cdev->dev;
 	}

--- a/include/driver.h
+++ b/include/driver.h
@ -158,11 +158,6 @@ int device_probe(struct device_d *dev);
 */
 int unregister_device(struct device_d *);

-/* Organize devices in a tree. These functions do _not_ register or
- * unregister a device. Only registered devices are allowed here.
- */
-int dev_add_child(struct device_d *dev, struct device_d *child);
-
 /* Iterate over a devices children
 */
 #define device_for_each_child(dev, child) \
--- a/net/eth.c
+++ b/net/eth.c
@ -260,7 +260,7 @@ int eth_register(struct eth_device *edev)
 	edev->dev.id = DEVICE_ID_DYNAMIC;

 	if (edev->parent)
-		dev_add_child(edev->parent, &edev->dev);
+		edev->dev.parent = edev->parent;

 	register_device(&edev->dev);