driver core: check start node in klist_iter_init_node

klist_iter_init_node() takes a node as a start argument. However, this node might not be valid anymore. This patch updates the klist_iter_init_node() and dependent functions to return an error if so. All calling functions have been audited to check for a return code here. Signed-off-by: Hannes Reinecke <hare@suse.de> Cc: Greg Kroah-Hartmann <gregkh@linuxfoundation.org> Cc: Kay Sievers <kay@vrfy.org> Cc: Stable Kernel <stable@kernel.org> Cc: Linux Kernel <linux-kernel@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

driver core: check start node in klist_iter_init_node
klist_iter_init_node() takes a node as a start argument. However, this node might not be valid anymore. This patch updates the klist_iter_init_node() and dependent functions to return an error if so. All calling functions have been audited to check for a return code here. Signed-off-by: Hannes Reinecke <hare@suse.de> Cc: Greg Kroah-Hartmann <gregkh@linuxfoundation.org> Cc: Kay Sievers <kay@vrfy.org> Cc: Stable Kernel <stable@kernel.org> Cc: Linux Kernel <linux-kernel@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
a15d49fd · Hannes Reinecke · Greg Kroah-Hartman · 97ec448a · a15d49fd · a15d49fd
Commit a15d49fd authored Apr 16, 2012 by Hannes Reinecke Committed by Greg Kroah-Hartman Apr 18, 2012
6 changed files
--- a/drivers/base/bus.c
+++ b/drivers/base/bus.c
@@ -296,11 +296,13 @@ int bus_for_each_dev(struct bus_type *bus, struct device *start,
 	if (!bus)
 		return -EINVAL;
-	klist_iter_init_node(&bus->p->klist_devices, &i,
+	error = klist_iter_init_node(&bus->p->klist_devices, &i,
-			     (start ? &start->p->knode_bus : NULL));
+				     (start ? &start->p->knode_bus : NULL));
-	while ((dev = next_device(&i)) && !error)
+	if (!error) {
-		error = fn(dev, data);
+		while ((dev = next_device(&i)) && !error)
-	klist_iter_exit(&i);
+			error = fn(dev, data);
+		klist_iter_exit(&i);
+	}
 	return error;
 }
 EXPORT_SYMBOL_GPL(bus_for_each_dev);
@@ -330,8 +332,10 @@ struct device *bus_find_device(struct bus_type *bus,
 	if (!bus)
 		return NULL;
-	klist_iter_init_node(&bus->p->klist_devices, &i,
+	if (klist_iter_init_node(&bus->p->klist_devices, &i,
-			     (start ? &start->p->knode_bus : NULL));
+				 (start ? &start->p->knode_bus : NULL)) < 0)
+		return NULL;
 	while ((dev = next_device(&i)))
 		if (match(dev, data) && get_device(dev))
 			break;
@@ -384,7 +388,9 @@ struct device *subsys_find_device_by_id(struct bus_type *subsys, unsigned int id
 		return NULL;
 	if (hint) {
-		klist_iter_init_node(&subsys->p->klist_devices, &i, &hint->p->knode_bus);
+		if (klist_iter_init_node(&subsys->p->klist_devices, &i,
+					 &hint->p->knode_bus) < 0)
+			return NULL;
 		dev = next_device(&i);
 		if (dev && dev->id == id && get_device(dev)) {
 			klist_iter_exit(&i);
@@ -446,11 +452,13 @@ int bus_for_each_drv(struct bus_type *bus, struct device_driver *start,
 	if (!bus)
 		return -EINVAL;
-	klist_iter_init_node(&bus->p->klist_drivers, &i,
+	error = klist_iter_init_node(&bus->p->klist_drivers, &i,
-			     start ? &start->p->knode_bus : NULL);
+				     start ? &start->p->knode_bus : NULL);
-	while ((drv = next_driver(&i)) && !error)
+	if (!error) {
-		error = fn(drv, data);
+		while ((drv = next_driver(&i)) && !error)
-	klist_iter_exit(&i);
+			error = fn(drv, data);
+		klist_iter_exit(&i);
+	}
 	return error;
 }
 EXPORT_SYMBOL_GPL(bus_for_each_drv);
@@ -1111,15 +1119,19 @@ EXPORT_SYMBOL_GPL(bus_sort_breadthfirst);
 * otherwise if it is NULL, the iteration starts at the beginning of
 * the list.
 */
-void subsys_dev_iter_init(struct subsys_dev_iter *iter, struct bus_type *subsys,
+int subsys_dev_iter_init(struct subsys_dev_iter *iter, struct bus_type *subsys,
-			  struct device *start, const struct device_type *type)
+			 struct device *start, const struct device_type *type)
 {
 	struct klist_node *start_knode = NULL;
+	int error;
 	if (start)
 		start_knode = &start->p->knode_bus;
-	klist_iter_init_node(&subsys->p->klist_devices, &iter->ki, start_knode);
+	error = klist_iter_init_node(&subsys->p->klist_devices, &iter->ki,
-	iter->type = type;
+				     start_knode);
+	if (!error)
+		iter->type = type;
+	return error;
 }
 EXPORT_SYMBOL_GPL(subsys_dev_iter_init);

--- a/drivers/base/class.c
+++ b/drivers/base/class.c
@@ -301,15 +301,20 @@ void class_destroy(struct class *cls)
 * otherwise if it is NULL, the iteration starts at the beginning of
 * the list.
 */
-void class_dev_iter_init(struct class_dev_iter *iter, struct class *class,
+int class_dev_iter_init(struct class_dev_iter *iter, struct class *class,
-			 struct device *start, const struct device_type *type)
+			struct device *start, const struct device_type *type)
 {
 	struct klist_node *start_knode = NULL;
+	int error;
 	if (start)
 		start_knode = &start->knode_class;
-	klist_iter_init_node(&class->p->klist_devices, &iter->ki, start_knode);
+	error = klist_iter_init_node(&class->p->klist_devices, &iter->ki,
-	iter->type = type;
+				     start_knode);
+	if (!error)
+		iter->type = type;
+	return error;
 }
 EXPORT_SYMBOL_GPL(class_dev_iter_init);
@@ -387,14 +392,15 @@ int class_for_each_device(struct class *class, struct device *start,
 		return -EINVAL;
 	}
-	class_dev_iter_init(&iter, class, start, NULL);
+	error = class_dev_iter_init(&iter, class, start, NULL);
-	while ((dev = class_dev_iter_next(&iter))) {
+	if (!error) {
-		error = fn(dev, data);
+		while ((dev = class_dev_iter_next(&iter))) {
-		if (error)
+			error = fn(dev, data);
-			break;
+			if (error)
+				break;
+		}
+		class_dev_iter_exit(&iter);
 	}
-	class_dev_iter_exit(&iter);
 	return error;
 }
 EXPORT_SYMBOL_GPL(class_for_each_device);
@@ -434,7 +440,9 @@ struct device *class_find_device(struct class *class, struct device *start,
 		return NULL;
 	}
-	class_dev_iter_init(&iter, class, start, NULL);
+	if (class_dev_iter_init(&iter, class, start, NULL) < 0)
+		return NULL;
 	while ((dev = class_dev_iter_next(&iter))) {
 		if (match(dev, data)) {
 			get_device(dev);

--- a/drivers/base/driver.c
+++ b/drivers/base/driver.c
@@ -49,11 +49,13 @@ int driver_for_each_device(struct device_driver *drv, struct device *start,
 	if (!drv)
 		return -EINVAL;
-	klist_iter_init_node(&drv->p->klist_devices, &i,
+	error = klist_iter_init_node(&drv->p->klist_devices, &i,
-			     start ? &start->p->knode_driver : NULL);
+				     start ? &start->p->knode_driver : NULL);
-	while ((dev = next_device(&i)) && !error)
+	if (!error) {
-		error = fn(dev, data);
+		while ((dev = next_device(&i)) && !error)
-	klist_iter_exit(&i);
+			error = fn(dev, data);
+		klist_iter_exit(&i);
+	}
 	return error;
 }
 EXPORT_SYMBOL_GPL(driver_for_each_device);
@@ -83,8 +85,10 @@ struct device *driver_find_device(struct device_driver *drv,
 	if (!drv)
 		return NULL;
-	klist_iter_init_node(&drv->p->klist_devices, &i,
+	if (klist_iter_init_node(&drv->p->klist_devices, &i,
-			     (start ? &start->p->knode_driver : NULL));
+				 (start ? &start->p->knode_driver : NULL)) < 0)
+		return NULL;
 	while ((dev = next_device(&i)))
 		if (match(dev, data) && get_device(dev))
 			break;

--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -128,7 +128,7 @@ struct subsys_dev_iter {
 	struct klist_iter		ki;
 	const struct device_type	*type;
 };
-void subsys_dev_iter_init(struct subsys_dev_iter *iter,
+int subsys_dev_iter_init(struct subsys_dev_iter *iter,
 			 struct bus_type *subsys,
 			 struct device *start,
 			 const struct device_type *type);
@@ -380,10 +380,10 @@ int class_compat_create_link(struct class_compat *cls, struct device *dev,
 void class_compat_remove_link(struct class_compat *cls, struct device *dev,
 			      struct device *device_link);
-extern void class_dev_iter_init(struct class_dev_iter *iter,
+extern int class_dev_iter_init(struct class_dev_iter *iter,
-				struct class *class,
+			       struct class *class,
-				struct device *start,
+			       struct device *start,
-				const struct device_type *type);
+			       const struct device_type *type);
 extern struct device *class_dev_iter_next(struct class_dev_iter *iter);
 extern void class_dev_iter_exit(struct class_dev_iter *iter);

--- a/include/linux/klist.h
+++ b/include/linux/klist.h
@@ -60,7 +60,7 @@ struct klist_iter {
 extern void klist_iter_init(struct klist *k, struct klist_iter *i);
-extern void klist_iter_init_node(struct klist *k, struct klist_iter *i,
+extern int klist_iter_init_node(struct klist *k, struct klist_iter *i,
 				 struct klist_node *n);
 extern void klist_iter_exit(struct klist_iter *i);
 extern struct klist_node *klist_next(struct klist_iter *i);

--- a/lib/klist.c
+++ b/lib/klist.c
@@ -278,13 +278,19 @@ EXPORT_SYMBOL_GPL(klist_node_attached);
 * Similar to klist_iter_init(), but starts the action off with @n,
 * instead of with the list head.
 */
-void klist_iter_init_node(struct klist *k, struct klist_iter *i,
+int klist_iter_init_node(struct klist *k, struct klist_iter *i,
-			  struct klist_node *n)
+			 struct klist_node *n)
 {
+	if (n) {
+		kref_get(&n->n_ref);
+		if (!n->n_klist) {
+			kref_put(&n->n_ref);
+			return -ENODEV;
+		}
+	}
 	i->i_klist = k;
 	i->i_cur = n;
-	if (n)
+	return 0;
-		kref_get(&n->n_ref);
 }
 EXPORT_SYMBOL_GPL(klist_iter_init_node);