Message ID | 20211028055056.26378-1-yong.wu@mediatek.com (mailing list archive) |
---|---|
State | New, archived |
Series | memory: mtk-smi: Fix a null dereference for the ostd |
On Thu, Oct 28, 2021 at 1:51 PM Yong Wu <yong.wu@mediatek.com> wrote: > > We add the ostd setting for mt8195. It introduces a abort for the > previous SoC which doesn't have ostd setting. This is the log: > > Unable to handle kernel NULL pointer dereference at virtual address > 0000000000000080 > ... > pc : mtk_smi_larb_config_port_gen2_general+0x64/0x130 > lr : mtk_smi_larb_resume+0x54/0x98 > ... > Call trace: > mtk_smi_larb_config_port_gen2_general+0x64/0x130 > pm_generic_runtime_resume+0x2c/0x48 > __genpd_runtime_resume+0x30/0xa8 > genpd_runtime_resume+0x94/0x2c8 > __rpm_callback+0x44/0x150 > rpm_callback+0x6c/0x78 > rpm_resume+0x310/0x558 > __pm_runtime_resume+0x3c/0x88 > > In the code: larbostd = larb->larb_gen->ostd[larb->larbid], > if "larb->larb_gen->ostd" is null, the "larbostd" is the offset, it is > also a valid value, thus, use the larb->larb_gen->ostd as the condition > inside the "for" loop. > > Signed-off-by: Yong Wu <yong.wu@mediatek.com> Tested-by: Hsin-Yi Wang <hsinyi@chromium.org> After applying this patch, mt8183 is no longer crashing. > --- > Hi Krzysztof, > Could you help review and conside this as a fix for the mt8195 patchset? > The mt8195 patchset are not in mainline, thus, I don't know its sha-id, > and don't add Fixes tag. > Thanks > --- > drivers/memory/mtk-smi.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk-smi.c > index b883dcc0bbfa..0262a59a2d6e 100644 > --- a/drivers/memory/mtk-smi.c > +++ b/drivers/memory/mtk-smi.c 
> @@ -257,7 +257,7 @@ static void mtk_smi_larb_config_port_gen2_general(struct device *dev) > if (MTK_SMI_CAPS(flags_general, MTK_SMI_FLAG_SW_FLAG)) > writel_relaxed(SMI_LARB_SW_FLAG_1, larb->base + SMI_LARB_SW_FLAG); > > - for (i = 0; i < SMI_LARB_PORT_NR_MAX && larbostd && !!larbostd[i]; i++) > + for (i = 0; i < SMI_LARB_PORT_NR_MAX && larb->larb_gen->ostd && !!larbostd[i]; i++) > writel_relaxed(larbostd[i], larb->base + SMI_LARB_OSTDL_PORTx(i)); > > for_each_set_bit(i, (unsigned long *)larb->mmu, 32) { > -- > 2.18.0 > > > _______________________________________________ > Linux-mediatek mailing list > Linux-mediatek@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-mediatek
On 28/10/2021 07:50, Yong Wu wrote: > We add the ostd setting for mt8195. It introduces a abort for the > previous SoC which doesn't have ostd setting. This is the log: > > Unable to handle kernel NULL pointer dereference at virtual address > 0000000000000080 > ... > pc : mtk_smi_larb_config_port_gen2_general+0x64/0x130 > lr : mtk_smi_larb_resume+0x54/0x98 > ... > Call trace: > mtk_smi_larb_config_port_gen2_general+0x64/0x130 > pm_generic_runtime_resume+0x2c/0x48 > __genpd_runtime_resume+0x30/0xa8 > genpd_runtime_resume+0x94/0x2c8 > __rpm_callback+0x44/0x150 > rpm_callback+0x6c/0x78 > rpm_resume+0x310/0x558 > __pm_runtime_resume+0x3c/0x88 > > In the code: larbostd = larb->larb_gen->ostd[larb->larbid], > if "larb->larb_gen->ostd" is null, the "larbostd" is the offset, it is > also a valid value, thus, use the larb->larb_gen->ostd as the condition > inside the "for" loop. You need to write more clearly, what you are fixing here. > > Signed-off-by: Yong Wu <yong.wu@mediatek.com> > --- > Hi Krzysztof, > Could you help review and conside this as a fix for the mt8195 patchset? > The mt8195 patchset are not in mainline, thus, I don't know its sha-id, > and don't add Fixes tag. > Thanks > --- > drivers/memory/mtk-smi.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk-smi.c > index b883dcc0bbfa..0262a59a2d6e 100644 > --- a/drivers/memory/mtk-smi.c > +++ b/drivers/memory/mtk-smi.c 
> @@ -257,7 +257,7 @@ static void mtk_smi_larb_config_port_gen2_general(struct device *dev) > if (MTK_SMI_CAPS(flags_general, MTK_SMI_FLAG_SW_FLAG)) > writel_relaxed(SMI_LARB_SW_FLAG_1, larb->base + SMI_LARB_SW_FLAG); > > - for (i = 0; i < SMI_LARB_PORT_NR_MAX && larbostd && !!larbostd[i]; i++) > + for (i = 0; i < SMI_LARB_PORT_NR_MAX && larb->larb_gen->ostd && !!larbostd[i]; i++) > writel_relaxed(larbostd[i], larb->base + SMI_LARB_OSTDL_PORTx(i)); The code does not look good. You have already a dereference at line 244: const u8 *larbostd = larb->larb_gen->ostd[larb->larbid]; You are not fixing the NULL pointer dereference. > > for_each_set_bit(i, (unsigned long *)larb->mmu, 32) { > Best regards, Krzysztof
On Fri, 2021-10-29 at 19:35 +0200, Krzysztof Kozlowski wrote: > On 28/10/2021 07:50, Yong Wu wrote: > > We add the ostd setting for mt8195. It introduces a abort for the > > previous SoC which doesn't have ostd setting. This is the log: > > > > Unable to handle kernel NULL pointer dereference at virtual address > > 0000000000000080 > > ... > > pc : mtk_smi_larb_config_port_gen2_general+0x64/0x130 > > lr : mtk_smi_larb_resume+0x54/0x98 > > ... > > Call trace: > > mtk_smi_larb_config_port_gen2_general+0x64/0x130 > > pm_generic_runtime_resume+0x2c/0x48 > > __genpd_runtime_resume+0x30/0xa8 > > genpd_runtime_resume+0x94/0x2c8 > > __rpm_callback+0x44/0x150 > > rpm_callback+0x6c/0x78 > > rpm_resume+0x310/0x558 > > __pm_runtime_resume+0x3c/0x88 > > > > In the code: larbostd = larb->larb_gen->ostd[larb->larbid], > > if "larb->larb_gen->ostd" is null, the "larbostd" is the offset, it > > is > > also a valid value, thus, use the larb->larb_gen->ostd as the > > condition > > inside the "for" loop. > > You need to write more clearly, what you are fixing here. > > > > > Signed-off-by: Yong Wu <yong.wu@mediatek.com> > > --- > > Hi Krzysztof, > > Could you help review and conside this as a fix for the mt8195 > > patchset? > > The mt8195 patchset are not in mainline, thus, I don't know its > > sha-id, > > and don't add Fixes tag. > > Thanks > > --- > > drivers/memory/mtk-smi.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk-smi.c > > index b883dcc0bbfa..0262a59a2d6e 100644 > > --- a/drivers/memory/mtk-smi.c > > +++ b/drivers/memory/mtk-smi.c 
> > @@ -257,7 +257,7 @@ static void > > mtk_smi_larb_config_port_gen2_general(struct device *dev) > > if (MTK_SMI_CAPS(flags_general, MTK_SMI_FLAG_SW_FLAG)) > > writel_relaxed(SMI_LARB_SW_FLAG_1, larb->base + > > SMI_LARB_SW_FLAG); > > > > - for (i = 0; i < SMI_LARB_PORT_NR_MAX && larbostd && > > !!larbostd[i]; i++) > > + for (i = 0; i < SMI_LARB_PORT_NR_MAX && larb->larb_gen->ostd && > > !!larbostd[i]; i++) > > writel_relaxed(larbostd[i], larb->base + > > SMI_LARB_OSTDL_PORTx(i)); > > The code does not look good. You have already a dereference at line > 244: > > const u8 *larbostd = larb->larb_gen->ostd[larb->larbid]; if larb->larb_gen->ostd is null, larbostd is the offset, e.g. 0x80 in the log above. thus, we can not use "larbostd[i]" in the "for" loop. sorry for the unreadable. In this case, is the change ok? or like this: -const u8 *larbostd = larb->larb_gen->ostd[larb->larbid]; +const u8 *larbostd = larb->larb_gen->ostd ? larb->larb_gen-ostd[larb- >larbid] : NULL; or add a explicit "if": if (larb->larb_gen->ostd) larbostd = xxx. Which one do you prefer? Thanks. > > You are not fixing the NULL pointer dereference. > > > > > for_each_set_bit(i, (unsigned long *)larb->mmu, 32) { > > > > > Best regards, > Krzysztof
On 01/11/2021 07:09, Yong Wu wrote: > On Fri, 2021-10-29 at 19:35 +0200, Krzysztof Kozlowski wrote: >> On 28/10/2021 07:50, Yong Wu wrote: >>> We add the ostd setting for mt8195. It introduces a abort for the >>> previous SoC which doesn't have ostd setting. This is the log: >>> >>> Unable to handle kernel NULL pointer dereference at virtual address >>> 0000000000000080 >>> ... >>> pc : mtk_smi_larb_config_port_gen2_general+0x64/0x130 >>> lr : mtk_smi_larb_resume+0x54/0x98 >>> ... >>> Call trace: >>> mtk_smi_larb_config_port_gen2_general+0x64/0x130 >>> pm_generic_runtime_resume+0x2c/0x48 >>> __genpd_runtime_resume+0x30/0xa8 >>> genpd_runtime_resume+0x94/0x2c8 >>> __rpm_callback+0x44/0x150 >>> rpm_callback+0x6c/0x78 >>> rpm_resume+0x310/0x558 >>> __pm_runtime_resume+0x3c/0x88 >>> >>> In the code: larbostd = larb->larb_gen->ostd[larb->larbid], >>> if "larb->larb_gen->ostd" is null, the "larbostd" is the offset, it >>> is >>> also a valid value, thus, use the larb->larb_gen->ostd as the >>> condition >>> inside the "for" loop. >> >> You need to write more clearly, what you are fixing here. >> >>> >>> Signed-off-by: Yong Wu <yong.wu@mediatek.com> >>> --- >>> Hi Krzysztof, >>> Could you help review and conside this as a fix for the mt8195 >>> patchset? >>> The mt8195 patchset are not in mainline, thus, I don't know its >>> sha-id, >>> and don't add Fixes tag. >>> Thanks >>> --- >>> drivers/memory/mtk-smi.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk-smi.c >>> index b883dcc0bbfa..0262a59a2d6e 100644 >>> --- a/drivers/memory/mtk-smi.c >>> +++ b/drivers/memory/mtk-smi.c 
>>> @@ -257,7 +257,7 @@ static void >>> mtk_smi_larb_config_port_gen2_general(struct device *dev) >>> if (MTK_SMI_CAPS(flags_general, MTK_SMI_FLAG_SW_FLAG)) >>> writel_relaxed(SMI_LARB_SW_FLAG_1, larb->base + >>> SMI_LARB_SW_FLAG); >>> >>> - for (i = 0; i < SMI_LARB_PORT_NR_MAX && larbostd && >>> !!larbostd[i]; i++) >>> + for (i = 0; i < SMI_LARB_PORT_NR_MAX && larb->larb_gen->ostd && >>> !!larbostd[i]; i++) >>> writel_relaxed(larbostd[i], larb->base + >>> SMI_LARB_OSTDL_PORTx(i)); >> >> The code does not look good. You have already a dereference at line >> 244: >> >> const u8 *larbostd = larb->larb_gen->ostd[larb->larbid]; > > if larb->larb_gen->ostd is null, larbostd is the offset, e.g. 0x80 in > the log above. thus, we can not use "larbostd[i]" in the "for" loop. > > sorry for the unreadable. In this case, is the change ok? No, it's ok, I did not check the type of ostd and it's confusing a bit that it is defined as a pointer to an array but you actually use it as array of pointers to 32-elemenet arrays... Anyway I was mistaken and there will be indeed no dereference at the assignment, but for code clarity I would still prefer to do the check earlier, so: > > or like this: > > -const u8 *larbostd = larb->larb_gen->ostd[larb->larbid]; > +const u8 *larbostd = larb->larb_gen->ostd ? larb->larb_gen-ostd[larb- >> larbid] : NULL; Although I think now the proper type should be explicit. mtk_smi_larb_mt8195_ostd is an 28-element array of SMI_LARB_PORT_NR_MAX-element u8 arrays, therefore struct mtk_smi_larb_gen should be: const u8 (*ostd)[][SMI_LARB_PORT_NR_MAX]; Right? Best regards, Krzysztof
On Mon, 2021-11-01 at 09:45 +0100, Krzysztof Kozlowski wrote: > On 01/11/2021 07:09, Yong Wu wrote: > > On Fri, 2021-10-29 at 19:35 +0200, Krzysztof Kozlowski wrote: > > > On 28/10/2021 07:50, Yong Wu wrote: > > > > We add the ostd setting for mt8195. It introduces a abort for > > > > the > > > > previous SoC which doesn't have ostd setting. This is the log: > > > > > > > > Unable to handle kernel NULL pointer dereference at virtual > > > > address > > > > 0000000000000080 > > > > ... > > > > pc : mtk_smi_larb_config_port_gen2_general+0x64/0x130 > > > > lr : mtk_smi_larb_resume+0x54/0x98 > > > > ... > > > > Call trace: > > > > mtk_smi_larb_config_port_gen2_general+0x64/0x130 > > > > pm_generic_runtime_resume+0x2c/0x48 > > > > __genpd_runtime_resume+0x30/0xa8 > > > > genpd_runtime_resume+0x94/0x2c8 > > > > __rpm_callback+0x44/0x150 > > > > rpm_callback+0x6c/0x78 > > > > rpm_resume+0x310/0x558 > > > > __pm_runtime_resume+0x3c/0x88 > > > > > > > > In the code: larbostd = larb->larb_gen->ostd[larb->larbid], > > > > if "larb->larb_gen->ostd" is null, the "larbostd" is the > > > > offset, it > > > > is > > > > also a valid value, thus, use the larb->larb_gen->ostd as the > > > > condition > > > > inside the "for" loop. > > > > > > You need to write more clearly, what you are fixing here. > > > > > > > > > > > Signed-off-by: Yong Wu <yong.wu@mediatek.com> > > > > --- > > > > Hi Krzysztof, > > > > Could you help review and conside this as a fix for the mt8195 > > > > patchset? > > > > The mt8195 patchset are not in mainline, thus, I don't know its > > > > sha-id, > > > > and don't add Fixes tag. > > > > Thanks > > > > --- > > > > drivers/memory/mtk-smi.c | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk- > > > > smi.c > > > > index b883dcc0bbfa..0262a59a2d6e 100644 > > > > --- a/drivers/memory/mtk-smi.c > > > > +++ b/drivers/memory/mtk-smi.c 
> > > > @@ -257,7 +257,7 @@ static void > > > > mtk_smi_larb_config_port_gen2_general(struct device *dev) > > > > if (MTK_SMI_CAPS(flags_general, MTK_SMI_FLAG_SW_FLAG)) > > > > writel_relaxed(SMI_LARB_SW_FLAG_1, larb->base + > > > > SMI_LARB_SW_FLAG); > > > > > > > > - for (i = 0; i < SMI_LARB_PORT_NR_MAX && larbostd && > > > > !!larbostd[i]; i++) > > > > + for (i = 0; i < SMI_LARB_PORT_NR_MAX && larb->larb_gen- > > > > >ostd && > > > > !!larbostd[i]; i++) > > > > writel_relaxed(larbostd[i], larb->base + > > > > SMI_LARB_OSTDL_PORTx(i)); > > > > > > The code does not look good. You have already a dereference at > > > line > > > 244: > > > > > > const u8 *larbostd = larb->larb_gen->ostd[larb->larbid]; > > > > if larb->larb_gen->ostd is null, larbostd is the offset, e.g. 0x80 > > in > > the log above. thus, we can not use "larbostd[i]" in the "for" > > loop. > > > > sorry for the unreadable. In this case, is the change ok? > > No, it's ok, I did not check the type of ostd and it's confusing a > bit > that it is defined as a pointer to an array but you actually use it > as > array of pointers to 32-elemenet arrays... Anyway I was mistaken and > there will be indeed no dereference at the assignment, but for code > clarity I would still prefer to do the check earlier, so: > > > > > or like this: > > > > -const u8 *larbostd = larb->larb_gen->ostd[larb->larbid]; > > +const u8 *larbostd = larb->larb_gen->ostd ? larb->larb_gen- > > ostd[larb- > > > larbid] : NULL; > > Although I think now the proper type should be explicit. 
> mtk_smi_larb_mt8195_ostd is a 28-element array of
> SMI_LARB_PORT_NR_MAX-element u8 arrays, therefore struct
> mtk_smi_larb_gen should be:
> const u8 (*ostd)[][SMI_LARB_PORT_NR_MAX];

mt8195_ostd only is a 2 dimensional array,

static const u8 mtk_smi_larb_mt8195_ostd[][SMI_LARB_PORT_NR_MAX];

If using this, it will cause build fail:

.../drivers/memory/mtk-smi.c:359:23: error: initialization from incompatible pointer type [-Werror=incompatible-pointer-types]
  .ostd = mtk_smi_larb_mt8195_ostd,
          ^~~~~~~~~~~~~~~~~~~~~~~~

More background about this 2 dimensional array:
The platform has many larbs (up to MTK_LARB_NR_MAX), and each larb has
many ports (up to SMI_LARB_PORT_NR_MAX). In the function
(*_config_port_gen2_general), we will update the value for each port
inside a larb, thus we need a pointer pointing to the line of that larb.

If I miss something, please tell me. Or how to manage this will be
better.
Thanks.

>
> Right?
>
>
> Best regards,
> Krzysztof
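The row lookup discussed in the thread above, as an added user-space example that is not part of the original messages or the driver: it shows why indexing a NULL table yields a small non-NULL address that passes a plain NULL test, and how a guarded lookup keeps the original loop condition valid. Assumptions: the field type `const u8 (*ostd)[SMI_LARB_PORT_NR_MAX]`, a row width of 32, the helper names and the sample table are all constructed; larb id 4 is chosen so that the computed address matches the 0x80 in the log.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;
#define SMI_LARB_PORT_NR_MAX 32 /* row width; "32-element arrays" in the thread */

/* Constructed sample table: one row per larb, each row zero-terminated. */
static const u8 sample_ostd[][SMI_LARB_PORT_NR_MAX] = {
	[0] = { 0x0a, 0x06, 0x01 },
	[4] = { 0x28, 0x19 },
};

/* Assumed field type: pointer to a row, so ostd[larbid] decays to const u8 *. */
struct larb_gen {
	const u8 (*ostd)[SMI_LARB_PORT_NR_MAX];
};

/* Address an unguarded ostd[larbid] evaluates to, computed on integers (no fault). */
static uintptr_t unguarded_row_addr(const struct larb_gen *gen, unsigned int larbid)
{
	return (uintptr_t)gen->ostd + (uintptr_t)larbid * sizeof(*gen->ostd);
}

/* Guarded lookup: NULL when the SoC provides no table (hypothetical helper). */
static const u8 *larb_row(const struct larb_gen *gen, unsigned int larbid)
{
	return gen->ostd ? gen->ostd[larbid] : NULL;
}

/* Same loop shape as the driver; counts the ports that would be written. */
static int count_port_writes(const struct larb_gen *gen, unsigned int larbid)
{
	const u8 *row = larb_row(gen, larbid);
	int i, writes = 0;

	for (i = 0; i < SMI_LARB_PORT_NR_MAX && row && row[i]; i++)
		writes++; /* the driver would writel_relaxed(row[i], ...) here */
	return writes;
}

int main(void)
{
	struct larb_gen none = { .ostd = NULL }, tbl = { .ostd = sample_ostd };
	printf("no table, larb 4: row address 0x%lx, writes %d\n",
	       (unsigned long)unguarded_row_addr(&none, 4), count_port_writes(&none, 4));
	printf("table, larb 4: writes %d\n", count_port_writes(&tbl, 4));
	return 0;
}
```

With the guard in the lookup, a SoC without a table performs zero writes and never touches the bogus address.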
diff --git a/drivers/memory/mtk-smi.c b/drivers/memory/mtk-smi.c index b883dcc0bbfa..0262a59a2d6e 100644 --- a/drivers/memory/mtk-smi.c +++ b/drivers/memory/mtk-smi.c @@ -257,7 +257,7 @@ static void mtk_smi_larb_config_port_gen2_general(struct device *dev) if (MTK_SMI_CAPS(flags_general, MTK_SMI_FLAG_SW_FLAG)) writel_relaxed(SMI_LARB_SW_FLAG_1, larb->base + SMI_LARB_SW_FLAG); - for (i = 0; i < SMI_LARB_PORT_NR_MAX && larbostd && !!larbostd[i]; i++) + for (i = 0; i < SMI_LARB_PORT_NR_MAX && larb->larb_gen->ostd && !!larbostd[i]; i++) writel_relaxed(larbostd[i], larb->base + SMI_LARB_OSTDL_PORTx(i)); for_each_set_bit(i, (unsigned long *)larb->mmu, 32) {
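Review bot: the added test "larb->larb_gen->ostd" in the "for" condition is loop-invariant, so it is re-evaluated on every iteration, and it leaves "larbostd" holding a non-NULL value derived from a NULL base, which any later "if (larbostd)" in this function would still accept. Doing the check once at the assignment, as proposed in the thread ("larbostd = larb->larb_gen->ostd ? larb->larb_gen->ostd[larb->larbid] : NULL;"), keeps the original "larbostd &&" guard correct and makes the intent readable without a comment. The "!!" in front of "larbostd[i]" is redundant inside a condition and could be dropped in the same change.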
We add the ostd setting for mt8195. It introduces an abort for the
previous SoC which doesn't have ostd setting. This is the log:

Unable to handle kernel NULL pointer dereference at virtual address
0000000000000080
...
pc : mtk_smi_larb_config_port_gen2_general+0x64/0x130
lr : mtk_smi_larb_resume+0x54/0x98
...
Call trace:
 mtk_smi_larb_config_port_gen2_general+0x64/0x130
 pm_generic_runtime_resume+0x2c/0x48
 __genpd_runtime_resume+0x30/0xa8
 genpd_runtime_resume+0x94/0x2c8
 __rpm_callback+0x44/0x150
 rpm_callback+0x6c/0x78
 rpm_resume+0x310/0x558
 __pm_runtime_resume+0x3c/0x88

In the code: larbostd = larb->larb_gen->ostd[larb->larbid],
if "larb->larb_gen->ostd" is null, the "larbostd" is the offset, it is
also a valid value, thus, use the larb->larb_gen->ostd as the condition
inside the "for" loop.

Signed-off-by: Yong Wu <yong.wu@mediatek.com>
---
Hi Krzysztof,
Could you help review and consider this as a fix for the mt8195 patchset?
The mt8195 patchset is not in mainline, thus, I don't know its sha-id,
and don't add Fixes tag.
Thanks
---
 drivers/memory/mtk-smi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)