Message ID | 20240820-pmic-glink-v6-11-races-v3-0-eec53c750a04@quicinc.com (mailing list archive)
---|---
Series | soc: qcom: pmic_glink: v6.11-rc bug fixes
On Tue, 20 Aug 2024 13:29:29 -0700, Bjorn Andersson wrote:
> Amit and Johan both reported a NULL pointer dereference in the
> pmic_glink client code during initialization, and Stephen Boyd pointed
> out the problem (race condition).
>
> While investigating, and writing the fix, I noticed that
> ucsi_unregister() is called in atomic context but tries to sleep, and I
> also noticed that the condition for when to inform the pmic_glink client
> drivers when the remote has gone down is just wrong.
>
> [...]

Applied, thanks!

[1/3] soc: qcom: pmic_glink: Fix race during initialization
      commit: e4bff3088afc459687ed90c6584c443bcb5fba90
[2/3] usb: typec: ucsi: Move unregister out of atomic section
      commit: 15f19bc3de2ab0a5ece2e6aa34f626b38e9317cc
[3/3] soc: qcom: pmic_glink: Actually communicate when remote goes down
      commit: 8d856ad26551f9a9f428a73bf422e81c98e774ae

Best regards,
Amit and Johan both reported a NULL pointer dereference in the pmic_glink
client code during initialization, and Stephen Boyd pointed out the
problem (race condition).

While investigating, and writing the fix, I noticed that
ucsi_unregister() is called in atomic context but tries to sleep, and I
also noticed that the condition for when to inform the pmic_glink client
drivers when the remote has gone down is just wrong.

So, let's fix all three.

As mentioned in the commit message for the UCSI fix, I have a series in
the works that makes the GLINK callback happen in a sleepable context,
which would remove the need for the clients list to be protected by a
spinlock, and remove the work scheduling. This is however not -rc
material...

In addition to the NULL pointer dereference, there is the -ECANCELED
issue reported here:
https://lore.kernel.org/all/Zqet8iInnDhnxkT9@hovoldconsulting.com/
Johan reports that these fixes do not address that issue.

Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com>
---
Changes in v3:
- Renamed new_client()/register_client() to client_alloc()/client_register()
- Actually refer the correct commit in patch 2
- Parentheses around comparison in patch 2
- IRQ context -> atomic context in commit message of patch 2
- Fixed typo in patch 3 subject
- Link to v2: https://lore.kernel.org/r/20240819-pmic-glink-v6-11-races-v2-0-88fe3ab1f0e2@quicinc.com

Changes in v2:
- Refer to the correct commit in the ucsi_unregister() patch.
- Updated wording in the same commit message about the new error message in the log.
- Changed the data type of the introduced state variables, opted to go for a bool as we only represent two states (and I would like to further clean this up going forward)
- Initialized the spinlock
- Link to v1: https://lore.kernel.org/r/20240818-pmic-glink-v6-11-races-v1-0-f87c577e0bc9@quicinc.com

---
Bjorn Andersson (3):
      soc: qcom: pmic_glink: Fix race during initialization
      usb: typec: ucsi: Move unregister out of atomic section
      soc: qcom: pmic_glink: Actually communicate when remote goes down

 drivers/power/supply/qcom_battmgr.c   | 16 ++++++++-----
 drivers/soc/qcom/pmic_glink.c         | 40 ++++++++++++++++++++++----------
 drivers/soc/qcom/pmic_glink_altmode.c | 17 +++++++++-----
 drivers/usb/typec/ucsi/ucsi_glink.c   | 43 ++++++++++++++++++++++++++---------
 include/linux/soc/qcom/pmic_glink.h   | 11 +++++----
 5 files changed, 87 insertions(+), 40 deletions(-)
---
base-commit: 2fd613d27928293eaa87788b10e8befb6805cd42
change-id: 20240818-pmic-glink-v6-11-races-363f5964c339

Best regards,
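The cover letter names the bug class but not the code, so the following is an added, self-contained C illustration of the pattern it describes (a client list and a two-state "remote up" flag guarded by one lock, with the state handed to a client in the same critical section that links it). It is not code from this series or from the kernel: glink_core, glink_client, client_register, remote_state_change and the fake_spinlock are hypothetical names, and a bool-in-a-struct stands in for the spinlock so the file builds in user space. The point it demonstrates is the one the letter makes twice: a client that registers after the remote has already come up must still be told, and because the callback is invoked under the lock it must not sleep, which is why sleeping work such as an unregister has to be deferred out of that section.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Stand-in for a spinlock (constructed for this example): it only records
 * whether it is held, so re-entry from a callback trips an assert. */
struct fake_spinlock { bool held; };
static void spin_lock(struct fake_spinlock *l) { assert(!l->held); l->held = true; }
static void spin_unlock(struct fake_spinlock *l) { assert(l->held); l->held = false; }

/* Hypothetical client record; pdr_notify runs under the core lock, so it must not sleep. */
struct glink_client {
	struct glink_client *next;
	void (*pdr_notify)(void *priv, bool up);
	void *priv;
};

/* Hypothetical core: one lock covers both the client list and the state flag. */
struct glink_core {
	struct fake_spinlock lock;
	struct glink_client *clients;
	bool remote_up;	/* two states only, hence a bool */
};

static void core_init(struct glink_core *core)
{
	core->lock.held = false;	/* the lock must be initialised before first use */
	core->clients = NULL;
	core->remote_up = false;
}

/* Link the client and report the current remote state in ONE critical section.
 * Doing the two steps separately, or without the lock, lets an "up" event land
 * between them and the new client never hears that the remote came up. */
static void client_register(struct glink_core *core, struct glink_client *client)
{
	spin_lock(&core->lock);
	client->next = core->clients;
	core->clients = client;
	if (core->remote_up)
		client->pdr_notify(client->priv, true);
	spin_unlock(&core->lock);
}

static void client_unregister(struct glink_core *core, struct glink_client *client)
{
	spin_lock(&core->lock);
	for (struct glink_client **pp = &core->clients; *pp; pp = &(*pp)->next)
		if (*pp == client) { *pp = client->next; break; }
	spin_unlock(&core->lock);
}

/* Remote state change: record it and fan it out under the same lock, so no
 * registration can interleave with the list walk. Reporting only transitions
 * is a choice made in this illustration. */
static void remote_state_change(struct glink_core *core, bool up)
{
	spin_lock(&core->lock);
	if (core->remote_up != up) {
		core->remote_up = up;
		for (struct glink_client *c = core->clients; c; c = c->next)
			c->pdr_notify(c->priv, up);
	}
	spin_unlock(&core->lock);
}

/* Counting client used by the two scenarios below. */
struct counter { int ups, downs; };
static void count_notify(void *priv, bool up)
{
	struct counter *cnt = priv;
	if (up) cnt->ups++; else cnt->downs++;
}

/* Remote comes up BEFORE the client registers: the client must still see one "up". */
int ups_when_registered_after_up(void)
{
	struct glink_core core;
	struct counter cnt = { 0, 0 };
	struct glink_client cl = { .pdr_notify = count_notify, .priv = &cnt };

	core_init(&core);
	remote_state_change(&core, true);
	client_register(&core, &cl);
	client_unregister(&core, &cl);
	return cnt.ups;
}

/* Client registers first; then up, duplicate up, down, up. Returns ups * 10 + downs. */
int transitions_seen_when_registered_first(void)
{
	struct glink_core core;
	struct counter cnt = { 0, 0 };
	struct glink_client cl = { .pdr_notify = count_notify, .priv = &cnt };

	core_init(&core);
	client_register(&core, &cl);
	remote_state_change(&core, true);
	remote_state_change(&core, true);
	remote_state_change(&core, false);
	remote_state_change(&core, true);
	client_unregister(&core, &cl);
	return cnt.ups * 10 + cnt.downs;
}
```

Both scenario functions return counts rather than printing, so they can be checked directly; the first should yield 1 and the second 21 (two ups, one down, the duplicate up suppressed). The fake lock's asserts also catch the mistake the series' UCSI patch is about: a pdr_notify that tried to take the same lock again, or otherwise behaved as if it were outside the critical section, would fail immediately instead of sleeping in atomic context.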