Message ID | 20240819-pmic-glink-v6-11-races-v2-1-88fe3ab1f0e2@quicinc.com (mailing list archive) |
---|---|
State | Handled Elsewhere, archived |
Headers | show |
Series | soc: qcom: pmic_glink: v6.11-rc bug fixes | expand |
Hi, On Mon, Aug 19, 2024 at 01:07:45PM GMT, Bjorn Andersson wrote: > As pointed out by Stephen Boyd it is possible that during initialization > of the pmic_glink child drivers, the protection-domain notifiers fires, > and the associated work is scheduled, before the client registration > returns and as a result the local "client" pointer has been initialized. > > The outcome of this is a NULL pointer dereference as the "client" > pointer is blindly dereferenced. > > Timeline provided by Stephen: > CPU0 CPU1 > ---- ---- > ucsi->client = NULL; > devm_pmic_glink_register_client() > client->pdr_notify(client->priv, pg->client_state) > pmic_glink_ucsi_pdr_notify() > schedule_work(&ucsi->register_work) > <schedule away> > pmic_glink_ucsi_register() > ucsi_register() > pmic_glink_ucsi_read_version() > pmic_glink_ucsi_read() > pmic_glink_ucsi_read() > pmic_glink_send(ucsi->client) > <client is NULL BAD> > ucsi->client = client // Too late! > > This code is identical across the altmode, battery manager and usci > child drivers. > > Resolve this by splitting the allocation of the "client" object and the > registration thereof into two operations. > > This only happens if the protection domain registry is populated at the > time of registration, which by the introduction of commit '1ebcde047c54 > ("soc: qcom: add pd-mapper implementation")' became much more likely. > > Reported-by: Amit Pundir <amit.pundir@linaro.org> > Closes: https://lore.kernel.org/all/CAMi1Hd2_a7TjA7J9ShrAbNOd_CoZ3D87twmO5t+nZxC9sX18tA@mail.gmail.com/ > Reported-by: Johan Hovold <johan@kernel.org> > Closes: https://lore.kernel.org/all/ZqiyLvP0gkBnuekL@hovoldconsulting.com/ > Reported-by: Stephen Boyd <swboyd@chromium.org> > Closes: https://lore.kernel.org/all/CAE-0n52JgfCBWiFQyQWPji8cq_rCsviBpW-m72YitgNfdaEhQg@mail.gmail.com/ > Fixes: 58ef4ece1e41 ("soc: qcom: pmic_glink: Introduce base PMIC GLINK driver") > Cc: stable@vger.kernel.org > Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> > Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org> > Tested-by: Amit Pundir <amit.pundir@linaro.org> > Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> > --- I expect this to go through SOC tree: Acked-by: Sebastian Reichel <sebastian.reichel@collabora.com> -- Sebastian > drivers/power/supply/qcom_battmgr.c | 16 ++++++++++------ > drivers/soc/qcom/pmic_glink.c | 28 ++++++++++++++++++---------- > drivers/soc/qcom/pmic_glink_altmode.c | 17 +++++++++++------ > drivers/usb/typec/ucsi/ucsi_glink.c | 16 ++++++++++------ > include/linux/soc/qcom/pmic_glink.h | 11 ++++++----- > 5 files changed, 55 insertions(+), 33 deletions(-) > > diff --git a/drivers/power/supply/qcom_battmgr.c b/drivers/power/supply/qcom_battmgr.c > index 49bef4a5ac3f..df90a470c51a 100644 > --- a/drivers/power/supply/qcom_battmgr.c > +++ b/drivers/power/supply/qcom_battmgr.c > @@ -1387,12 +1387,16 @@ static int qcom_battmgr_probe(struct auxiliary_device *adev, > "failed to register wireless charing power supply\n"); > } > > - battmgr->client = devm_pmic_glink_register_client(dev, > - PMIC_GLINK_OWNER_BATTMGR, > - qcom_battmgr_callback, > - qcom_battmgr_pdr_notify, > - battmgr); > - return PTR_ERR_OR_ZERO(battmgr->client); > + battmgr->client = devm_pmic_glink_new_client(dev, PMIC_GLINK_OWNER_BATTMGR, > + qcom_battmgr_callback, > + qcom_battmgr_pdr_notify, > + battmgr); > + if (IS_ERR(battmgr->client)) > + return PTR_ERR(battmgr->client); > + > + pmic_glink_register_client(battmgr->client); > + > + return 0; > } > > static const struct auxiliary_device_id qcom_battmgr_id_table[] = { > diff --git a/drivers/soc/qcom/pmic_glink.c b/drivers/soc/qcom/pmic_glink.c > index 9ebc0ba35947..58ec91767d79 100644 > --- a/drivers/soc/qcom/pmic_glink.c > +++ b/drivers/soc/qcom/pmic_glink.c > @@ -66,15 +66,14 @@ static void _devm_pmic_glink_release_client(struct device *dev, void *res) > spin_unlock_irqrestore(&pg->client_lock, flags); > } > > -struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev, > - unsigned int id, > - void (*cb)(const void *, size_t, void *), > - void (*pdr)(void *, int), > - void *priv) > +struct pmic_glink_client *devm_pmic_glink_new_client(struct device *dev, > + unsigned int id, > + void (*cb)(const void *, size_t, void *), > + void (*pdr)(void *, int), > + void *priv) > { > struct pmic_glink_client *client; > struct pmic_glink *pg = dev_get_drvdata(dev->parent); > - unsigned long flags; > > client = devres_alloc(_devm_pmic_glink_release_client, sizeof(*client), GFP_KERNEL); > if (!client) > @@ -85,6 +84,18 @@ struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev, > client->cb = cb; > client->pdr_notify = pdr; > client->priv = priv; > + INIT_LIST_HEAD(&client->node); > + > + devres_add(dev, client); > + > + return client; > +} > +EXPORT_SYMBOL_GPL(devm_pmic_glink_new_client); > + > +void pmic_glink_register_client(struct pmic_glink_client *client) > +{ > + struct pmic_glink *pg = client->pg; > + unsigned long flags; > > mutex_lock(&pg->state_lock); > spin_lock_irqsave(&pg->client_lock, flags); > @@ -95,11 +106,8 @@ struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev, > spin_unlock_irqrestore(&pg->client_lock, flags); > mutex_unlock(&pg->state_lock); > > - devres_add(dev, client); > - > - return client; > } > -EXPORT_SYMBOL_GPL(devm_pmic_glink_register_client); > +EXPORT_SYMBOL_GPL(pmic_glink_register_client); > > int pmic_glink_send(struct pmic_glink_client *client, void *data, size_t len) > { > diff --git a/drivers/soc/qcom/pmic_glink_altmode.c b/drivers/soc/qcom/pmic_glink_altmode.c > index 1e0808b3cb93..e4f5059256e5 100644 > --- a/drivers/soc/qcom/pmic_glink_altmode.c > +++ b/drivers/soc/qcom/pmic_glink_altmode.c > @@ -520,12 +520,17 @@ static int pmic_glink_altmode_probe(struct auxiliary_device *adev, > return ret; > } > > - altmode->client = devm_pmic_glink_register_client(dev, > - altmode->owner_id, > - pmic_glink_altmode_callback, > - pmic_glink_altmode_pdr_notify, > - altmode); > - return PTR_ERR_OR_ZERO(altmode->client); > + altmode->client = devm_pmic_glink_new_client(dev, > + altmode->owner_id, > + pmic_glink_altmode_callback, > + pmic_glink_altmode_pdr_notify, > + altmode); > + if (IS_ERR(altmode->client)) > + return PTR_ERR(altmode->client); > + > + pmic_glink_register_client(altmode->client); > + > + return 0; > } > > static const struct auxiliary_device_id pmic_glink_altmode_id_table[] = { > diff --git a/drivers/usb/typec/ucsi/ucsi_glink.c b/drivers/usb/typec/ucsi/ucsi_glink.c > index 16c328497e0b..ac53a81c2a81 100644 > --- a/drivers/usb/typec/ucsi/ucsi_glink.c > +++ b/drivers/usb/typec/ucsi/ucsi_glink.c > @@ -367,12 +367,16 @@ static int pmic_glink_ucsi_probe(struct auxiliary_device *adev, > ucsi->port_orientation[port] = desc; > } > > - ucsi->client = devm_pmic_glink_register_client(dev, > - PMIC_GLINK_OWNER_USBC, > - pmic_glink_ucsi_callback, > - pmic_glink_ucsi_pdr_notify, > - ucsi); > - return PTR_ERR_OR_ZERO(ucsi->client); > + ucsi->client = devm_pmic_glink_new_client(dev, PMIC_GLINK_OWNER_USBC, > + pmic_glink_ucsi_callback, > + pmic_glink_ucsi_pdr_notify, > + ucsi); > + if (IS_ERR(ucsi->client)) > + return PTR_ERR(ucsi->client); > + > + pmic_glink_register_client(ucsi->client); > + > + return 0; > } > > static void pmic_glink_ucsi_remove(struct auxiliary_device *adev) > diff --git a/include/linux/soc/qcom/pmic_glink.h b/include/linux/soc/qcom/pmic_glink.h > index fd124aa18c81..aedde76d7e13 100644 > --- a/include/linux/soc/qcom/pmic_glink.h > +++ b/include/linux/soc/qcom/pmic_glink.h > @@ -23,10 +23,11 @@ struct pmic_glink_hdr { > > int pmic_glink_send(struct pmic_glink_client *client, void *data, size_t len); > > -struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev, > - unsigned int id, > - void (*cb)(const void *, size_t, void *), > - void (*pdr)(void *, int), > - void *priv); > +struct pmic_glink_client *devm_pmic_glink_new_client(struct device *dev, > + unsigned int id, > + void (*cb)(const void *, size_t, void *), > + void (*pdr)(void *, int), > + void *priv); > +void pmic_glink_register_client(struct pmic_glink_client *client); > > #endif > > -- > 2.34.1 >
On Mon, Aug 19, 2024 at 01:07:45PM -0700, Bjorn Andersson wrote: > As pointed out by Stephen Boyd it is possible that during initialization > of the pmic_glink child drivers, the protection-domain notifiers fires, > and the associated work is scheduled, before the client registration > returns and as a result the local "client" pointer has been initialized. > > The outcome of this is a NULL pointer dereference as the "client" > pointer is blindly dereferenced. > > Timeline provided by Stephen: > CPU0 CPU1 > ---- ---- > ucsi->client = NULL; > devm_pmic_glink_register_client() > client->pdr_notify(client->priv, pg->client_state) > pmic_glink_ucsi_pdr_notify() > schedule_work(&ucsi->register_work) > <schedule away> > pmic_glink_ucsi_register() > ucsi_register() > pmic_glink_ucsi_read_version() > pmic_glink_ucsi_read() > pmic_glink_ucsi_read() > pmic_glink_send(ucsi->client) > <client is NULL BAD> > ucsi->client = client // Too late! > > This code is identical across the altmode, battery manager and usci > child drivers. > > Resolve this by splitting the allocation of the "client" object and the > registration thereof into two operations. > > This only happens if the protection domain registry is populated at the > time of registration, which by the introduction of commit '1ebcde047c54 > ("soc: qcom: add pd-mapper implementation")' became much more likely. > > Reported-by: Amit Pundir <amit.pundir@linaro.org> > Closes: https://lore.kernel.org/all/CAMi1Hd2_a7TjA7J9ShrAbNOd_CoZ3D87twmO5t+nZxC9sX18tA@mail.gmail.com/ > Reported-by: Johan Hovold <johan@kernel.org> > Closes: https://lore.kernel.org/all/ZqiyLvP0gkBnuekL@hovoldconsulting.com/ > Reported-by: Stephen Boyd <swboyd@chromium.org> > Closes: https://lore.kernel.org/all/CAE-0n52JgfCBWiFQyQWPji8cq_rCsviBpW-m72YitgNfdaEhQg@mail.gmail.com/ > Fixes: 58ef4ece1e41 ("soc: qcom: pmic_glink: Introduce base PMIC GLINK driver") > Cc: stable@vger.kernel.org > Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> > Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org> > Tested-by: Amit Pundir <amit.pundir@linaro.org> > Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> > diff --git a/drivers/soc/qcom/pmic_glink.c b/drivers/soc/qcom/pmic_glink.c > index 9ebc0ba35947..58ec91767d79 100644 > --- a/drivers/soc/qcom/pmic_glink.c > +++ b/drivers/soc/qcom/pmic_glink.c > @@ -66,15 +66,14 @@ static void _devm_pmic_glink_release_client(struct device *dev, void *res) > spin_unlock_irqrestore(&pg->client_lock, flags); > } > > -struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev, > - unsigned int id, > - void (*cb)(const void *, size_t, void *), > - void (*pdr)(void *, int), > - void *priv) > +struct pmic_glink_client *devm_pmic_glink_new_client(struct device *dev, Please consider renaming this one devm_pmic_glink_alloc_client() (or devm_pmic_glink_client_alloc()) which is more conventional for kernel code than using "new". > + unsigned int id, > + void (*cb)(const void *, size_t, void *), > + void (*pdr)(void *, int), > + void *priv) > { > struct pmic_glink_client *client; > struct pmic_glink *pg = dev_get_drvdata(dev->parent); > - unsigned long flags; > > client = devres_alloc(_devm_pmic_glink_release_client, sizeof(*client), GFP_KERNEL); > if (!client) Looks good otherwise: Reviewed-by: Johan Hovold <johan+linaro@kernel.org> Johan
diff --git a/drivers/power/supply/qcom_battmgr.c b/drivers/power/supply/qcom_battmgr.c index 49bef4a5ac3f..df90a470c51a 100644 --- a/drivers/power/supply/qcom_battmgr.c +++ b/drivers/power/supply/qcom_battmgr.c @@ -1387,12 +1387,16 @@ static int qcom_battmgr_probe(struct auxiliary_device *adev, "failed to register wireless charing power supply\n"); } - battmgr->client = devm_pmic_glink_register_client(dev, - PMIC_GLINK_OWNER_BATTMGR, - qcom_battmgr_callback, - qcom_battmgr_pdr_notify, - battmgr); - return PTR_ERR_OR_ZERO(battmgr->client); + battmgr->client = devm_pmic_glink_new_client(dev, PMIC_GLINK_OWNER_BATTMGR, + qcom_battmgr_callback, + qcom_battmgr_pdr_notify, + battmgr); + if (IS_ERR(battmgr->client)) + return PTR_ERR(battmgr->client); + + pmic_glink_register_client(battmgr->client); + + return 0; } static const struct auxiliary_device_id qcom_battmgr_id_table[] = { diff --git a/drivers/soc/qcom/pmic_glink.c b/drivers/soc/qcom/pmic_glink.c index 9ebc0ba35947..58ec91767d79 100644 --- a/drivers/soc/qcom/pmic_glink.c +++ b/drivers/soc/qcom/pmic_glink.c @@ -66,15 +66,14 @@ static void _devm_pmic_glink_release_client(struct device *dev, void *res) spin_unlock_irqrestore(&pg->client_lock, flags); } -struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev, - unsigned int id, - void (*cb)(const void *, size_t, void *), - void (*pdr)(void *, int), - void *priv) +struct pmic_glink_client *devm_pmic_glink_new_client(struct device *dev, + unsigned int id, + void (*cb)(const void *, size_t, void *), + void (*pdr)(void *, int), + void *priv) { struct pmic_glink_client *client; struct pmic_glink *pg = dev_get_drvdata(dev->parent); - unsigned long flags; client = devres_alloc(_devm_pmic_glink_release_client, sizeof(*client), GFP_KERNEL); if (!client) @@ -85,6 +84,18 @@ struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev, client->cb = cb; client->pdr_notify = pdr; client->priv = priv; + INIT_LIST_HEAD(&client->node); + + devres_add(dev, client); + + return client; +} +EXPORT_SYMBOL_GPL(devm_pmic_glink_new_client); + +void pmic_glink_register_client(struct pmic_glink_client *client) +{ + struct pmic_glink *pg = client->pg; + unsigned long flags; mutex_lock(&pg->state_lock); spin_lock_irqsave(&pg->client_lock, flags); @@ -95,11 +106,8 @@ struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev, spin_unlock_irqrestore(&pg->client_lock, flags); mutex_unlock(&pg->state_lock); - devres_add(dev, client); - - return client; } -EXPORT_SYMBOL_GPL(devm_pmic_glink_register_client); +EXPORT_SYMBOL_GPL(pmic_glink_register_client); int pmic_glink_send(struct pmic_glink_client *client, void *data, size_t len) { diff --git a/drivers/soc/qcom/pmic_glink_altmode.c b/drivers/soc/qcom/pmic_glink_altmode.c index 1e0808b3cb93..e4f5059256e5 100644 --- a/drivers/soc/qcom/pmic_glink_altmode.c +++ b/drivers/soc/qcom/pmic_glink_altmode.c @@ -520,12 +520,17 @@ static int pmic_glink_altmode_probe(struct auxiliary_device *adev, return ret; } - altmode->client = devm_pmic_glink_register_client(dev, - altmode->owner_id, - pmic_glink_altmode_callback, - pmic_glink_altmode_pdr_notify, - altmode); - return PTR_ERR_OR_ZERO(altmode->client); + altmode->client = devm_pmic_glink_new_client(dev, + altmode->owner_id, + pmic_glink_altmode_callback, + pmic_glink_altmode_pdr_notify, + altmode); + if (IS_ERR(altmode->client)) + return PTR_ERR(altmode->client); + + pmic_glink_register_client(altmode->client); + + return 0; } static const struct auxiliary_device_id pmic_glink_altmode_id_table[] = { diff --git a/drivers/usb/typec/ucsi/ucsi_glink.c b/drivers/usb/typec/ucsi/ucsi_glink.c index 16c328497e0b..ac53a81c2a81 100644 --- a/drivers/usb/typec/ucsi/ucsi_glink.c +++ b/drivers/usb/typec/ucsi/ucsi_glink.c @@ -367,12 +367,16 @@ static int pmic_glink_ucsi_probe(struct auxiliary_device *adev, ucsi->port_orientation[port] = desc; } - ucsi->client = devm_pmic_glink_register_client(dev, - PMIC_GLINK_OWNER_USBC, - pmic_glink_ucsi_callback, - pmic_glink_ucsi_pdr_notify, - ucsi); - return PTR_ERR_OR_ZERO(ucsi->client); + ucsi->client = devm_pmic_glink_new_client(dev, PMIC_GLINK_OWNER_USBC, + pmic_glink_ucsi_callback, + pmic_glink_ucsi_pdr_notify, + ucsi); + if (IS_ERR(ucsi->client)) + return PTR_ERR(ucsi->client); + + pmic_glink_register_client(ucsi->client); + + return 0; } static void pmic_glink_ucsi_remove(struct auxiliary_device *adev) diff --git a/include/linux/soc/qcom/pmic_glink.h b/include/linux/soc/qcom/pmic_glink.h index fd124aa18c81..aedde76d7e13 100644 --- a/include/linux/soc/qcom/pmic_glink.h +++ b/include/linux/soc/qcom/pmic_glink.h @@ -23,10 +23,11 @@ struct pmic_glink_hdr { int pmic_glink_send(struct pmic_glink_client *client, void *data, size_t len); -struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev, - unsigned int id, - void (*cb)(const void *, size_t, void *), - void (*pdr)(void *, int), - void *priv); +struct pmic_glink_client *devm_pmic_glink_new_client(struct device *dev, + unsigned int id, + void (*cb)(const void *, size_t, void *), + void (*pdr)(void *, int), + void *priv); +void pmic_glink_register_client(struct pmic_glink_client *client); #endif