| Message ID | 20230814072436.3757-2-biju.das.jz@bp.renesas.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Geert Uytterhoeven |
| Headers | show |
| Series | Fix NULL pointer dereference in RZ/{G2L,V2M,A2} pinctrl driver | expand |
Mon, Aug 14, 2023 at 08:24:34AM +0100, Biju Das kirjoitti: > Fix the below random NULL pointer crash during boot by serializing > pinctrl group and function creation/remove calls in > rzg2l_dt_subnode_to_map() with mutex lock. > Crash logs: > [ 15.310036] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 > [ 15.354291] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 > [ 15.870714] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 > [ 15.939989] Internal error: Oops: 0000000096000004 2 PREEMPT SMP > [ 15.946285] Modules linked in: drm_shmem_helper rzg2l_mipi_dsi videobuf2_common display_connector gpu_sched mc drm_kms_helper rcar_fcp drm rcar_canfd snd_soc_wm8978 rtc_isl1208 can_dev rzg2l_adc snd_soc_rz_ssi renesas_rpc_if spi_rspi backlight ipv6 > [ 15.969077] CPU: 1 PID: 117 Comm: systemd-udevd Tainted: G D 6.5.0-rc4-next-20230801-00013-gd1819ab30a54 #986 > [ 15.980351] Hardware name: Renesas SMARC EVK based on r9a07g054l2 (DT) > [ 15.986857] pstate: 40400005 (nZcv daif +PAN UAO -TCO -DIT -SSBS BTYPE=-) > [ 15.993797] pc : __pi_strcmp+0x20/0x140 > [ 15.997647] lr : pinmux_func_name_to_selector+0x68/0xa4 > [ 16.002876] sp : ffff800082d9b5a0 > [ 16.006210] x29: ffff800082d9b5a0 x28: 0000000000000002 x27: ffff00000cda7080 > [ 16.013338] x26: 0000000000000002 x25: ffff00000a1f26c0 x24: ffff00000cda7080 > [ 16.020456] x23: ffff800081224960 x22: ffff00007fc2e598 x21: 000000000000000c > [ 16.027571] x20: ffff00000b6c8840 x19: 000000000000000b x18: 0000000000000002 > [ 16.034686] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 > [ 16.041799] x14: 0000000000000001 x13: 0000000000068a68 x12: 0000000000000040 > [ 16.048913] x11: ffff00000b092ff8 x10: 0000ffff803d1a68 x9 : ffff00000b6c8888 > [ 16.056028] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000 > [ 16.063142] x5 : ffff00000b092ff8 x4 : ffff00000b093078 x3 : 0000000000000000 > [ 16.070256] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00007fc2e598 > [ 16.077370] Call trace: > [ 16.079807] __pi_strcmp+0x20/0x140 > [ 16.083296] pinmux_generic_add_function+0x34/0xcc > [ 16.088077] rzg2l_dt_subnode_to_map+0x314/0x44c > [ 16.092682] rzg2l_dt_node_to_map+0x164/0x194 > [ 16.097025] pinctrl_dt_to_map+0x218/0x37c > [ 16.101107] create_pinctrl+0x70/0x3d8 Submitting Patches says why the above is too noisy for the commit message. Please, amend accordingly.
Hi Andy, Thanks for the feedback. > Subject: Re: [PATCH 1/3] pinctrl: renesas: rzg2l: Fix NULL pointer > dereference in rzg2l_dt_subnode_to_map() > > Mon, Aug 14, 2023 at 08:24:34AM +0100, Biju Das kirjoitti: > > Fix the below random NULL pointer crash during boot by serializing > > pinctrl group and function creation/remove calls in > > rzg2l_dt_subnode_to_map() with mutex lock. > > > Crash logs: > > [ 15.310036] Unable to handle kernel NULL pointer dereference at > virtual address 0000000000000000 > > [ 15.354291] Unable to handle kernel NULL pointer dereference at > virtual address 0000000000000000 > > [ 15.870714] [0000000000000000] pgd=0000000000000000, > p4d=0000000000000000 > > [ 15.939989] Internal error: Oops: 0000000096000004 2 PREEMPT SMP > > [ 15.946285] Modules linked in: drm_shmem_helper rzg2l_mipi_dsi > videobuf2_common display_connector gpu_sched mc drm_kms_helper rcar_fcp > drm rcar_canfd snd_soc_wm8978 rtc_isl1208 can_dev rzg2l_adc snd_soc_rz_ssi > renesas_rpc_if spi_rspi backlight ipv6 > > [ 15.969077] CPU: 1 PID: 117 Comm: systemd-udevd Tainted: G D > 6.5.0-rc4-next-20230801-00013-gd1819ab30a54 #986 > > [ 15.980351] Hardware name: Renesas SMARC EVK based on r9a07g054l2 > (DT) > > [ 15.986857] pstate: 40400005 (nZcv daif +PAN UAO -TCO -DIT -SSBS > BTYPE=-) > > [ 15.993797] pc : __pi_strcmp+0x20/0x140 > > [ 15.997647] lr : pinmux_func_name_to_selector+0x68/0xa4 > > [ 16.002876] sp : ffff800082d9b5a0 > > [ 16.006210] x29: ffff800082d9b5a0 x28: 0000000000000002 x27: > ffff00000cda7080 > > [ 16.013338] x26: 0000000000000002 x25: ffff00000a1f26c0 x24: > ffff00000cda7080 > > [ 16.020456] x23: ffff800081224960 x22: ffff00007fc2e598 x21: > 000000000000000c > > [ 16.027571] x20: ffff00000b6c8840 x19: 000000000000000b x18: > 0000000000000002 > > [ 16.034686] x17: 0000000000000000 x16: 0000000000000000 x15: > 0000000000000000 > > [ 16.041799] x14: 0000000000000001 x13: 0000000000068a68 x12: > 0000000000000040 > > [ 16.048913] x11: ffff00000b092ff8 x10: 0000ffff803d1a68 x9 : > ffff00000b6c8888 > > [ 16.056028] x8 : 0101010101010101 x7 : 0000000000000000 x6 : > 0000000000000000 > > [ 16.063142] x5 : ffff00000b092ff8 x4 : ffff00000b093078 x3 : > 0000000000000000 > > [ 16.070256] x2 : 0000000000000000 x1 : 0000000000000000 x0 : > ffff00007fc2e598 > > [ 16.077370] Call trace: > > [ 16.079807] __pi_strcmp+0x20/0x140 > > [ 16.083296] pinmux_generic_add_function+0x34/0xcc > > [ 16.088077] rzg2l_dt_subnode_to_map+0x314/0x44c > > [ 16.092682] rzg2l_dt_node_to_map+0x164/0x194 > > [ 16.097025] pinctrl_dt_to_map+0x218/0x37c > > [ 16.101107] create_pinctrl+0x70/0x3d8 > > Submitting Patches says why the above is too noisy for the commit message. > Please, amend accordingly. OK, got it as per[1], this should be. Unable to handle kernel NULL pointer dereference at virtual address Call trace: __pi_strcmp+0x20/0x140 pinmux_generic_add_function+0x34/0xcc rzg2l_dt_subnode_to_map+0x314/0x44c rzg2l_dt_node_to_map+0x164/0x194 pinctrl_dt_to_map+0x218/0x37c create_pinctrl+0x70/0x3d8 [1] https://docs.kernel.org/process/submitting-patches.html#backtraces-in-commit-messages I will send V2 with these changes. Cheers, Biju
On Mon, Aug 14, 2023 at 9:24 AM Biju Das <biju.das.jz@bp.renesas.com> wrote: > Fix the below random NULL pointer crash during boot by serializing > pinctrl group and function creation/remove calls in > rzg2l_dt_subnode_to_map() with mutex lock. What about using, hehe, scoped guards? Bartosz premiered the use of this and I already like it a lot... see: https://lore.kernel.org/linux-gpio/20230812183635.5478-1-brgl@bgdev.pl/ Yours, Linus Walleij
Hi Linus, On Tue, Aug 15, 2023 at 11:14 AM Linus Walleij <linus.walleij@linaro.org> wrote: > On Mon, Aug 14, 2023 at 9:24 AM Biju Das <biju.das.jz@bp.renesas.com> wrote: > > Fix the below random NULL pointer crash during boot by serializing > > pinctrl group and function creation/remove calls in > > rzg2l_dt_subnode_to_map() with mutex lock. > > What about using, hehe, scoped guards? Bartosz premiered the use > of this and I already like it a lot... see: > https://lore.kernel.org/linux-gpio/20230812183635.5478-1-brgl@bgdev.pl/ Quoting the other Linus: "We should probably also strive to avoid it for bug-fixes that end up going to stable." https://lore.kernel.org/all/CAHk-=wjsb5gZTvhXofPCQthk48S9_bSGohXKU8x8XDnf7=bROw@mail.gmail.com Gr{oetje,eeting}s, Geert
On Tue, Aug 15, 2023 at 11:32 AM Geert Uytterhoeven <geert@linux-m68k.org> wrote: > On Tue, Aug 15, 2023 at 11:14 AM Linus Walleij <linus.walleij@linaro.org> wrote: > > On Mon, Aug 14, 2023 at 9:24 AM Biju Das <biju.das.jz@bp.renesas.com> wrote: > > > Fix the below random NULL pointer crash during boot by serializing > > > pinctrl group and function creation/remove calls in > > > rzg2l_dt_subnode_to_map() with mutex lock. > > > > What about using, hehe, scoped guards? Bartosz premiered the use > > of this and I already like it a lot... see: > > https://lore.kernel.org/linux-gpio/20230812183635.5478-1-brgl@bgdev.pl/ > > Quoting the other Linus: > > "We should probably also strive to avoid it for bug-fixes that end up > going to stable." > > https://lore.kernel.org/all/CAHk-=wjsb5gZTvhXofPCQthk48S9_bSGohXKU8x8XDnf7=bROw@mail.gmail.com Right, I missed it's an urgent fix :/ Let's put a mental note to sweep over the driver once this is done and see if we can use scoped guards to avoid more problems in the future? Yours, Linus Walleij
diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c index 4f34f8f24bde..8a14cbb56449 100644 --- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c +++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c @@ -11,6 +11,7 @@ #include <linux/interrupt.h> #include <linux/io.h> #include <linux/module.h> +#include <linux/mutex.h> #include <linux/of.h> #include <linux/of_irq.h> #include <linux/platform_device.h> @@ -153,6 +154,7 @@ struct rzg2l_pinctrl { unsigned int hwirq[RZG2L_TINT_MAX_INTERRUPT]; spinlock_t lock; + struct mutex mutex; /* serialize adding groups and functions */ }; static const unsigned int iolh_groupa_mA[] = { 2, 4, 8, 12 }; @@ -362,10 +364,12 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, name = np->name; } + mutex_lock(&pctrl->mutex); /* Register a single pin group listing all the pins we read from DT */ gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL); if (gsel < 0) { ret = gsel; + mutex_unlock(&pctrl->mutex); goto done; } @@ -380,6 +384,8 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, goto remove_group; } + mutex_unlock(&pctrl->mutex); + maps[idx].type = PIN_MAP_TYPE_MUX_GROUP; maps[idx].data.mux.group = name; maps[idx].data.mux.function = name; @@ -391,6 +397,7 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, remove_group: pinctrl_generic_remove_group(pctldev, gsel); + mutex_unlock(&pctrl->mutex); done: *index = idx; kfree(configs); @@ -1503,6 +1510,7 @@ static int rzg2l_pinctrl_probe(struct platform_device *pdev) spin_lock_init(&pctrl->lock); spin_lock_init(&pctrl->bitmap_lock); + mutex_init(&pctrl->mutex); platform_set_drvdata(pdev, pctrl);
Fix the below random NULL pointer crash during boot by serializing pinctrl group and function creation/remove calls in rzg2l_dt_subnode_to_map() with mutex lock. Crash logs: [ 15.310036] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 15.354291] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 15.870714] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 [ 15.939989] Internal error: Oops: 0000000096000004 2 PREEMPT SMP [ 15.946285] Modules linked in: drm_shmem_helper rzg2l_mipi_dsi videobuf2_common display_connector gpu_sched mc drm_kms_helper rcar_fcp drm rcar_canfd snd_soc_wm8978 rtc_isl1208 can_dev rzg2l_adc snd_soc_rz_ssi renesas_rpc_if spi_rspi backlight ipv6 [ 15.969077] CPU: 1 PID: 117 Comm: systemd-udevd Tainted: G D 6.5.0-rc4-next-20230801-00013-gd1819ab30a54 #986 [ 15.980351] Hardware name: Renesas SMARC EVK based on r9a07g054l2 (DT) [ 15.986857] pstate: 40400005 (nZcv daif +PAN UAO -TCO -DIT -SSBS BTYPE=-) [ 15.993797] pc : __pi_strcmp+0x20/0x140 [ 15.997647] lr : pinmux_func_name_to_selector+0x68/0xa4 [ 16.002876] sp : ffff800082d9b5a0 [ 16.006210] x29: ffff800082d9b5a0 x28: 0000000000000002 x27: ffff00000cda7080 [ 16.013338] x26: 0000000000000002 x25: ffff00000a1f26c0 x24: ffff00000cda7080 [ 16.020456] x23: ffff800081224960 x22: ffff00007fc2e598 x21: 000000000000000c [ 16.027571] x20: ffff00000b6c8840 x19: 000000000000000b x18: 0000000000000002 [ 16.034686] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 16.041799] x14: 0000000000000001 x13: 0000000000068a68 x12: 0000000000000040 [ 16.048913] x11: ffff00000b092ff8 x10: 0000ffff803d1a68 x9 : ffff00000b6c8888 [ 16.056028] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000 [ 16.063142] x5 : ffff00000b092ff8 x4 : ffff00000b093078 x3 : 0000000000000000 [ 16.070256] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00007fc2e598 [ 16.077370] Call trace: [ 16.079807] __pi_strcmp+0x20/0x140 [ 16.083296] pinmux_generic_add_function+0x34/0xcc [ 16.088077] rzg2l_dt_subnode_to_map+0x314/0x44c [ 16.092682] rzg2l_dt_node_to_map+0x164/0x194 [ 16.097025] pinctrl_dt_to_map+0x218/0x37c [ 16.101107] create_pinctrl+0x70/0x3d8 Fixes: c4c4637eb57f ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver") Cc: stable@kernel.org Tested-by: Chris Paterson <Chris.Paterson2@renesas.com> Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> --- drivers/pinctrl/renesas/pinctrl-rzg2l.c | 8 ++++++++ 1 file changed, 8 insertions(+)