From patchwork Tue Sep 28 19:56:57 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lino Sanfilippo X-Patchwork-Id: 12523689 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F179C433EF for ; Tue, 28 Sep 2021 19:58:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 568E661157 for ; Tue, 28 Sep 2021 19:58:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242390AbhI1UAC (ORCPT ); Tue, 28 Sep 2021 16:00:02 -0400 Received: from mout.gmx.net ([212.227.15.18]:40437 "EHLO mout.gmx.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242525AbhI1UAB (ORCPT ); Tue, 28 Sep 2021 16:00:01 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1632859067; bh=950+H6zcMyRuuZltaXExuXwLbPiKm4N7Nqzoz5IS+ho=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=PeM1eF0KvzKhjLNc/CRJVBq5UyevRkFIyO3oWgbjhBe1NyJKSfBUORjx5o6gxgxeu 89HM5VbaDswa0WrdyeqyIPABzMmAdwYiQIbyZYp6JCRXVX94IyvwJVKMclymDcZ0ZQ IVOYQ5FngkFN3VU8q4AskHaadJNDO0GaORE8qC54= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from Venus.fritz.box ([46.223.119.124]) by mail.gmx.net (mrgmx005 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MmlXA-1nDxds43JW-00jv95; Tue, 28 Sep 2021 21:57:47 +0200 From: Lino Sanfilippo To: broonie@kernel.org, f.fainelli@gmail.com Cc: rjui@broadcom.com, sbranden@broadcom.com, bcm-kernel-feedback-list@broadcom.com, nsaenz@kernel.org, linux-spi@vger.kernel.org, linux-rpi-kernel@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, jgg@ziepe.ca, p.rosenberger@kunbus.com, linux-integrity@vger.kernel.org, Lino Sanfilippo , stable@vger.kernel.org Subject: [PATCH] spi: bcm2835: do not unregister controller in shutdown handler Date: Tue, 28 Sep 2021 21:56:57 +0200 Message-Id: <20210928195657.5573-1-LinoSanfilippo@gmx.de> X-Mailer: git-send-email 2.33.0 MIME-Version: 1.0 X-Provags-ID: V03:K1://1RGDldizjVvhp5TlhlUqpmOlMqfM8sYBCBHUC1cik40Y8GcTk lcIte5jutwp0x3rEhG1X1ppsUbnmx1C4qE6I+Uwy5peQWZKzPyTfGSk92HP97c2LuZHHJ5P jNtjj5D4vkb98QtkEDMx9rl6Hlsngg/LyPPRtXsYr7SgoeV4JDGBDd5Rjj67FvwDlvqffCj BTk2JZWLnH8GpOaBuFRqg== X-UI-Out-Filterresults: notjunk:1;V03:K0:fK/50CUMqaU=:zV/lz+hruJoKMFgNqPcCWH SlMDruu2kYUlUXHnbj0YGzdTV+j2PhGIaFVp9Z0XaboQ6Wg3TIQrL4rtIh+WqEgmuOOC4DK5t YawyTJ8OOCbSWjOciF9SlejrSKHBTckpcS9gTJj4JGUNy10pyWwpNKwinGLIYq2uGJKscnjP5 qMcRH/qoh2EYcGqWSLZF/PKR1Ui63NgT479RkwvAEtWIYc3XhzS/1/KCTzUdfkPldomjFhP8o e81JWm263XwjzQGB8J51E6vh2IkzTtooi4mZsCvoshMKtFCS+bY1V/+cPDaPLXS3GenLwbi2l KkurxveLH0fN2cCuib6vfYD4xH7loN1jsHMaqF8224I8nuUIVCe0HdOJcx1zDIRiMbdBgoo5M zpkfNgEHIXNJUaDu8Tif32I8uDIN+fqSOyq2K4NDWxWcXUfM+qw4DF580u0dkG/sUsQhnhicF CkiYyH5JYOCH4o58xP0xT3/Xs6oD8hSoYZbJIawhYKMrJVgePMi/wCi4BV9+AdVTMEuIBQeY4 KR4tjANETdFHrTDvx+zUeSQajB4fC2AEji23eGM37LqKq1P78HDdzOHR3KJdac9P1+55al4Ai gneWNNc4TUi5hW5llenFDQs43Nt6I5yLxyomb/cJn/yKrYqoVy8PK1fz1TyrC/GqV1K2Honn0 sLpuvQTHJhrG0DTnvrngj3hUYfQJDoGOxoRH6TnZoKO+Kyq0zhp6W0oPCYX33OpOOr0Hu3+wx we6kTtrW+icAL5xTru2mes16WIqV/FiGmgV6TXZ0DFd1deVKdOT75B4bMwcfSMdbAtAQT/Jmg QTGETr05qXsTH7+ch1CaVAP1jxbKfwA14mKBFOZGIKMz/5XgujLS8K3A3hijqF6vOSfLPM3e5 1lJJfR1M9YfxlK1hRrSIE8mgfUoeOiYBb+cDdOnqWHEEnCkXBSC8BzXD358OAv60RL3BR0HWx FuiatnbUyPbBXowr2Tq+68NfqsoU5WR5NFRhXffk+yXjMrbXN6kNdF1/auhHbXwGtNZ7QWp4p NfCuGKTZSPvGhDSTCXOV+dzFM2n6g6zawOG218GOB96hihQd68JBejodY75LRgBLQifC0oh3i crUetjzl8hWyjE= Precedence: bulk List-ID: X-Mailing-List: linux-spi@vger.kernel.org Do not unregister the SPI controller in the shutdown handler. The reason to avoid this is that controller unregistration results in the slave devices remove() handler being called which may be unexpected for slave drivers at system shutdown. One example is if the BCM2835 driver is used together with the TPM SPI driver: At system shutdown first the TPM chip devices (pre) shutdown handler (tpm_class_shutdown) is called, stopping the chip and setting an operations pointer to NULL. Then since the BCM2835 shutdown handler unregisters the SPI controller the TPM SPI remove function (tpm_tis_spi_remove) is also called. In case of TPM 2 this function accesses the now nullified operations pointer, resulting in the following NULL pointer access: [ 174.078277] 8<--- cut here --- [ 174.078288] Unable to handle kernel NULL pointer dereference at virtual address 00000034 [ 174.078293] pgd = 557a5fc9 [ 174.078300] [00000034] *pgd=031cf003, *pmd=00000000 [ 174.078317] Internal error: Oops: 206 [#1] SMP ARM [ 174.078323] Modules linked in: tpm_tis_spi tpm_tis_core tpm spidev gpio_pca953x mcp320x rtc_pcf2127 industrialio regmap_i2c regmap_spi 8021q garp stp llc ftdi_sio6 [ 174.078441] CPU: 3 PID: 1 Comm: systemd-shutdow Tainted: G WC 5.10.27-rt36-C4LS+ #1 [ 174.078448] Hardware name: BCM2835 [ 174.078451] PC is at tpm_chip_start+0x1c/0xc0 [tpm] [ 174.078492] LR is at tpm_chip_unregister+0xc0/0xe0 [tpm] [ 174.078525] pc : [] lr : [] psr: 20000013 [ 174.078529] sp : c1903c38 ip : c1903c50 fp : c1903c4c [ 174.078533] r10: c1aca054 r9 : c0e77b28 r8 : c311c000 [ 174.078537] r7 : 00000000 r6 : bf262010 r5 : c323fbf8 r4 : c323f800 [ 174.078541] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : c323f800 [ 174.078546] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none [ 174.078553] Control: 30c5383d Table: 02a47980 DAC: f7bd3313 [ 174.078556] Process systemd-shutdow (pid: 1, stack limit = 0xa0551b1d) [ 174.078561] Stack: (0xc1903c38 to 0xc1904000) [ 174.078566] 3c20: c323f800 c323fbf8 [ 174.078574] 3c40: c1903c64 c1903c50 bf2447c8 bf244070 c323f800 c3498800 c1903c7c c1903c68 [ 174.078581] 3c60: bf260190 bf244714 c3498800 c3498800 c1903c94 c1903c80 c08b9fa8 bf26017c [ 174.078588] 3c80: c3498800 00000000 c1903cb4 c1903c98 c0862b20 c08b9f7c c1aaf730 c3498800 [ 174.078595] 3ca0: c12fc9d0 00000000 c1903cc4 c1903cb8 c0862bf4 c0862a1c c1903ce4 c1903cc8 [ 174.078602] 3cc0: c08612d0 c0862be0 c3498800 00005744 c08ba298 00000000 c1903d2c c1903ce8 [ 174.078609] 3ce0: c085c61c c0861200 ffffe000 c13404c0 c0781f40 c0e77b28 c1903d2c c1205048 [ 174.078616] 3d00: c0332c3c c3498800 00000000 c08ba298 c13fdd7c c1356018 c0e77b28 c1aca054 [ 174.078623] 3d20: c1903d44 c1903d30 c085c8d0 c085c498 c3498800 00000000 c1903d5c c1903d48 [ 174.078630] 3d40: c08ba294 c085c8c0 c311c000 00000000 c1903d6c c1903d60 c08ba2b0 c08ba25c [ 174.078638] 3d60: c1903d9c c1903d70 c085bb90 c08ba2a4 c1903d8c c369a080 c369a114 c1205048 [ 174.078645] 3d80: c1903da4 c311c000 c311c000 00000000 c1903dbc c1903da0 c08ba748 c085bb2c [ 174.078651] 3da0: c311c380 c311c000 00000000 c13fdd7c c1903ddc c1903dc0 bf168534 c08ba718 [ 174.078659] 3dc0: c1aca000 c1a75010 c1aca010 c13fdd7c c1903df4 c1903de0 bf168588 bf16850c [ 174.078666] 3de0: c1aca014 c1a75010 c1903e04 c1903df8 c0863ca0 bf168578 c1903e3c c1903e08 [ 174.078673] 3e00: c085fc90 c0863c80 c1903e3c c0e77b18 c0248888 00000000 00000000 8855a600 [ 174.078680] 3e20: c120f1cc fee1dead c1902000 00000058 c1903e4c c1903e40 c0249eb0 c085fb00 [ 174.078687] 3e40: c1903e64 c1903e50 c0249fa0 c0249e78 01234567 00000000 c1903f94 c1903e68 [ 174.078694] 3e60: c024a244 c0249f90 c1903ed4 c2ec5180 00000024 c1903f58 00000005 c0441f50 [ 174.078701] 3e80: c1903ec4 c1903e90 c0441d94 c0498350 00000000 c1903ea0 c0739fa4 00000024 [ 174.078708] 3ea0: c2ec5180 c1903f58 c1903ed4 c2ec5180 00000005 00000000 c1903f4c c1903ec8 [ 174.078715] 3ec0: c0441f50 c0425938 c1903ed0 c1903ed4 00000000 00000005 00000000 00000024 [ 174.078722] 3ee0: c1903eec 00000005 c020007c bec81250 00000004 bec81f62 00000010 bec81264 [ 174.078729] 3f00: 00000005 bec8131c 0000000a b6d0ef50 00000001 c0200e70 ffffe000 c13404c0 [ 174.078736] 3f20: 00000000 c04673e8 c1903f4c c1205048 c2ec5180 bec8128c 00000000 00000000 [ 174.078743] 3f40: c1903f94 c1903f50 c04420d0 c0441eb4 00000000 c13404c0 00000000 00000000 [ 174.078750] 3f60: c1903f94 c1205048 c0332c3c c1205048 bec8131c 00000000 00000000 00000000 [ 174.078757] 3f80: 00000058 c0200204 c1903fa4 c1903f98 c024a398 c024a13c 00000000 c1903fa8 [ 174.078764] 3fa0: c0200040 c024a38c 00000000 00000000 fee1dead 28121969 01234567 8855a600 [ 174.078771] 3fc0: 00000000 00000000 00000000 00000058 00000fff bec81be8 00000000 00456b80 [ 174.078778] 3fe0: 00468e3c bec81b68 004534a8 b6e4ba38 60000010 fee1dead 00000000 00000000 [ 174.078782] Backtrace: [ 174.078786] [] (tpm_chip_start [tpm]) from [] (tpm_chip_unregister+0xc0/0xe0 [tpm]) [ 174.078853] r5:c323fbf8 r4:c323f800 [ 174.078855] [] (tpm_chip_unregister [tpm]) from [] (tpm_tis_spi_remove+0x20/0x30 [tpm_tis_spi]) [ 174.078899] r5:c3498800 r4:c323f800 [ 174.078901] [] (tpm_tis_spi_remove [tpm_tis_spi]) from [] (spi_drv_remove+0x38/0x50) [ 174.078923] r5:c3498800 r4:c3498800 [ 174.078926] [] (spi_drv_remove) from [] (device_release_driver_internal+0x110/0x1c4) [ 174.078942] r5:00000000 r4:c3498800 [ 174.078945] [] (device_release_driver_internal) from [] (device_release_driver+0x20/0x24) [ 174.078959] r7:00000000 r6:c12fc9d0 r5:c3498800 r4:c1aaf730 [ 174.078962] [] (device_release_driver) from [] (bus_remove_device+0xdc/0x108) [ 174.078973] [] (bus_remove_device) from [] (device_del+0x190/0x428) [ 174.078989] r7:00000000 r6:c08ba298 r5:00005744 r4:c3498800 [ 174.078992] [] (device_del) from [] (device_unregister+0x1c/0x30) [ 174.079009] r10:c1aca054 r9:c0e77b28 r8:c1356018 r7:c13fdd7c r6:c08ba298 r5:00000000 [ 174.079013] r4:c3498800 [ 174.079015] [] (device_unregister) from [] (spi_unregister_device+0x44/0x48) [ 174.079030] r5:00000000 r4:c3498800 [ 174.079033] [] (spi_unregister_device) from [] (__unregister+0x18/0x20) [ 174.079048] r5:00000000 r4:c311c000 [ 174.079050] [] (__unregister) from [] (device_for_each_child+0x70/0xb4) [ 174.079064] [] (device_for_each_child) from [] (spi_unregister_controller+0x3c/0x134) [ 174.079081] r6:00000000 r5:c311c000 r4:c311c000 [ 174.079083] [] (spi_unregister_controller) from [] (bcm2835_spi_remove+0x34/0x6c [spi_bcm2835]) [ 174.079104] r7:c13fdd7c r6:00000000 r5:c311c000 r4:c311c380 [ 174.079107] [] (bcm2835_spi_remove [spi_bcm2835]) from [] (bcm2835_spi_shutdown+0x1c/0x38 [spi_bcm2835]) [ 174.079130] r7:c13fdd7c r6:c1aca010 r5:c1a75010 r4:c1aca000 [ 174.079132] [] (bcm2835_spi_shutdown [spi_bcm2835]) from [] (platform_drv_shutdown+0x2c/0x30) [ 174.079150] r5:c1a75010 r4:c1aca014 [ 174.079153] [] (platform_drv_shutdown) from [] (device_shutdown+0x19c/0x24c) [ 174.079164] [] (device_shutdown) from [] (kernel_restart_prepare+0x44/0x48) [ 174.079183] r10:00000058 r9:c1902000 r8:fee1dead r7:c120f1cc r6:8855a600 r5:00000000 [ 174.079186] r4:00000000 [ 174.079189] [] (kernel_restart_prepare) from [] (kernel_restart+0x1c/0x60) [ 174.079203] [] (kernel_restart) from [] (__do_sys_reboot+0x114/0x1f8) [ 174.079218] r5:00000000 r4:01234567 [ 174.079221] [] (__do_sys_reboot) from [] (sys_reboot+0x18/0x1c) [ 174.079238] r8:c0200204 r7:00000058 r6:00000000 r5:00000000 r4:00000000 [ 174.079241] [] (sys_reboot) from [] (ret_fast_syscall+0x0/0x28) [ 174.079254] Exception stack(0xc1903fa8 to 0xc1903ff0) [ 174.079260] 3fa0: 00000000 00000000 fee1dead 28121969 01234567 8855a600 [ 174.079267] 3fc0: 00000000 00000000 00000000 00000058 00000fff bec81be8 00000000 00456b80 [ 174.079273] 3fe0: 00468e3c bec81b68 004534a8 b6e4ba38 [ 174.079280] Code: e52de004 e8bd4000 e5903410 e1a04000 (e5932034) [ 174.079285] ---[ end trace 33e1042219f38210 ]--- [ 174.879428] Kernel panic - not syncing: [ 174.879432] Attempted to kill init! exitcode=0x0000000b Fix this by only shutting down the hardware and not unregistering the SPI controller in the drivers shutdown handler. Fixes: 118eb0e52eb7 ("spi: bcm2835: Implement shutdown callback") Cc: stable@vger.kernel.org Signed-off-by: Lino Sanfilippo --- The first attempt to fix this was with an extra check in the tpm chip driver (see https://marc.info/?l=linux-integrity&m=163129718414118&w=2) to avoid the NULL pointer access. Then Jason Gunthorpe noted that the real issue was the BCM driver unregistering the chip in the shutdown handler(see https://marc.info/?l=linux-integrity&m=163129718414118&w=2) which led me to this solution. This patch has been tested on a Raspberry Pi 5.10 kernel with a SLB 9670 TPM chip. drivers/spi/spi-bcm2835.c | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) base-commit: 0513e464f9007b70b96740271a948ca5ab6e7dd7 diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c index 775c0bf2f923..a2e4dafc7dff 100644 --- a/drivers/spi/spi-bcm2835.c +++ b/drivers/spi/spi-bcm2835.c @@ -1390,15 +1390,11 @@ static int bcm2835_spi_probe(struct platform_device *pdev) return err; } -static int bcm2835_spi_remove(struct platform_device *pdev) +static void bcm2835_spi_shutdown(struct platform_device *pdev) { struct spi_controller *ctlr = platform_get_drvdata(pdev); struct bcm2835_spi *bs = spi_controller_get_devdata(ctlr); - bcm2835_debugfs_remove(bs); - - spi_unregister_controller(ctlr); - bcm2835_dma_release(ctlr, bs); /* Clear FIFOs, and disable the HW block */ @@ -1406,17 +1402,20 @@ static int bcm2835_spi_remove(struct platform_device *pdev) BCM2835_SPI_CS_CLEAR_RX | BCM2835_SPI_CS_CLEAR_TX); clk_disable_unprepare(bs->clk); - - return 0; } -static void bcm2835_spi_shutdown(struct platform_device *pdev) +static int bcm2835_spi_remove(struct platform_device *pdev) { - int ret; + struct spi_controller *ctlr = platform_get_drvdata(pdev); + struct bcm2835_spi *bs = spi_controller_get_devdata(ctlr); - ret = bcm2835_spi_remove(pdev); - if (ret) - dev_err(&pdev->dev, "failed to shutdown\n"); + bcm2835_debugfs_remove(bs); + + spi_unregister_controller(ctlr); + + bcm2835_spi_shutdown(pdev); + + return 0; } static const struct of_device_id bcm2835_spi_match[] = {