2019-10-19 08:23:19

by Lee Jones

[permalink] [raw]
Subject: [PATCH 0/2] mfd: mfd-core: Honour disabled devices

This set ensures that devices set to 'disabled' in DT are not registered.

It comes about after 2 seperate reports.

https://www.spinics.net/lists/arm-kernel/msg366309.html
https://lkml.org/lkml/2019/8/22/1350

Lee Jones (2):
mfd: mfd-core: Allocate reference counting memory directly to the
platform device
mfd: mfd-core: Honour Device Tree's request to disable a child-device

drivers/mfd/mfd-core.c | 47 +++++++++++++++++++++---------------------
1 file changed, 23 insertions(+), 24 deletions(-)

--
2.17.1


2019-10-19 08:23:26

by Lee Jones

[permalink] [raw]
Subject: [PATCH 1/2] mfd: mfd-core: Allocate reference counting memory directly to the platform device

MFD provides reference counting (for the 2 consumers who actually use it!)
via mfd_cell's 'usage_count' member. However, since MFD cells become
read-only (const), MFD needs to allocate writable memory and assign it to
'usage_count' before first registration. It currently does this by
allocating enough memory for all requested child devices (yes, even disabled
ones - but we'll get to that) and assigning the base pointer plus sub-device
index to each device in the cell.

The difficulty comes when trying to free that memory. During the removal of
the parent device, MFD unregisters each child device, keeping a tally on the
lowest memory location pointed to by a child device's 'usage_count'. Once
all of the children are unregistered, the lowest memory location must be the
base address of the previously allocated array, right?

Well yes, until we try to honour the disabling of devices via Device Tree
for instance. If the first child device in the provided batch is disabled,
simply skipping registration (and consequentially deregistration) will mean
that the first device's 'usage_count' pointer will not be accounted for when
attempting to find the base. In which case, MFD will assume the first non-
disabled 'usage_count' pointer is the base and subsequently attempt to
erroneously free it.

We can avoid all of this hoop jumping by simply allocating memory to each
single child device before it is considered read-only. We can then free
it on a per-device basis during deregistration.

Signed-off-by: Lee Jones <[email protected]>
---
drivers/mfd/mfd-core.c | 42 ++++++++++++++++++------------------------
1 file changed, 18 insertions(+), 24 deletions(-)

diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c
index 23276a80e3b4..eafdadd58e8b 100644
--- a/drivers/mfd/mfd-core.c
+++ b/drivers/mfd/mfd-core.c
@@ -61,9 +61,10 @@ int mfd_cell_disable(struct platform_device *pdev)
EXPORT_SYMBOL(mfd_cell_disable);

static int mfd_platform_add_cell(struct platform_device *pdev,
- const struct mfd_cell *cell,
- atomic_t *usage_count)
+ const struct mfd_cell *cell)
{
+ atomic_t *usage_count;
+
if (!cell)
return 0;

@@ -71,7 +72,14 @@ static int mfd_platform_add_cell(struct platform_device *pdev,
if (!pdev->mfd_cell)
return -ENOMEM;

+ usage_count = kcalloc(1, sizeof(*usage_count), GFP_KERNEL);
+ if (!usage_count) {
+ kfree(pdev->mfd_cell);
+ return -ENOMEM;
+ }
+
pdev->mfd_cell->usage_count = usage_count;
+
return 0;
}

@@ -134,7 +142,7 @@ static inline void mfd_acpi_add_device(const struct mfd_cell *cell,
#endif

static int mfd_add_device(struct device *parent, int id,
- const struct mfd_cell *cell, atomic_t *usage_count,
+ const struct mfd_cell *cell,
struct resource *mem_base,
int irq_base, struct irq_domain *domain)
{
@@ -196,7 +204,7 @@ static int mfd_add_device(struct device *parent, int id,
goto fail_alias;
}

- ret = mfd_platform_add_cell(pdev, cell, usage_count);
+ ret = mfd_platform_add_cell(pdev, cell);
if (ret)
goto fail_alias;

@@ -286,16 +294,9 @@ int mfd_add_devices(struct device *parent, int id,
{
int i;
int ret;
- atomic_t *cnts;
-
- /* initialize reference counting for all cells */
- cnts = kcalloc(n_devs, sizeof(*cnts), GFP_KERNEL);
- if (!cnts)
- return -ENOMEM;

for (i = 0; i < n_devs; i++) {
- atomic_set(&cnts[i], 0);
- ret = mfd_add_device(parent, id, cells + i, cnts + i, mem_base,
+ ret = mfd_add_device(parent, id, cells + i, mem_base,
irq_base, domain);
if (ret)
goto fail;
@@ -306,17 +307,15 @@ int mfd_add_devices(struct device *parent, int id,
fail:
if (i)
mfd_remove_devices(parent);
- else
- kfree(cnts);
+
return ret;
}
EXPORT_SYMBOL(mfd_add_devices);

-static int mfd_remove_devices_fn(struct device *dev, void *c)
+static int mfd_remove_devices_fn(struct device *dev, void *data)
{
struct platform_device *pdev;
const struct mfd_cell *cell;
- atomic_t **usage_count = c;

if (dev->type != &mfd_dev_type)
return 0;
@@ -327,9 +326,7 @@ static int mfd_remove_devices_fn(struct device *dev, void *c)
regulator_bulk_unregister_supply_alias(dev, cell->parent_supplies,
cell->num_parent_supplies);

- /* find the base address of usage_count pointers (for freeing) */
- if (!*usage_count || (cell->usage_count < *usage_count))
- *usage_count = cell->usage_count;
+ kfree(cell->usage_count);

platform_device_unregister(pdev);
return 0;
@@ -337,10 +334,7 @@ static int mfd_remove_devices_fn(struct device *dev, void *c)

void mfd_remove_devices(struct device *parent)
{
- atomic_t *cnts = NULL;
-
- device_for_each_child_reverse(parent, &cnts, mfd_remove_devices_fn);
- kfree(cnts);
+ device_for_each_child_reverse(parent, NULL, mfd_remove_devices_fn);
}
EXPORT_SYMBOL(mfd_remove_devices);

@@ -404,7 +398,7 @@ int mfd_clone_cell(const char *cell, const char **clones, size_t n_clones)
cell_entry.name = clones[i];
/* don't give up if a single call fails; just report error */
if (mfd_add_device(pdev->dev.parent, -1, &cell_entry,
- cell_entry.usage_count, NULL, 0, NULL))
+ NULL, 0, NULL))
dev_err(dev, "failed to create platform device '%s'\n",
clones[i]);
}
--
2.17.1

2019-10-19 08:39:04

by Daniel Thompson

[permalink] [raw]
Subject: Re: [PATCH 1/2] mfd: mfd-core: Allocate reference counting memory directly to the platform device

On Fri, Oct 18, 2019 at 01:26:46PM +0100, Lee Jones wrote:
> MFD provides reference counting (for the 2 consumers who actually use it!)
> via mfd_cell's 'usage_count' member. However, since MFD cells become
> read-only (const), MFD needs to allocate writable memory and assign it to
> 'usage_count' before first registration. It currently does this by
> allocating enough memory for all requested child devices (yes, even disabled
> ones - but we'll get to that) and assigning the base pointer plus sub-device
> index to each device in the cell.
>
> The difficulty comes when trying to free that memory. During the removal of
> the parent device, MFD unregisters each child device, keeping a tally on the
> lowest memory location pointed to by a child device's 'usage_count'. Once
> all of the children are unregistered, the lowest memory location must be the
> base address of the previously allocated array, right?
>
> Well yes, until we try to honour the disabling of devices via Device Tree
> for instance. If the first child device in the provided batch is disabled,
> simply skipping registration (and consequentially deregistration) will mean
> that the first device's 'usage_count' pointer will not be accounted for when
> attempting to find the base. In which case, MFD will assume the first non-
> disabled 'usage_count' pointer is the base and subsequently attempt to
> erroneously free it.
>
> We can avoid all of this hoop jumping by simply allocating memory to each
> single child device before it is considered read-only. We can then free
> it on a per-device basis during deregistration.
>
> Signed-off-by: Lee Jones <[email protected]>
> ---
> drivers/mfd/mfd-core.c | 42 ++++++++++++++++++------------------------
> 1 file changed, 18 insertions(+), 24 deletions(-)
>
> diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c
> index 23276a80e3b4..eafdadd58e8b 100644
> --- a/drivers/mfd/mfd-core.c
> +++ b/drivers/mfd/mfd-core.c
> @@ -404,7 +398,7 @@ int mfd_clone_cell(const char *cell, const char **clones, size_t n_clones)
> cell_entry.name = clones[i];
> /* don't give up if a single call fails; just report error */
> if (mfd_add_device(pdev->dev.parent, -1, &cell_entry,
> - cell_entry.usage_count, NULL, 0, NULL))
> + NULL, 0, NULL))

I think this change is broken.

Cloned cells are supposed to share the same reference counter as their
template and this change results in each clone having its own counter.
That means the "the 2 consumers who actually use it" will both end up
calling cs5535_mfd_res_enable() (and whichever loses the race will fail
to probe).

To be honest it might be easier to move the request_region() into
cs5535_mfd_probe() and rip out the entire reference counting mechanism
since at that point it would be unused (the other callers of
mfd_cell_enable() look safe w/o a counter).


Daniel.

> dev_err(dev, "failed to create platform device '%s'\n",
> clones[i]);
> }
> --
> 2.17.1
>

2019-10-19 09:56:35

by Lee Jones

[permalink] [raw]
Subject: Re: [PATCH 1/2] mfd: mfd-core: Allocate reference counting memory directly to the platform device

On Fri, 18 Oct 2019, Daniel Thompson wrote:

> On Fri, Oct 18, 2019 at 01:26:46PM +0100, Lee Jones wrote:
> > MFD provides reference counting (for the 2 consumers who actually use it!)
> > via mfd_cell's 'usage_count' member. However, since MFD cells become
> > read-only (const), MFD needs to allocate writable memory and assign it to
> > 'usage_count' before first registration. It currently does this by
> > allocating enough memory for all requested child devices (yes, even disabled
> > ones - but we'll get to that) and assigning the base pointer plus sub-device
> > index to each device in the cell.
> >
> > The difficulty comes when trying to free that memory. During the removal of
> > the parent device, MFD unregisters each child device, keeping a tally on the
> > lowest memory location pointed to by a child device's 'usage_count'. Once
> > all of the children are unregistered, the lowest memory location must be the
> > base address of the previously allocated array, right?
> >
> > Well yes, until we try to honour the disabling of devices via Device Tree
> > for instance. If the first child device in the provided batch is disabled,
> > simply skipping registration (and consequentially deregistration) will mean
> > that the first device's 'usage_count' pointer will not be accounted for when
> > attempting to find the base. In which case, MFD will assume the first non-
> > disabled 'usage_count' pointer is the base and subsequently attempt to
> > erroneously free it.
> >
> > We can avoid all of this hoop jumping by simply allocating memory to each
> > single child device before it is considered read-only. We can then free
> > it on a per-device basis during deregistration.
> >
> > Signed-off-by: Lee Jones <[email protected]>
> > ---
> > drivers/mfd/mfd-core.c | 42 ++++++++++++++++++------------------------
> > 1 file changed, 18 insertions(+), 24 deletions(-)
> >
> > diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c
> > index 23276a80e3b4..eafdadd58e8b 100644
> > --- a/drivers/mfd/mfd-core.c
> > +++ b/drivers/mfd/mfd-core.c
> > @@ -404,7 +398,7 @@ int mfd_clone_cell(const char *cell, const char **clones, size_t n_clones)
> > cell_entry.name = clones[i];
> > /* don't give up if a single call fails; just report error */
> > if (mfd_add_device(pdev->dev.parent, -1, &cell_entry,
> > - cell_entry.usage_count, NULL, 0, NULL))
> > + NULL, 0, NULL))
>
> I think this change is broken.
>
> Cloned cells are supposed to share the same reference counter as their
> template and this change results in each clone having its own counter.
> That means the "the 2 consumers who actually use it" will both end up
> calling cs5535_mfd_res_enable() (and whichever loses the race will fail
> to probe).
>
> To be honest it might be easier to move the request_region() into
> cs5535_mfd_probe() and rip out the entire reference counting mechanism
> since at that point it would be unused (the other callers of
> mfd_cell_enable() look safe w/o a counter).

Thanks for the review. Great point(s).

I will fix this and submit a v2 shortly.

> > dev_err(dev, "failed to create platform device '%s'\n",
> > clones[i]);
> > }

--
Lee Jones [李琼斯]
Linaro Services Technical Lead
Linaro.org │ Open source software for ARM SoCs
Follow Linaro: Facebook | Twitter | Blog