If a probe function returns -EPROBE_DEFER after creating another device
there is a change of ending up in a probe deferral loop, (see commit
fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER"). In case
of the qcom-pmic-typec driver the tcpm_register_port() function looks up
external resources (USB role switch and inherently via called
typec_register_port() USB-C muxes, switches and retimers).
In order to prevent such probe-defer loops caused by qcom-pmic-typec
driver, use the API added by Johan Hovold and move HPD bridge
registration to the end of the probe function.
The devm_drm_dp_hpd_bridge_add() is called at the end of the probe
function after all TCPM start functions. This is done as a way to
overcome a different problem, the DRM subsystem can not properly cope
with the DRM bridges being destroyed once the bridge is attached. Having
this function call at the end of the probe function prevents possible
DRM bridge device creation followed by destruction in case one of the
TCPM start functions returns an error.
Reported-by: Caleb Connolly <[email protected]>
Acked-by: Bryan O'Donoghue <[email protected]>
Signed-off-by: Dmitry Baryshkov <[email protected]>
---
Changes in v3:
- Updated commit message to explain my decisions (Johan).
- Link to v2: https://lore.kernel.org/r/[email protected]
Changes in v2:
- Fix commit message (Bryan)
- Link to v1: https://lore.kernel.org/r/[email protected]
---
drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
index e48412cdcb0f..96b41efae318 100644
--- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
+++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c
@@ -41,7 +41,7 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev)
struct device_node *np = dev->of_node;
const struct pmic_typec_resources *res;
struct regmap *regmap;
- struct device *bridge_dev;
+ struct auxiliary_device *bridge_dev;
u32 base;
int ret;
@@ -92,7 +92,7 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev)
if (!tcpm->tcpc.fwnode)
return -EINVAL;
- bridge_dev = drm_dp_hpd_bridge_register(tcpm->dev, to_of_node(tcpm->tcpc.fwnode));
+ bridge_dev = devm_drm_dp_hpd_bridge_alloc(tcpm->dev, to_of_node(tcpm->tcpc.fwnode));
if (IS_ERR(bridge_dev))
return PTR_ERR(bridge_dev);
@@ -110,6 +110,10 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev)
if (ret)
goto fwnode_remove;
+ ret = devm_drm_dp_hpd_bridge_add(tcpm->dev, bridge_dev);
+ if (ret)
+ goto fwnode_remove;
+
return 0;
fwnode_remove:
---
base-commit: 6bd343537461b57f3efe5dfc5fc193a232dfef1e
change-id: 20240405-qc-pmic-typec-hpd-split-22804201902b
Best regards,
--
Dmitry Baryshkov <[email protected]>
On Tue, Apr 16, 2024 at 05:18:56AM +0300, Dmitry Baryshkov wrote:
> If a probe function returns -EPROBE_DEFER after creating another device
> there is a change of ending up in a probe deferral loop, (see commit
> fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER"). In case
> of the qcom-pmic-typec driver the tcpm_register_port() function looks up
> external resources (USB role switch and inherently via called
> typec_register_port() USB-C muxes, switches and retimers).
>
> In order to prevent such probe-defer loops caused by qcom-pmic-typec
> driver, use the API added by Johan Hovold and move HPD bridge
> registration to the end of the probe function.
>
> The devm_drm_dp_hpd_bridge_add() is called at the end of the probe
> function after all TCPM start functions. This is done as a way to
> overcome a different problem, the DRM subsystem can not properly cope
> with the DRM bridges being destroyed once the bridge is attached. Having
> this function call at the end of the probe function prevents possible
> DRM bridge device creation followed by destruction in case one of the
> TCPM start functions returns an error.
You're still not explaining why it is ok to move registration of the
bridge to after starting the port and pdphy.
Perhaps it's obvious to you but it should still go in the commit message
as such a change is potentially something that could end up causing
trouble (e.g. enabling interrupts before all resources have been setup
and registered).
As I've mentioned before, I'm also sceptical to papering over the DRM
issue in each and every driver registering a bridge. These late error
paths would normally not be taken, unlike the earlier ones which can be
triggered by probe deferrals and which we have to fix also for the probe
deferral loops.
> @@ -92,7 +92,7 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev)
> if (!tcpm->tcpc.fwnode)
> return -EINVAL;
>
> - bridge_dev = drm_dp_hpd_bridge_register(tcpm->dev, to_of_node(tcpm->tcpc.fwnode));
> + bridge_dev = devm_drm_dp_hpd_bridge_alloc(tcpm->dev, to_of_node(tcpm->tcpc.fwnode));
> if (IS_ERR(bridge_dev))
> return PTR_ERR(bridge_dev);
>
> @@ -110,6 +110,10 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev)
> if (ret)
> goto fwnode_remove;
>
> + ret = devm_drm_dp_hpd_bridge_add(tcpm->dev, bridge_dev);
> + if (ret)
> + goto fwnode_remove;
This is leaking resources and can lead to a use-after-free.
When looking at the driver, I noticed that the existing error handling
is already broken so I just sent a fix here:
https://lore.kernel.org/lkml/[email protected]/
You should rebase on that series and not introduce further issues with
the new bridge-add error path.
> +
> return 0;
>
> fwnode_remove:
Johan