2021-10-12 10:17:45

by Srinivas Kandagatla

Subject: [PATCH] soundwire: bus: stop dereferencing invalid slave pointer

Slave pointer is invalid after end of list iteration, using this
would result in below Memory abort.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
...
Call trace:
__dev_printk+0x34/0x7c
_dev_warn+0x6c/0x90
sdw_bus_exit_clk_stop+0x194/0x1d0
swrm_runtime_resume+0x13c/0x238
pm_generic_runtime_resume+0x2c/0x48
__rpm_callback+0x44/0x150
rpm_callback+0x6c/0x78
rpm_resume+0x314/0x558
rpm_resume+0x378/0x558
rpm_resume+0x378/0x558
__pm_runtime_resume+0x3c/0x88

Use bus->dev instead to print this error message.

Fixes: b50bb8ba369cd ("soundwire: bus: handle -ENODATA errors in clock stop/start sequences")
Signed-off-by: Srinivas Kandagatla <[email protected]>
---
drivers/soundwire/bus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/soundwire/bus.c b/drivers/soundwire/bus.c
index 1b115734a8f6..67369e941d0d 100644
--- a/drivers/soundwire/bus.c
+++ b/drivers/soundwire/bus.c
@@ -1110,7 +1110,7 @@ int sdw_bus_exit_clk_stop(struct sdw_bus *bus)
if (!simple_clk_stop) {
ret = sdw_bus_wait_for_clk_prep_deprep(bus, SDW_BROADCAST_DEV_NUM);
if (ret < 0)
- dev_warn(&slave->dev, "clock stop deprepare wait failed:%d\n", ret);
+ dev_warn(bus->dev, "clock stop deprepare wait failed:%d\n", ret);
}

list_for_each_entry(slave, &bus->slaves, node) {
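Review bot: The commit message says `slave` is invalid "after end of list iteration", but in this hunk the `dev_warn()` under `if (ret < 0)` sits before the only visible `list_for_each_entry(slave, &bus->slaves, node)`, so the patch alone does not show which loop leaves the cursor stale. Name that earlier iteration in the commit message, and check that nothing else in sdw_bus_exit_clk_stop() uses `slave` outside a loop body.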
--
2.21.0
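Added example, not part of the original patch or the kernel sources: a userspace model of `list_for_each_entry` showing why a cursor used after the loop has run to completion is not a valid entry. The macros follow the kernel iterator in simplified form; `fake_slave`, `fake_bus`, `bus_init`, `cursor_is_element` and `cursor_aliases_head` are hypothetical names, and the list contents are constructed.

```c
#include <stddef.h>

struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member)                           \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head);                                     \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

/* Hypothetical stand-ins for struct sdw_slave and struct sdw_bus. */
struct fake_slave { int id; struct list_head node; };
struct fake_bus { const char *name; struct list_head slaves; };

void bus_init(struct fake_bus *bus, struct fake_slave *elems, int n)
{
	struct list_head *head = &bus->slaves;
	int i;

	bus->name = "constructed-bus";
	head->next = head->prev = head;
	for (i = 0; i < n; i++) {	/* append each element at the tail */
		elems[i].id = i;
		elems[i].node.prev = head->prev;
		elems[i].node.next = head;
		head->prev->next = &elems[i].node;
		head->prev = &elems[i].node;
	}
}

/* 1 if the cursor left by a completed loop is one of the real elements. */
int cursor_is_element(struct fake_bus *bus, struct fake_slave *elems, int n)
{
	struct fake_slave *slave;
	int i;

	list_for_each_entry(slave, &bus->slaves, node)
		;	/* run to completion; nothing breaks out early */
	for (i = 0; i < n; i++)
		if (slave == &elems[i])
			return 1;
	return 0;
}

/* 1 if the stale cursor is non-NULL and is the list head seen as an entry. */
int cursor_aliases_head(struct fake_bus *bus)
{
	struct fake_slave *slave;

	list_for_each_entry(slave, &bus->slaves, node)
		;
	return slave != NULL && &slave->node == &bus->slaves;
}
```

Because the leftover cursor is non-NULL, a NULL check on it does not catch this class of bug. The cursor is only meaningful inside the loop body, which is why the fix switches to `bus->dev`.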


2021-10-12 14:57:43

by Pierre-Louis Bossart

Subject: Re: [PATCH] soundwire: bus: stop dereferencing invalid slave pointer



On 10/12/21 5:15 AM, Srinivas Kandagatla wrote:
> Slave pointer is invalid after end of list iteration, using this
> would result in below Memory abort.
>
> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
> ...
> Call trace:
> __dev_printk+0x34/0x7c
> _dev_warn+0x6c/0x90
> sdw_bus_exit_clk_stop+0x194/0x1d0
> swrm_runtime_resume+0x13c/0x238
> pm_generic_runtime_resume+0x2c/0x48
> __rpm_callback+0x44/0x150
> rpm_callback+0x6c/0x78
> rpm_resume+0x314/0x558
> rpm_resume+0x378/0x558
> rpm_resume+0x378/0x558
> __pm_runtime_resume+0x3c/0x88
>
> Use bus->dev instead to print this error message.
>
> Fixes: b50bb8ba369cd ("soundwire: bus: handle -ENODATA errors in clock stop/start sequences")
> Signed-off-by: Srinivas Kandagatla <[email protected]>

Nice catch, even if the 'slave' pointer was valid it makes no sense to
use this device for a bus-level operation. Using the bus->dev is the
right thing to do.

Reviewed-by: Pierre-Louis Bossart <[email protected]>

> ---
> drivers/soundwire/bus.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/soundwire/bus.c b/drivers/soundwire/bus.c
> index 1b115734a8f6..67369e941d0d 100644
> --- a/drivers/soundwire/bus.c
> +++ b/drivers/soundwire/bus.c
> @@ -1110,7 +1110,7 @@ int sdw_bus_exit_clk_stop(struct sdw_bus *bus)
> if (!simple_clk_stop) {
> ret = sdw_bus_wait_for_clk_prep_deprep(bus, SDW_BROADCAST_DEV_NUM);
> if (ret < 0)
> - dev_warn(&slave->dev, "clock stop deprepare wait failed:%d\n", ret);
> + dev_warn(bus->dev, "clock stop deprepare wait failed:%d\n", ret);
> }
>
> list_for_each_entry(slave, &bus->slaves, node) {
>
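Review bot: Minor style point on the `+` line: the format string "clock stop deprepare wait failed:%d\n" has no space after the colon, and since the line is being touched anyway, "failed: %d\n" would read better in the log. The `ret < 0` branch also only warns and then falls through to the `list_for_each_entry()` loop, so a short comment stating that the failure is deliberately non-fatal would help the next reader.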

2021-10-20 15:26:13

by Vinod Koul

Subject: Re: [PATCH] soundwire: bus: stop dereferencing invalid slave pointer

On 12-10-21, 11:15, Srinivas Kandagatla wrote:
> Slave pointer is invalid after end of list iteration, using this
> would result in below Memory abort.

Applied, thanks

--
~Vinod