Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp981551ybe; Thu, 19 Sep 2019 06:57:58 -0700 (PDT) X-Google-Smtp-Source: APXvYqykGvQqwsp5X6HSgnMaI5DzYhN5q/yZr7HpUeYqWIUieTJKtBb/zpKVAGUvKeiDt9zLJXXN X-Received: by 2002:a17:906:1385:: with SMTP id f5mr14521239ejc.145.1568901478781; Thu, 19 Sep 2019 06:57:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568901478; cv=none; d=google.com; s=arc-20160816; b=NvNKVe/+naF3Hkc7SHEUVLvzdPsbo4qBY3HxNJUemm3H23DdmCltN48K1tL0fnhcnV AePC+tB68fdTBrV6T7AAj13u1DLDEOyPHfQN6fSSlfL2+8lf308Ag1Za+K9H2aSmUXlm tb7yXuUyXondlhsb30czuDjrvaGEAcEa67f1ll7CbjLfRQLsrhyyQN76fx+IK7malWfj kXLw3tKlwewlJkF/NozrloMuEldR2Yfd0MSi76alD+wr3y33fnH3Q+o30vXZ5wMqdul5 3HvvxDukRJbacJ9r0Zt9ydugm922sjiDQOQ10WaMNwzuI02os58SV7hAKXMmNxv5akt2 C9vQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=cBFg3FlLDGjTb7+afbM4C01prxoJW9TdjyJXjo+BiFs=; b=M27CcRCR6EuVWa97YTCeNEUe0LF5wD7pgQkqgSExUxMlMtIkzRtc7Im1E9p5V8yv9d FnLh+VdJwbHHHga5YpKq1UpRC+E1RcyfSQObv0VNlU88fXXH9ay1mWw5hJUiZ3PoOf6h otv1sBK6FuGMKbq+sbBj8k0KS9hyOnWOB/72tjmPMoCtD0FRYbwgwxgNcgppz3kltD0c tffylJZBiYcBWhrIcNTGsgx1/WHa5DRmbz/+ZJy3GQf5Rw6AxbBYTF2u8h8eMsxmIJxE w9puCfZGUIuUQYKK7X6wGqehmddM2SnhAVWKCCoPBra5TkOsh5V3q6/tchjJAqyiZ43S Mmdw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y9si5144468edp.305.2019.09.19.06.57.35; Thu, 19 Sep 2019 06:57:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732189AbfISNEc (ORCPT + 99 others); Thu, 19 Sep 2019 09:04:32 -0400 Received: from bhuna.collabora.co.uk ([46.235.227.227]:40256 "EHLO bhuna.collabora.co.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731958AbfISNEb (ORCPT ); Thu, 19 Sep 2019 09:04:31 -0400 Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: eballetbo) with ESMTPSA id B787728E9D2 Subject: Re: [PATCH] platform/chrome: cros_ec_rpmsg: Fix race with host command when probe failed. To: Pi-Hsun Shih Cc: Benson Leung , Guenter Roeck , open list References: <20190904062613.86401-1-pihsun@chromium.org> From: Enric Balletbo i Serra Message-ID: <2c8e467f-fb78-4a2c-f6e4-c04336591bb9@collabora.com> Date: Thu, 19 Sep 2019 15:04:26 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0 MIME-Version: 1.0 In-Reply-To: <20190904062613.86401-1-pihsun@chromium.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-GB Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On 4/9/19 8:26, Pi-Hsun Shih wrote: > Since the rpmsg_endpoint is created before probe is called, it's > possible that a host event is received during cros_ec_register, and > there would be some pending work in the host_event_work workqueue while > cros_ec_register is called. > > If cros_ec_register fails, when the leftover work in host_event_work > run, the ec_dev from the drvdata of the rpdev could be already set to > NULL, causing kernel crash when trying to run cros_ec_get_next_event. > > Fix this by creating the rpmsg_endpoint by ourself, and when > cros_ec_register fails (or on remove), destroy the endpoint first (to > make sure there's no more new calls to cros_ec_rpmsg_callback), and then > cancel all works in the host_event_work workqueue. > > Fixes: 2de89fd98958 ("platform/chrome: cros_ec: Add EC host command support using rpmsg") > Signed-off-by: Pi-Hsun Shih > --- Added the stable tag and applied for 5.4, the patches went to linux-next some time ago, so sorry for late notice. Thanks, Enric > drivers/platform/chrome/cros_ec_rpmsg.c | 33 +++++++++++++++++++++---- > 1 file changed, 28 insertions(+), 5 deletions(-) > > diff --git a/drivers/platform/chrome/cros_ec_rpmsg.c b/drivers/platform/chrome/cros_ec_rpmsg.c > index 8b6bd775cc9a..0c3738c3244d 100644 > --- a/drivers/platform/chrome/cros_ec_rpmsg.c > +++ b/drivers/platform/chrome/cros_ec_rpmsg.c > @@ -41,6 +41,7 @@ struct cros_ec_rpmsg { > struct rpmsg_device *rpdev; > struct completion xfer_ack; > struct work_struct host_event_work; > + struct rpmsg_endpoint *ept; > }; > > /** > @@ -72,7 +73,6 @@ static int cros_ec_pkt_xfer_rpmsg(struct cros_ec_device *ec_dev, > struct cros_ec_command *ec_msg) > { > struct cros_ec_rpmsg *ec_rpmsg = ec_dev->priv; > - struct rpmsg_device *rpdev = ec_rpmsg->rpdev; > struct ec_host_response *response; > unsigned long timeout; > int len; > @@ -85,7 +85,7 @@ static int cros_ec_pkt_xfer_rpmsg(struct cros_ec_device *ec_dev, > dev_dbg(ec_dev->dev, "prepared, len=%d\n", len); > > reinit_completion(&ec_rpmsg->xfer_ack); > - ret = rpmsg_send(rpdev->ept, ec_dev->dout, len); > + ret = rpmsg_send(ec_rpmsg->ept, ec_dev->dout, len); > if (ret) { > dev_err(ec_dev->dev, "rpmsg send failed\n"); > return ret; > @@ -196,11 +196,24 @@ static int cros_ec_rpmsg_callback(struct rpmsg_device *rpdev, void *data, > return 0; > } > > +static struct rpmsg_endpoint * > +cros_ec_rpmsg_create_ept(struct rpmsg_device *rpdev) > +{ > + struct rpmsg_channel_info chinfo = {}; > + > + strscpy(chinfo.name, rpdev->id.name, RPMSG_NAME_SIZE); > + chinfo.src = rpdev->src; > + chinfo.dst = RPMSG_ADDR_ANY; > + > + return rpmsg_create_ept(rpdev, cros_ec_rpmsg_callback, NULL, chinfo); > +} > + > static int cros_ec_rpmsg_probe(struct rpmsg_device *rpdev) > { > struct device *dev = &rpdev->dev; > struct cros_ec_rpmsg *ec_rpmsg; > struct cros_ec_device *ec_dev; > + int ret; > > ec_dev = devm_kzalloc(dev, sizeof(*ec_dev), GFP_KERNEL); > if (!ec_dev) > @@ -225,7 +238,18 @@ static int cros_ec_rpmsg_probe(struct rpmsg_device *rpdev) > INIT_WORK(&ec_rpmsg->host_event_work, > cros_ec_rpmsg_host_event_function); > > - return cros_ec_register(ec_dev); > + ec_rpmsg->ept = cros_ec_rpmsg_create_ept(rpdev); > + if (!ec_rpmsg->ept) > + return -ENOMEM; > + > + ret = cros_ec_register(ec_dev); > + if (ret < 0) { > + rpmsg_destroy_ept(ec_rpmsg->ept); > + cancel_work_sync(&ec_rpmsg->host_event_work); > + return ret; > + } > + > + return 0; > } > > static void cros_ec_rpmsg_remove(struct rpmsg_device *rpdev) > @@ -234,7 +258,7 @@ static void cros_ec_rpmsg_remove(struct rpmsg_device *rpdev) > struct cros_ec_rpmsg *ec_rpmsg = ec_dev->priv; > > cros_ec_unregister(ec_dev); > - > + rpmsg_destroy_ept(ec_rpmsg->ept); > cancel_work_sync(&ec_rpmsg->host_event_work); > } > > @@ -271,7 +295,6 @@ static struct rpmsg_driver cros_ec_driver_rpmsg = { > }, > .probe = cros_ec_rpmsg_probe, > .remove = cros_ec_rpmsg_remove, > - .callback = cros_ec_rpmsg_callback, > }; > > module_rpmsg_driver(cros_ec_driver_rpmsg); >