From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Cristian Marussi, Sudeep Holla, Sasha Levin
Subject: [PATCH 5.9 019/391] firmware: arm_scmi: Fix locking in notifications
Date: Tue, 3 Nov 2020 21:31:10 +0100
Message-Id: <20201103203349.219858293@linuxfoundation.org>
In-Reply-To: <20201103203348.153465465@linuxfoundation.org>
References: <20201103203348.153465465@linuxfoundation.org>

From: Cristian Marussi

[ Upstream commit c7821c2d9c0dda0adf2bcf88e79b02a19a430be4 ]

When a protocol registers its events, the notification core takes care
to rescan the hashtable of pending event handlers and activate all the
possibly existent handlers referring to any of the events that are just
registered by the new protocol. When a pending handler becomes active
the core requests and enables the corresponding events in the SCMI
firmware.

If, for whatever reason, the enable fails, such invalid event handler
must be finally removed and freed. Let us ensure to use the
scmi_put_active_handler() helper which handles properly the needed
additional locking.

Failing to properly acquire all the needed mutexes exposes a race that
leads to the following splat being observed:

 WARNING: CPU: 0 PID: 388 at lib/refcount.c:28 refcount_warn_saturate+0xf8/0x148
 Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Jun 30 2020
 pstate: 40000005 (nZcv daif -PAN -UAO BTYPE=--)
 pc : refcount_warn_saturate+0xf8/0x148
 lr : refcount_warn_saturate+0xf8/0x148
 Call trace:
  refcount_warn_saturate+0xf8/0x148
  scmi_put_handler_unlocked.isra.10+0x204/0x208
  scmi_put_handler+0x50/0xa0
  scmi_unregister_notifier+0x1bc/0x240
  scmi_notify_tester_remove+0x4c/0x68 [dummy_scmi_consumer]
  scmi_dev_remove+0x54/0x68
  device_release_driver_internal+0x114/0x1e8
  driver_detach+0x58/0xe8
  bus_remove_driver+0x88/0xe0
  driver_unregister+0x38/0x68
  scmi_driver_unregister+0x1c/0x28
  scmi_drv_exit+0x1c/0xae0 [dummy_scmi_consumer]
  __arm64_sys_delete_module+0x1a4/0x268
  el0_svc_common.constprop.3+0x94/0x178
  do_el0_svc+0x2c/0x98
  el0_sync_handler+0x148/0x1a8
  el0_sync+0x158/0x180

Link: https://lore.kernel.org/r/20201013133109.49821-1-cristian.marussi@arm.com
Fixes: e7c215f358a35 ("firmware: arm_scmi: Add notification callbacks-registration")
Signed-off-by: Cristian Marussi
Signed-off-by: Sudeep Holla
Signed-off-by: Sasha Levin --- drivers/firmware/arm_scmi/notify.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/drivers/firmware/arm_scmi/notify.c b/drivers/firmware/arm_scmi/notify.c index 4731daaacd19e..4d9f6de3a7fae 100644 --- a/drivers/firmware/arm_scmi/notify.c +++ b/drivers/firmware/arm_scmi/notify.c @@ -1403,15 +1403,21 @@ static void scmi_protocols_late_init(struct work_struct *work) "finalized PENDING handler - key:%X\n", hndl->key); ret = scmi_event_handler_enable_events(hndl); + if (ret) { + dev_dbg(ni->handle->dev, + "purging INVALID handler - key:%X\n", + hndl->key); + scmi_put_active_handler(ni, hndl); + } } else { ret = scmi_valid_pending_handler(ni, hndl); - } - if (ret) { - dev_dbg(ni->handle->dev, - "purging PENDING handler - key:%X\n", - hndl->key); - /* this hndl can be only a pending one */ - scmi_put_handler_unlocked(ni, hndl); + if (ret) { + dev_dbg(ni->handle->dev, + "purging PENDING handler - key:%X\n", + hndl->key); + /* this hndl can be only a pending one */ + scmi_put_handler_unlocked(ni, hndl); + } } } mutex_unlock(&ni->pending_mtx); -- 2.27.0
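
Review bot: In the new if (ret) branch that follows scmi_event_handler_enable_events(hndl), scmi_put_active_handler(ni, hndl) is called while ni->pending_mtx is still held (the mutex_unlock(&ni->pending_mtx) only comes after the loop), and nothing in the code says which additional lock the helper takes or why that ordering is safe. The pending branch keeps its "/* this hndl can be only a pending one */" comment; the active branch should get an equivalent one-line comment stating that the handler has already been made active and that the helper acquires the extra lock, since choosing the wrong put helper here is what produced the refcount_warn_saturate splat quoted in the commit message. Separately, scmi_protocols_late_init() returns void and ret is not used beyond this check, so a failed enable is only visible through dev_dbg; consider whether "purging INVALID handler" deserves a higher log level than the routine "purging PENDING handler" message.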