Received: by 2002:a05:6a10:c604:0:0:0:0 with SMTP id y4csp150017pxt; Thu, 5 Aug 2021 21:17:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwJ31a3W0wH9bAkFZkuGUh4yxCIX/ZYfFqdM5pt8xy3M6x7xopfB+APQwxhBv2B+18xMe8M X-Received: by 2002:a6b:db18:: with SMTP id t24mr159724ioc.163.1628223419936; Thu, 05 Aug 2021 21:16:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628223419; cv=none; d=google.com; s=arc-20160816; b=U7Msr6HUarD9Jwyu9wzbXtfjmx/HzN/NF76AOb5Nlj24i45qwE+Q9FOVbvdKAvbkhb oTkTjjk1ccqs36K2WR5+bkE6Q5/ZvirvjrJjantSLwMdAuNwPo+8yWqY2ULjppXJCwY1 DnPBIeE1kpMKsMcupPwEJO97Njr4ytNSwQtS9pw4dK3Hujs25x/s/ib2EKL9JmoT568v R2SW6pBb7ZzyST383JHWticufyBWLGkc+okXM5XhA/zf44j2/gspWALfwZNNb2J9n4d7 sNClBp6/VGYmp+xN+JQwjvEmrk/fSG0c9V3lzD8DnDDICG0QO/hbJZlwf9EF+MXIVmYv 2g7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:subject:cc:to:from :dkim-signature:dkim-filter; bh=SsBMOCXcw1KTxHPV+Kx5Z5bw2rNQDy5iy70OREmZWIc=; b=yyXX0oN66uCBfY3cCzDHTyS9ezfcAyT81BZ2HRCrzxb07a6DCgjwZrXbrzQnbiOjfp DMdbIjey5w0awpTkW1Rtr/kbB02d4VsgupOS2N2i1nEYinxYmI3jhBuTVE3G5Mm+TkSM vrvQR8MVDU9oLN9flpSgOu+PUs2UDvNAp4o3MBjjoEX9c2hgFWy2HMKBYSFIZEblmU/y n0n3ZllMHrbm9B4O2K/5hMX7+QLCbzcJYqvugpwbkPzHHLgWKqUgwP8CoexslVJw64RR 5CBehkS1sqOsw6EqDVWJznpN3lg4utdi21weINerdC81NdQabgMrh6itqnIZf8231pJt zriA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=oXkOZHyK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n9si7432625ilj.31.2021.08.05.21.16.46; Thu, 05 Aug 2021 21:16:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=oXkOZHyK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234583AbhHEVt7 (ORCPT + 99 others); Thu, 5 Aug 2021 17:49:59 -0400 Received: from linux.microsoft.com ([13.77.154.182]:49542 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233838AbhHEVt6 (ORCPT ); Thu, 5 Aug 2021 17:49:58 -0400 Received: by linux.microsoft.com (Postfix, from userid 1046) id 7B5A020B36E8; Thu, 5 Aug 2021 14:49:43 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 7B5A020B36E8 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1628200183; bh=SsBMOCXcw1KTxHPV+Kx5Z5bw2rNQDy5iy70OREmZWIc=; h=From:To:Cc:Subject:Date:From; b=oXkOZHyKUuC3XHtMyeHfLTBX18n/T/JnQV2JiH0J18vsgBq0pdKd0cTYb8co0WT/h Cy1jGM5FdJummXe47j0UdWO/DJJcl/GWapTNCsabAkulcmaso/bEdKMqLn6WVG5Mo/ TX0MX+BToTMZex0J54PhVWkLmmR/rYD7p44aRlpY= From: Dhananjay Phadke To: linux-i2c@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Wolfram Sang , Ray Jui , bcm-kernel-feedback-list@broadcom.com, Rayagonda Kokatanur , Dhananjay Phadke Subject: [PATCH] i2c: iproc: fix race between client unreg and tasklet Date: Thu, 5 Aug 2021 14:49:05 -0700 Message-Id: <1628200145-4962-1-git-send-email-dphadke@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Similar NULL deref was originally fixed by graceful teardown sequence - https://lore.kernel.org/linux-i2c/1597106560-79693-1-git-send-email-dphadke@linux.microsoft.com After this, a tasklet was added to take care of FIFO full condition for large i2c transaction. https://lore.kernel.org/linux-arm-kernel/20201102035433.6774-1-rayagonda.kokatanur@broadcom.com/ This introduced regression, a new race condition between tasklet enabling interrupts and client unreg teardown sequence. Kill tasklet before unreg_slave() masks bits in IE_OFFSET. Updated teardown sequence - (1) disable_irq() (2) Kill tasklet (3) Mask event enable bits in control reg (4) Erase slave address (avoid further writes to rx fifo) (5) Flush tx and rx FIFOs (6) Clear pending event (interrupt) bits in status reg (7) Set client pointer to NULL (8) enable_irq() -- Unable to handle kernel read from unreadable memory at virtual address 0000000000000320 Mem abort info: ESR = 0x96000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000009212a000 [0000000000000320] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 96000004 [#1] SMP CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O Hardware name: Overlake (DT) pstate: 40400085 (nZcv daIf +PAN -UAO -TCO BTYPE=--) pc : bcm_iproc_i2c_slave_isr+0x2b8/0x8e4 lr : bcm_iproc_i2c_slave_isr+0x1c8/0x8e4 sp : ffff800010003e70 x29: ffff800010003e80 x28: ffffda017acdc000 x27: ffffda017b0ae000 x26: ffff800010004000 x25: ffff800010000000 x24: ffffda017af4a168 x23: 0000000000000073 x22: 0000000000000000 x21: 0000000001400000 x20: 0000000001000000 x19: ffff06f09583f880 x18: 00000000fa83b2da x17: 000000000000b67e x16: 0000000002edb2f3 x15: 00000000000002c7 x14: 00000000000002c7 x13: 0000000000000006 x12: 0000000000000033 x11: 0000000000000000 x10: 0000000001000000 x9 : 0000000003289312 x8 : 0000000003289311 x7 : 02d0cd03a303adbc x6 : 02d18e7f0a4dfc6c x5 : 02edb2f33f76ea68 x4 : 00000000fa83b2da x3 : ffffda017af43cd0 x2 : ffff800010003e74 x1 : 0000000001400000 x0 : 0000000000000000 Call trace: bcm_iproc_i2c_slave_isr+0x2b8/0x8e4 bcm_iproc_i2c_isr+0x178/0x290 __handle_irq_event_percpu+0xd0/0x200 handle_irq_event+0x60/0x1a0 handle_fasteoi_irq+0x130/0x220 __handle_domain_irq+0x8c/0xcc gic_handle_irq+0xc0/0x120 el1_irq+0xcc/0x180 finish_task_switch+0x100/0x1d8 __schedule+0x61c/0x7a0 schedule_idle+0x28/0x44 do_idle+0x254/0x28c cpu_startup_entry+0x28/0x2c rest_init+0xc4/0xd0 arch_call_rest_init+0x14/0x1c start_kernel+0x33c/0x3b8 Code: f9423260 910013e2 11000509 b9047a69 (f9419009) ---[ end trace 4781455b2a7bec15 ]--- Fixes: 4d658451c9d6 ("i2c: iproc: handle rx fifo full interrupt") Signed-off-by: Dhananjay Phadke --- drivers/i2c/busses/i2c-bcm-iproc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/i2c/busses/i2c-bcm-iproc.c b/drivers/i2c/busses/i2c-bcm-iproc.c index cceaf69279a9..6304d1dd2dd6 100644 --- a/drivers/i2c/busses/i2c-bcm-iproc.c +++ b/drivers/i2c/busses/i2c-bcm-iproc.c @@ -1224,14 +1224,14 @@ static int bcm_iproc_i2c_unreg_slave(struct i2c_client *slave) disable_irq(iproc_i2c->irq); + tasklet_kill(&iproc_i2c->slave_rx_tasklet); + /* disable all slave interrupts */ tmp = iproc_i2c_rd_reg(iproc_i2c, IE_OFFSET); tmp &= ~(IE_S_ALL_INTERRUPT_MASK << IE_S_ALL_INTERRUPT_SHIFT); iproc_i2c_wr_reg(iproc_i2c, IE_OFFSET, tmp); - tasklet_kill(&iproc_i2c->slave_rx_tasklet); - /* Erase the slave address programmed */ tmp = iproc_i2c_rd_reg(iproc_i2c, S_CFG_SMBUS_ADDR_OFFSET); tmp &= ~BIT(S_CFG_EN_NIC_SMB_ADDR3_SHIFT); -- 2.17.1