Received: by 2002:ab2:4a89:0:b0:1f4:a8b6:6e69 with SMTP id w9csp327132lqj; Wed, 10 Apr 2024 11:32:26 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCU7gfI8KsihOIgLIHe58ayjuMlgyqIh1O6p1acHdjsNTpFAKZ/6sbegduaBLE2Vubcxl6SZjreHOqCAUYE7Gf7jnkKUCyRiIFeRbIjOVg== X-Google-Smtp-Source: AGHT+IGXhKl+ko5UzbT0xSw9qTd0FzNqq/FPd0gP+QmZG9k2RBukhsLspKgZbzrQoRzK5KaRQ5X2 X-Received: by 2002:a17:903:48c:b0:1e4:3f8d:12ca with SMTP id jj12-20020a170903048c00b001e43f8d12camr3446727plb.14.1712773945858; Wed, 10 Apr 2024 11:32:25 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712773945; cv=pass; d=google.com; s=arc-20160816; b=MdWdZ23sJQW07sfFv04nc74GOuCV2aRpSunk05Is5NsUxFk6cVqnusbCOk5KTxHv34 ypnMnXUGVs65ey47PKNr+0mU1Rj9HoN7zy2kwvQ2wTNEbHWnC7fxjZt2dXaEbKxJ9gkK 7oi1S1bWbV9CaWQLmn0u91rPjVyqoe8ziIy5uEn7x8YXNBd3YbnslMP49vRCAIW499M0 ZC3dI8E4K1+n5ryiBReo6edA8LOKKvt2kSAqPyP5hqzQs4C66h/DRjaIgPjgNYBeLrRl 9fjjDcejL76S6AmDXph3ifgw0Anx+xu7HH+7Vp8PGODsduebRbfW3kLj5Foaq9VgvyCs k65Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from:feedback-id:dkim-signature:dkim-signature; bh=LbUIMEaLarj+aDrxCGb4vfWzJ9bAenM4+MVOHeGEsfE=; fh=BSqyUUmkUwWJkvEk/kTyHtVTY+kOKMu51VpAr5tI6ME=; b=XUiMXpUNbhuybwpqyG1LrkJGbgMzuOI3mSuOlgzgOeI5txVeVAqJPLWW0oPfUVlx8A QTn66pqRoHJapGeboyge2rFhzaZkdb49K5CnD8Ldbb0zJ1GX8y/U3zntxWHkCXO2/UH8 yhUOaFL+FHHBAhcFRkNB+Vsbc0A6ppGR22sKaG2iakUXD5sd5/Y2KByLGF7U/EG0HO+m usKGyw7VHv6oZGli8jo7llI7IHvdvp/QPJQONzKJmN+9aK5ZOnPkru9LmPYtkS4yPlBS zj11EcaiJRkSNfeq71hlQOQdV/RXJ+2hwHCy/zS11gIGr3qVh4wt3ryVSkwLYk09jCxp Yo9g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@noahloomans.com header.s=fm3 header.b=nrvZCq6v; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=cJ61S3u+; arc=pass (i=1 spf=pass spfdomain=noahloomans.com dkim=pass dkdomain=noahloomans.com dkim=pass dkdomain=messagingengine.com); spf=pass (google.com: domain of linux-kernel+bounces-139206-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-139206-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id k3-20020a170902f28300b001e23066e237si10793807plc.233.2024.04.10.11.32.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 10 Apr 2024 11:32:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-139206-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@noahloomans.com header.s=fm3 header.b=nrvZCq6v; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=cJ61S3u+; arc=pass (i=1 spf=pass spfdomain=noahloomans.com dkim=pass dkdomain=noahloomans.com dkim=pass dkdomain=messagingengine.com); spf=pass (google.com: domain of linux-kernel+bounces-139206-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-139206-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 2500B28D30F for ; Wed, 10 Apr 2024 18:30:32 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E06291802B9; Wed, 10 Apr 2024 18:29:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=noahloomans.com header.i=@noahloomans.com header.b="nrvZCq6v"; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b="cJ61S3u+" Received: from fhigh8-smtp.messagingengine.com (fhigh8-smtp.messagingengine.com [103.168.172.159]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3A36E1802A1; Wed, 10 Apr 2024 18:29:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=103.168.172.159 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712773795; cv=none; b=UVKZZH7a2ZuN7SKEGdH4Q4+3xyWGg8DJc3L0d01QehF+PEQVzB99ZnpB4Ccug1qMtzY1ssWAAGo/tw+0Mopxm+GSYAr1zON0+g9Rt0MEMD72tDxld5bYPqYewgii9iwirr8rx9qFgYrSfwivb0SLVz5sX7mY353/4hRDh4TEAB0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712773795; c=relaxed/simple; bh=SQCDWCsQ5RNLOnzg0m93ZoSRZmhabER90bEkvWudsp0=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=NG1jurEktWddgHtjaqtJxqZJZFjxy0tTHTjIEqARdExr/am19JrOkAkkokk5kXk3YY5JWcUTdYwqsA/YQrlKDKy+GFO+cvv47QAwkirD6kHdzIASMZobABWwEEMNrjsVu7M/6PKogpbKhegvEIs3dlBh3ZzzxrCSotB7IGbIkjk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=noahloomans.com; spf=pass smtp.mailfrom=noahloomans.com; dkim=pass (2048-bit key) header.d=noahloomans.com header.i=@noahloomans.com header.b=nrvZCq6v; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b=cJ61S3u+; arc=none smtp.client-ip=103.168.172.159 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=noahloomans.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=noahloomans.com Received: from compute7.internal (compute7.nyi.internal [10.202.2.48]) by mailfhigh.nyi.internal (Postfix) with ESMTP id 092251140153; Wed, 10 Apr 2024 14:29:51 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute7.internal (MEProxy); Wed, 10 Apr 2024 14:29:51 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=noahloomans.com; h=cc:cc:content-transfer-encoding:content-type:date:date:from :from:in-reply-to:message-id:mime-version:reply-to:subject :subject:to:to; s=fm3; t=1712773791; x=1712860191; bh=LbUIMEaLar j+aDrxCGb4vfWzJ9bAenM4+MVOHeGEsfE=; b=nrvZCq6voGlzTaAYlA7+V89VmA i6rDnIWF0oWMi+3YUNi1MpAXl0dGmRNkU+zQE5vLm47h67n7O0Gy6pLnkuexOH5D EH4wr4evQOd35b4FdJdp11Q0BC1sxuld9Ac64UHe0feh8HACjKU3ruhNsyUONAO+ tgLAewXORydyCiim/WXIHOLVb67jP7j05oI/C0rwcs0wfrK7LUV8XL5CvnZwvn5v 3kPUQ4knBO2shraPC8ThOCwhrmAJkAY9V7un0EWlsPelbaqecQETkJEzwsWj/liJ gCSOW7Xc+zhsgzuTK0HVLi6ws9+ettC+uBr1v9czwP2/hfFYNN/0d7M/XfNg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:message-id:mime-version:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1712773791; x=1712860191; bh=LbUIMEaLarj+aDrxCGb4vfWzJ9bA enM4+MVOHeGEsfE=; b=cJ61S3u+6iCgepsfGMIsDn03EcpAJ1IIOQmOzoy239AZ UFrYCzJ/qQPqNzGZvBGU+7+zwMg8Py8N4yK/+Uo/6o+Fo05HCS1ri71qlkHxmqav kekxy4+hK0taK6gwf5TnWrcklAbWg1ZthCvLY4h57BSMIJOC5+vuSLkq4+fE6YTw 9rRgPFyBLJw1QEKUdg2AA7rFq6RVDbS2r//x8xJIVGW94g7HNdramBJOQEmucsBt mSlZptI23Lr95MGe8YxxI5yRkvOmW+aqr37RZn0eCx41VWcQSoosMI8+Ftfq4rt2 JC7N2zrejh0Q2Q4YPvD4EXcSFl3nMW9VvjsuiB3iJg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrudehiedguddvfecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffoggfgsedtkeertdertddtnecuhfhrohhmpefpohgrhhcu nfhoohhmrghnshcuoehnohgrhhesnhhorghhlhhoohhmrghnshdrtghomheqnecuggftrf grthhtvghrnhepkeetieeguedvkeevfeekleehuedtjeefkeffledvhffhhefgtdejffeh gfehgeetnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh epnhhorghhsehnohgrhhhlohhomhgrnhhsrdgtohhm X-ME-Proxy: Feedback-ID: i93394469:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 10 Apr 2024 14:29:49 -0400 (EDT) From: Noah Loomans To: Bhanu Prakash Maiya Cc: Benson Leung , Tzung-Bi Shih , Guenter Roeck , Robert Zieba , chrome-platform@lists.linux.dev, linux-kernel@vger.kernel.org, Noah Loomans , stable@vger.kernel.org Subject: [PATCH] platform/chrome: cros_ec_uart: properly fix race condition Date: Wed, 10 Apr 2024 20:26:19 +0200 Message-ID: <20240410182618.169042-2-noah@noahloomans.com> X-Mailer: git-send-email 2.44.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit The cros_ec_uart_probe() function calls devm_serdev_device_open() before it calls serdev_device_set_client_ops(). This can trigger a NULL pointer dereference: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... CPU: 5 PID: 103 Comm: kworker/u16:3 Not tainted 6.8.4-zen1-1-zen #1 4a88f2661038c2a3bb69aa70fb41a5735338823c Hardware name: Google Morphius/Morphius, BIOS MrChromebox-4.22.2-1-g2a93624aebf 01/22/2024 Workqueue: events_unbound flush_to_ldisc RIP: 0010:ttyport_receive_buf+0x3f/0xf0 ... Call Trace: ? __die+0x10f/0x120 ? page_fault_oops+0x171/0x4e0 ? srso_return_thunk+0x5/0x5f ? exc_page_fault+0x7f/0x180 ? asm_exc_page_fault+0x26/0x30 ? ttyport_receive_buf+0x3f/0xf0 flush_to_ldisc+0x9b/0x1c0 process_one_work+0x17b/0x340 worker_thread+0x301/0x490 ? __pfx_worker_thread+0x10/0x10 kthread+0xe8/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 A simplified version of crashing code is as follows: static inline size_t serdev_controller_receive_buf(struct serdev_controller *ctrl, const u8 *data, size_t count) { struct serdev_device *serdev = ctrl->serdev; if (!serdev || !serdev->ops->receive_buf) // CRASH! return 0; return serdev->ops->receive_buf(serdev, data, count); } static size_t ttyport_receive_buf(struct tty_port *port, const u8 *cp, const u8 *fp, size_t count) { struct serdev_controller *ctrl = port->client_data; [...] if (!test_bit(SERPORT_ACTIVE, &serport->flags)) return 0; ret = serdev_controller_receive_buf(ctrl, cp, count); [...] return ret; } It assumes that if SERPORT_ACTIVE is set and serdev exists, serdev->ops will also exist. This conflicts with the existing cros_ec_uart_probe() logic, as it first calls devm_serdev_device_open() (which sets SERPORT_ACTIVE), and only later sets serdev->ops via serdev_device_set_client_ops(). Commit 01f95d42b8f4 ("platform/chrome: cros_ec_uart: fix race condition") attempted to fix a similar race condition, but while doing so, made the window of error for this race condition to happen much wider. Attempt to fix the race condition again, making sure we fully setup before calling devm_serdev_device_open(). Fixes: 01f95d42b8f4 ("platform/chrome: cros_ec_uart: fix race condition") Cc: stable@vger.kernel.org Signed-off-by: Noah Loomans --- This is my first time contributing to Linux, I hope this is a good patch. Feedback on how to improve is welcome! drivers/platform/chrome/cros_ec_uart.c | 28 +++++++++++++------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/drivers/platform/chrome/cros_ec_uart.c b/drivers/platform/chrome/cros_ec_uart.c index 8ea867c2a01a..62bc24f6dcc7 100644 --- a/drivers/platform/chrome/cros_ec_uart.c +++ b/drivers/platform/chrome/cros_ec_uart.c @@ -263,12 +263,6 @@ static int cros_ec_uart_probe(struct serdev_device *serdev) if (!ec_dev) return -ENOMEM; - ret = devm_serdev_device_open(dev, serdev); - if (ret) { - dev_err(dev, "Unable to open UART device"); - return ret; - } - serdev_device_set_drvdata(serdev, ec_dev); init_waitqueue_head(&ec_uart->response.wait_queue); @@ -280,14 +274,6 @@ static int cros_ec_uart_probe(struct serdev_device *serdev) return ret; } - ret = serdev_device_set_baudrate(serdev, ec_uart->baudrate); - if (ret < 0) { - dev_err(dev, "Failed to set up host baud rate (%d)", ret); - return ret; - } - - serdev_device_set_flow_control(serdev, ec_uart->flowcontrol); - /* Initialize ec_dev for cros_ec */ ec_dev->phys_name = dev_name(dev); ec_dev->dev = dev; @@ -301,6 +287,20 @@ static int cros_ec_uart_probe(struct serdev_device *serdev) serdev_device_set_client_ops(serdev, &cros_ec_uart_client_ops); + ret = devm_serdev_device_open(dev, serdev); + if (ret) { + dev_err(dev, "Unable to open UART device"); + return ret; + } + + ret = serdev_device_set_baudrate(serdev, ec_uart->baudrate); + if (ret < 0) { + dev_err(dev, "Failed to set up host baud rate (%d)", ret); + return ret; + } + + serdev_device_set_flow_control(serdev, ec_uart->flowcontrol); + return cros_ec_register(ec_dev); } -- 2.44.0