Message ID | 1665889532-13634-1-git-send-email-quic_qianyu@quicinc.com |
---|---|
State | New |
Headers | From: Qiang Yu <quic_qianyu@quicinc.com> To: mani@kernel.org, loic.poulain@linaro.org Cc: mhi@lists.linux.dev, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, quic_cang@quicinc.com, mrana@quicinc.com, Qiang Yu <quic_qianyu@quicinc.com> Subject: [PATCH v2] bus: mhi: host: Fix race between channel preparation and M0 event Date: Sun, 16 Oct 2022 11:05:32 +0800 |
Series | [v2] bus: mhi: host: Fix race between channel preparation and M0 event |
Commit Message
Qiang Yu
Oct. 16, 2022, 3:05 a.m. UTC
There is a race condition where mhi_prepare_channel() updates the
read and write pointers as the base address and in parallel, if
an M0 transition occurs, the tasklet goes ahead and rings
doorbells for all channels with a delta in TRE rings assuming
they are already enabled. This causes a null pointer access. Fix
it by adding a channel enabled check before ringing channel
doorbells.
Fixes: a6e2e3522f29 "bus: mhi: core: Add support for PM state transitions"
Signed-off-by: Qiang Yu <quic_qianyu@quicinc.com>
---
v1->v2: add Fixes tags
drivers/bus/mhi/host/pm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Comments
On Sun, Oct 16, 2022 at 11:05:32AM +0800, Qiang Yu wrote:
> There is a race condition where mhi_prepare_channel() updates the
> read and write pointers as the base address and in parallel, if
> an M0 transition occurs, the tasklet goes ahead and rings
> doorbells for all channels with a delta in TRE rings assuming
> they are already enabled. This causes a null pointer access. Fix
> it by adding a channel enabled check before ringing channel
> doorbells.
>
> Fixes: a6e2e3522f29 "bus: mhi: core: Add support for PM state transitions"
> Signed-off-by: Qiang Yu <quic_qianyu@quicinc.com>

Can you also CC stable list for backporting?

Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>

Thanks,
Mani

> ---
> v1->v2: add Fixes tags
>
> drivers/bus/mhi/host/pm.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/bus/mhi/host/pm.c b/drivers/bus/mhi/host/pm.c > index 4a42186..0834590 100644 > --- a/drivers/bus/mhi/host/pm.c > +++ b/drivers/bus/mhi/host/pm.c > @@ -301,7 +301,8 @@ int mhi_pm_m0_transition(struct mhi_controller *mhi_cntrl) > read_lock_irq(&mhi_chan->lock); > > /* Only ring DB if ring is not empty */ > - if (tre_ring->base && tre_ring->wp != tre_ring->rp) > + if (tre_ring->base && tre_ring->wp != tre_ring->rp && > + mhi_chan->ch_state == MHI_CH_STATE_ENABLED) > mhi_ring_chan_db(mhi_cntrl, mhi_chan); > read_unlock_irq(&mhi_chan->lock); > } > -- > 2.7.4 > >
On Fri, Oct 28, 2022 at 10:24:01PM +0530, Manivannan Sadhasivam wrote:
> On Sun, Oct 16, 2022 at 11:05:32AM +0800, Qiang Yu wrote:
> > There is a race condition where mhi_prepare_channel() updates the
> > read and write pointers as the base address and in parallel, if
> > an M0 transition occurs, the tasklet goes ahead and rings
> > doorbells for all channels with a delta in TRE rings assuming
> > they are already enabled. This causes a null pointer access. Fix
> > it by adding a channel enabled check before ringing channel
> > doorbells.
> >
> > Fixes: a6e2e3522f29 "bus: mhi: core: Add support for PM state transitions"
> > Signed-off-by: Qiang Yu <quic_qianyu@quicinc.com>
>
> Can you also CC stable list for backporting?
>

Nvm, I added stable list and applied the patch to mhi-next! Because of the
addition of MHI EP support, this patch can be backported without modifications
till 5.19 only. If you want to backport to older kernels, please send them to
stable list once this got merged.

Thanks,
Mani

> Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
>
> Thanks,
> Mani
>
> > ---
> > v1->v2: add Fixes tags
> >
> > drivers/bus/mhi/host/pm.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/bus/mhi/host/pm.c b/drivers/bus/mhi/host/pm.c > > index 4a42186..0834590 100644 > > --- a/drivers/bus/mhi/host/pm.c > > +++ b/drivers/bus/mhi/host/pm.c > > @@ -301,7 +301,8 @@ int mhi_pm_m0_transition(struct mhi_controller *mhi_cntrl) > > read_lock_irq(&mhi_chan->lock); > > > > /* Only ring DB if ring is not empty */ > > - if (tre_ring->base && tre_ring->wp != tre_ring->rp) > > + if (tre_ring->base && tre_ring->wp != tre_ring->rp && > > + mhi_chan->ch_state == MHI_CH_STATE_ENABLED) > > mhi_ring_chan_db(mhi_cntrl, mhi_chan); > > read_unlock_irq(&mhi_chan->lock); > > } > > -- > > 2.7.4 > > > > > > -- > மணிவண்ணன் சதாசிவம் >
diff --git a/drivers/bus/mhi/host/pm.c b/drivers/bus/mhi/host/pm.c index 4a42186..0834590 100644 --- a/drivers/bus/mhi/host/pm.c +++ b/drivers/bus/mhi/host/pm.c @@ -301,7 +301,8 @@ int mhi_pm_m0_transition(struct mhi_controller *mhi_cntrl) read_lock_irq(&mhi_chan->lock); /* Only ring DB if ring is not empty */ - if (tre_ring->base && tre_ring->wp != tre_ring->rp) + if (tre_ring->base && tre_ring->wp != tre_ring->rp && + mhi_chan->ch_state == MHI_CH_STATE_ENABLED) mhi_ring_chan_db(mhi_cntrl, mhi_chan); read_unlock_irq(&mhi_chan->lock); }
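Review bot: In mhi_pm_m0_transition(), the comment above the changed condition still reads "Only ring DB if ring is not empty", but the test now also requires mhi_chan->ch_state == MHI_CH_STATE_ENABLED; update the comment to say the doorbell is rung only for enabled channels whose ring is not empty. The new check is evaluated under read_lock_irq(&mhi_chan->lock), so it closes the race only if the channel preparation path sets ch_state to enabled while holding the same lock for writing, and only after the ring pointers are final; that side is not visible in this hunk and is worth confirming or stating in the commit message. The commit message could also name which pointer ends up null, since tre_ring->base was already being checked before this change.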