From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Mukesh Ojha, Bjorn Andersson, Srinivas Kandagatla
Subject: [PATCH 6.6 336/452] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
Date: Tue, 16 Jun 2026 20:29:23 +0530
Message-ID: <20260616145134.983152591@linuxfoundation.org>
In-Reply-To: <20260616145117.796205997@linuxfoundation.org>
References: <20260616145117.796205997@linuxfoundation.org>
X-stable: review

6.6-stable review patch. If anyone has any objections, please let me know.

------------------
From: Mukesh Ojha

commit 5401fb4fe10fac6134c308495df18ed74aebb9c4 upstream.

A NULL pointer dereference was observed on Hawi at boot when the DSP sends a glink message before fastrpc_rpmsg_probe() has completed initialization:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178
  pc : _raw_spin_lock_irqsave+0x34/0x8c
  lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
  ...
  Call trace:
   _raw_spin_lock_irqsave+0x34/0x8c (P)
   fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
   qcom_glink_native_rx+0x538/0x6a4
   qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]

The faulting address 0x178 corresponds to the lock variable inside struct fastrpc_channel_ctx, confirming that cctx is NULL when fastrpc_rpmsg_callback() attempts to take the spinlock.

There are two issues here. First, dev_set_drvdata() is called before spin_lock_init() and idr_init(), leaving a window where the callback can retrieve a valid cctx pointer but operate on an uninitialized spinlock. Second, the rpmsg channel becomes live as soon as the driver is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata() is called at all, resulting in dev_get_drvdata() returning NULL.

Fix both issues by moving all cctx initialization ahead of dev_set_drvdata() so the structure is fully initialized before it becomes visible to the callback, and add a NULL check in fastrpc_rpmsg_callback() as a guard against any remaining window.

Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
Cc: stable@vger.kernel.org
Signed-off-by: Mukesh Ojha
Reviewed-by: Bjorn Andersson
Signed-off-by: Srinivas Kandagatla
Link: https://patch.msgid.link/20260530204528.116920-4-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Greg Kroah-Hartman
---
 drivers/misc/fastrpc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -2392,7 +2392,6 @@ static int fastrpc_rpmsg_probe(struct rp kref_init(&data->refcount); - dev_set_drvdata(&rpdev->dev, data); rdev->dma_mask = &data->dma_mask; dma_set_mask_and_coherent(rdev, DMA_BIT_MASK(32)); INIT_LIST_HEAD(&data->users); @@ -2401,6 +2400,7 @@ static int fastrpc_rpmsg_probe(struct rp idr_init(&data->ctx_idr); data->domain_id = domain_id; data->rpdev = rpdev; + dev_set_drvdata(&rpdev->dev, data); err = of_platform_populate(rdev->of_node, NULL, NULL, rdev); if (err) @@ -2474,6 +2474,9 @@ static int fastrpc_rpmsg_callback(struct if (len < sizeof(*rsp)) return -EINVAL; + if (!cctx) + return -ENODEV; + ctxid = ((rsp->ctx & FASTRPC_CTXID_MASK) >> 4); spin_lock_irqsave(&cctx->lock, flags);
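Review bot: in the second hunk, the relocated `dev_set_drvdata(&rpdev->dev, data);` now has to stay the last initialization step, but nothing in the code records that; a one-line comment above it (for example: publish data only after the lock and idr are initialized, the rpmsg callback can run as soon as this is set) would keep a future reorder from reintroducing the race the commit message describes. It would also help to state in the commit message what orders the preceding initialization stores ahead of this plain pointer store for a callback that runs from qcom_glink_smem_intr on another CPU; if nothing already does, a release store at this point would make the ordering explicit rather than implicit.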
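Review bot: in the third hunk the new `if (!cctx) return -ENODEV;` drops the message silently, so a DSP response arriving in the remaining window before dev_set_drvdata() vanishes without a trace; a ratelimited dev_warn() on the rpmsg device before the return would make such an early message visible in the log, which is the kind of evidence that surfaced this bug in the first place. Placing the check after the `len < sizeof(*rsp)` test is fine, since neither test needs cctx and the length check is the cheaper rejection.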
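The commit message describes two ordering problems: a context pointer published before its lock and idr are initialized, and a callback that can run before the pointer is published at all. The following is an added example, not the kernel's code, that models the corrected "initialize fully, then publish; guard the consumer against NULL" pattern in user-space C11. `struct chan_ctx`, `publish_ctx()`, `on_message()`, `run_scenario()`, the global `g_drvdata` standing in for `dev->driver_data`, and the `0xff` mask standing in for `FASTRPC_CTXID_MASK` are all hypothetical names and constructed values; the spinlock is a plain `atomic_flag` rather than a kernel spinlock.

```c
/* Added example (not the kernel's code): the "initialize fully, then publish"
 * pattern from the commit message, modelled in user-space C11. All names
 * here are hypothetical stand-ins for the fastrpc driver's own. */
#include <errno.h>      /* ENODEV, EINVAL */
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CTX_SLOTS 16

/* Stand-in for struct fastrpc_channel_ctx: a lock plus a small table.
 * An uninitialized lock is the first bug the commit message describes. */
struct chan_ctx {
    atomic_flag lock;
    int table[CTX_SLOTS];
};

/* Stand-in for dev->driver_data: the pointer the callback reads. */
static _Atomic(struct chan_ctx *) g_drvdata = NULL;

/* Message header, like the rsp->ctx word the callback decodes. */
struct rsp_msg {
    uint32_t ctx;
    int32_t retval;
};

static void ctx_lock(struct chan_ctx *c)
{
    while (atomic_flag_test_and_set_explicit(&c->lock, memory_order_acquire))
        ;   /* spin until the flag was clear */
}

static void ctx_unlock(struct chan_ctx *c)
{
    atomic_flag_clear_explicit(&c->lock, memory_order_release);
}

/* Probe side, corrected order: every field is initialized before the pointer
 * is published. The release store pairs with the acquire load in
 * on_message(), so a callback on another CPU cannot observe the pointer
 * before the initialization stores that precede it. */
static int publish_ctx(struct chan_ctx *ctx)
{
    atomic_flag_clear(&ctx->lock);          /* like spin_lock_init() */
    for (size_t i = 0; i < CTX_SLOTS; i++)   /* like idr_init() */
        ctx->table[i] = 0;
    atomic_store_explicit(&g_drvdata, ctx, memory_order_release);
    return 0;
}

static void unpublish_ctx(void)
{
    atomic_store_explicit(&g_drvdata, NULL, memory_order_release);
}

/* Callback side, mirroring the hunk: validate the length, refuse the message
 * with -ENODEV if no context has been published yet, then take the lock. */
static int on_message(const void *data, size_t len)
{
    const struct rsp_msg *rsp = data;
    struct chan_ctx *cctx;
    unsigned int ctxid;

    if (len < sizeof(*rsp))
        return -EINVAL;

    cctx = atomic_load_explicit(&g_drvdata, memory_order_acquire);
    if (!cctx)
        return -ENODEV;     /* early message: dropped instead of dereferencing NULL */

    /* constructed mask: 0xff >> 4 keeps ctxid within table[CTX_SLOTS] */
    ctxid = (rsp->ctx & 0xffu) >> 4;
    ctx_lock(cctx);
    cctx->table[ctxid] = rsp->retval;
    ctx_unlock(cctx);
    return 0;
}

/* Drive the scenario from the oops: one message arrives before the context
 * is published, one after. Returns 0 when both outcomes are as expected. */
static int run_scenario(void)
{
    static struct chan_ctx ctx;                          /* constructed context */
    struct rsp_msg msg = { .ctx = 0x30, .retval = 7 };   /* constructed: ctxid 3 */
    int early, late;

    early = on_message(&msg, sizeof(msg));   /* before publish: -ENODEV */
    if (publish_ctx(&ctx) != 0)
        return -1;
    late = on_message(&msg, sizeof(msg));    /* after publish: 0 */
    unpublish_ctx();

    if (early != -ENODEV || late != 0 || ctx.table[3] != 7)
        return -1;
    return 0;
}

int main(void)
{
    int rc = run_scenario();
    printf("%s\n", rc == 0 ? "ok: early message refused, late message handled" : "mismatch");
    return rc == 0 ? 0 : 1;
}
```

The point of the release/acquire pair is that the NULL check alone only covers the second bug from the commit message; the first bug (a visible pointer to a half-initialized structure) is closed by doing all initialization before the store that publishes the pointer, and by giving that store ordering the consumer can rely on.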