From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 40EA544BCB8; Tue, 16 Jun 2026 16:05:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781625931; cv=none; b=gHqr3AzbRxt/0hxohnxE9OwHU3zg5mvsGqQpDsMbnSA4nkPdX3vpHTLm/kxdoLrVPOHy9KwbdUw/D3i9d6tgJ2RqwSllWmy0AI1s4tbXSKdGswNmXrkDXu2emPK9jyPErqpKVWebGA1jjg+3Q5f8vKkyq/9pqnKkODPj9ZwM1e4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781625931; c=relaxed/simple; bh=8LOqgTjnLFDPuzODS+M1rAniK1v+yhZswMX3pkU6eSM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=hGAOXl/sFYltbm6Ceq0Yvf7IkCJFtDe+fv1Sk8zsBSrcts/r3Bj5s8xDZMit2C938K1vdY45wpVgT9chkxST7YZneEJDgbbCsT8KCL/eYuYanLkcRwWOzjhaGT8G03ahFuYIAtw+dxM3ptQGCIRxQKw52oKPvBiYL5I+wPHbwQA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=Kdqq0wCj; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="Kdqq0wCj" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 31DAA1F000E9; Tue, 16 Jun 2026 16:05:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1781625930; bh=Q2NJ0L9OUdU67uzRbYmHrm+xgAER5ImXCnQpfXeH92E=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=Kdqq0wCjnGhnCW6mbZW+iGe5lyb1jyEegwTLrua9Eqw0BQhBDuedmjiA8VmKF9R9a acuY5+lw6Gwt3hX/b7WkW+5RmtUrP08TX1pyPZWKMV4OJ2YhEDWq2pcj6Suf5qf7ml JN7O79P7IK+BINextti6eUnNG3JXLD34qbZnlpjE= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Mukesh Ojha , Bjorn Andersson , Srinivas Kandagatla Subject: [PATCH 6.18 234/325] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Date: Tue, 16 Jun 2026 20:30:30 +0530 Message-ID: <20260616145110.073388783@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260616145057.827196531@linuxfoundation.org> References: <20260616145057.827196531@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mukesh Ojha commit 5401fb4fe10fac6134c308495df18ed74aebb9c4 upstream. A NULL pointer dereference was observed on Hawi at boot when the DSP sends a glink message before fastrpc_rpmsg_probe() has completed initialization: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178 pc : _raw_spin_lock_irqsave+0x34/0x8c lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] ... Call trace: _raw_spin_lock_irqsave+0x34/0x8c (P) fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] qcom_glink_native_rx+0x538/0x6a4 qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem] The faulting address 0x178 corresponds to the lock variable inside struct fastrpc_channel_ctx, confirming that cctx is NULL when fastrpc_rpmsg_callback() attempts to take the spinlock. There are two issues here. First, dev_set_drvdata() is called before spin_lock_init() and idr_init(), leaving a window where the callback can retrieve a valid cctx pointer but operate on an uninitialized spinlock. Second, the rpmsg channel becomes live as soon as the driver is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata() is called at all, resulting in dev_get_drvdata() returning NULL. Fix both issues by moving all cctx initialization ahead of dev_set_drvdata() so the structure is fully initialized before it becomes visible to the callback, and add a NULL check in fastrpc_rpmsg_callback() as a guard against any remaining window. Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model") Cc: stable@vger.kernel.org Signed-off-by: Mukesh Ojha Reviewed-by: Bjorn Andersson Signed-off-by: Srinivas Kandagatla Link: https://patch.msgid.link/20260530204528.116920-4-srini@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman --- drivers/misc/fastrpc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -2404,7 +2404,6 @@ static int fastrpc_rpmsg_probe(struct rp kref_init(&data->refcount); - dev_set_drvdata(&rpdev->dev, data); rdev->dma_mask = &data->dma_mask; dma_set_mask_and_coherent(rdev, DMA_BIT_MASK(32)); INIT_LIST_HEAD(&data->users); @@ -2413,6 +2412,7 @@ static int fastrpc_rpmsg_probe(struct rp idr_init(&data->ctx_idr); data->domain_id = domain_id; data->rpdev = rpdev; + dev_set_drvdata(&rpdev->dev, data); err = of_platform_populate(rdev->of_node, NULL, NULL, rdev); if (err) @@ -2486,6 +2486,9 @@ static int fastrpc_rpmsg_callback(struct if (len < sizeof(*rsp)) return -EINVAL; + if (!cctx) + return -ENODEV; + ctxid = ((rsp->ctx & FASTRPC_CTXID_MASK) >> 4); spin_lock_irqsave(&cctx->lock, flags);