From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Mukesh Ojha, Bjorn Andersson, Srinivas Kandagatla
Subject: [PATCH 7.0 285/378] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
Date: Tue, 16 Jun 2026 20:28:36 +0530
Message-ID: <20260616145125.098123559@linuxfoundation.org>
In-Reply-To: <20260616145109.744539446@linuxfoundation.org>
References: <20260616145109.744539446@linuxfoundation.org>
X-Mailer: git-send-email 2.54.0
User-Agent: quilt/0.69
X-stable: review

7.0-stable review patch. If anyone has any objections, please let me know.

------------------
From: Mukesh Ojha

commit 5401fb4fe10fac6134c308495df18ed74aebb9c4 upstream.

A NULL pointer dereference was observed on Hawi at boot when the DSP sends a glink message before fastrpc_rpmsg_probe() has completed initialization:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178
  pc : _raw_spin_lock_irqsave+0x34/0x8c
  lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
  ...
  Call trace:
   _raw_spin_lock_irqsave+0x34/0x8c (P)
   fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
   qcom_glink_native_rx+0x538/0x6a4
   qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]

The faulting address 0x178 corresponds to the lock variable inside struct fastrpc_channel_ctx, confirming that cctx is NULL when fastrpc_rpmsg_callback() attempts to take the spinlock.

There are two issues here. First, dev_set_drvdata() is called before spin_lock_init() and idr_init(), leaving a window where the callback can retrieve a valid cctx pointer but operate on an uninitialized spinlock. Second, the rpmsg channel becomes live as soon as the driver is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata() is called at all, resulting in dev_get_drvdata() returning NULL.

Fix both issues by moving all cctx initialization ahead of dev_set_drvdata() so the structure is fully initialized before it becomes visible to the callback, and add a NULL check in fastrpc_rpmsg_callback() as a guard against any remaining window.

Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
Cc: stable@vger.kernel.org
Signed-off-by: Mukesh Ojha
Reviewed-by: Bjorn Andersson
Signed-off-by: Srinivas Kandagatla
Link: https://patch.msgid.link/20260530204528.116920-4-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Greg Kroah-Hartman
---
 drivers/misc/fastrpc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -2457,7 +2457,6 @@ static int fastrpc_rpmsg_probe(struct rp kref_init(&data->refcount); - dev_set_drvdata(&rpdev->dev, data); rdev->dma_mask = &data->dma_mask; dma_set_mask_and_coherent(rdev, DMA_BIT_MASK(32)); INIT_LIST_HEAD(&data->users); @@ -2466,6 +2465,7 @@ static int fastrpc_rpmsg_probe(struct rp idr_init(&data->ctx_idr); data->domain_id = domain_id; data->rpdev = rpdev; + dev_set_drvdata(&rpdev->dev, data); err = of_platform_populate(rdev->of_node, NULL, NULL, rdev); if (err) @@ -2539,6 +2539,9 @@ static int fastrpc_rpmsg_callback(struct if (len < sizeof(*rsp)) return -EINVAL; + if (!cctx) + return -ENODEV; + ctxid = ((rsp->ctx & FASTRPC_CTXID_MASK) >> 4); spin_lock_irqsave(&cctx->lock, flags);
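Review bot: Dropping dev_set_drvdata() from the first hunk (-2457) leaves a stretch of fastrpc_rpmsg_probe(), from the dma_mask setup and INIT_LIST_HEAD() shown in context through to the new publication point, during which dev_get_drvdata(&rpdev->dev) returns NULL; worth confirming that nothing reached from that stretch, including dma_set_mask_and_coherent() on rdev, looks cctx up through drvdata, since the callback is not the only possible reader.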
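Review bot: The new dev_set_drvdata() placement in the second hunk (-2466) carries an ordering invariant that is not visible in the code: it must stay after spin_lock_init(), idr_init() and the data->rpdev assignment, because it is the point at which cctx becomes visible to fastrpc_rpmsg_callback(). Suggest a one-line comment at the call site, e.g. `/* Publish cctx only once fully initialised; the rpmsg callback can run at any time after this. */`, so a later reorder of probe does not quietly reintroduce the race.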
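Review bot: The `if (!cctx) return -ENODEV;` guard in the third hunk (-2539) is correct but silent: it covers a real race (a DSP message arriving before probe has published drvdata) rather than a can't-happen case, and a message that hits it is dropped without a trace. Consider a short comment naming that window above the check, and possibly a dev_dbg() before the return, so an early response lost to this path is diagnosable rather than showing up later as an unexplained stall.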