public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH v2 1/2] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
@ 2026-05-04 17:17 Mukesh Ojha
  2026-05-04 17:17 ` [PATCH v2 2/2] misc: fastrpc: Move prints outside spinlock in fastrpc_cb_probe Mukesh Ojha
  2026-05-04 18:53 ` [PATCH v2 1/2] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Bjorn Andersson
  0 siblings, 2 replies; 4+ messages in thread
From: Mukesh Ojha @ 2026-05-04 17:17 UTC (permalink / raw)
  To: Srinivas Kandagatla, Amol Maheshwari, Arnd Bergmann,
	Greg Kroah-Hartman, Thierry Escande
  Cc: linux-arm-msm, dri-devel, linux-kernel, Mukesh Ojha, stable

A NULL pointer dereference was observed on Hawi at boot when the DSP
sends a glink message before fastrpc_rpmsg_probe() has completed
initialization:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178
  pc : _raw_spin_lock_irqsave+0x34/0x8c
  lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
  ...
  Call trace:
   _raw_spin_lock_irqsave+0x34/0x8c (P)
   fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
   qcom_glink_native_rx+0x538/0x6a4
   qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]

The faulting address 0x178 corresponds to the lock variable inside
struct fastrpc_channel_ctx, confirming that cctx is NULL when
fastrpc_rpmsg_callback() attempts to take the spinlock.

There are two issues here. First, dev_set_drvdata() is called before
spin_lock_init() and idr_init(), leaving a window where the callback
can retrieve a valid cctx pointer but operate on an uninitialized
spinlock. Second, the rpmsg channel becomes live as soon as the driver
is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata()
is called at all, resulting in dev_get_drvdata() returning NULL.

Fix both issues by moving all cctx initialization ahead of
dev_set_drvdata() so the structure is fully initialized before it
becomes visible to the callback, and add a NULL check in
fastrpc_rpmsg_callback() as a guard against any remaining window.

Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
Cc: stable@vger.kernel.org
Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
---
Changes in v2: https://lore.kernel.org/lkml/20260417200146.184425-1-mukesh.ojha@oss.qualcomm.com/
 - Added stable mailing list and fixes tag.

 drivers/misc/fastrpc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index 1080f9acf70a..a1a54453bb7e 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -2431,7 +2431,6 @@ static int fastrpc_rpmsg_probe(struct rpmsg_device *rpdev)
 
 	kref_init(&data->refcount);
 
-	dev_set_drvdata(&rpdev->dev, data);
 	rdev->dma_mask = &data->dma_mask;
 	dma_set_mask_and_coherent(rdev, DMA_BIT_MASK(32));
 	INIT_LIST_HEAD(&data->users);
@@ -2440,6 +2439,7 @@ static int fastrpc_rpmsg_probe(struct rpmsg_device *rpdev)
 	idr_init(&data->ctx_idr);
 	data->domain_id = domain_id;
 	data->rpdev = rpdev;
+	dev_set_drvdata(&rpdev->dev, data);
 
 	err = of_platform_populate(rdev->of_node, NULL, NULL, rdev);
 	if (err)
@@ -2513,6 +2513,9 @@ static int fastrpc_rpmsg_callback(struct rpmsg_device *rpdev, void *data,
 	if (len < sizeof(*rsp))
 		return -EINVAL;
 
+	if (!cctx)
+		return -ENODEV;
+
 	ctxid = ((rsp->ctx & FASTRPC_CTXID_MASK) >> 4);
 
 	spin_lock_irqsave(&cctx->lock, flags);
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH v2 2/2] misc: fastrpc: Move prints outside spinlock in fastrpc_cb_probe
  2026-05-04 17:17 [PATCH v2 1/2] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Mukesh Ojha
@ 2026-05-04 17:17 ` Mukesh Ojha
  2026-05-04 18:54   ` Bjorn Andersson
  2026-05-04 18:53 ` [PATCH v2 1/2] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Bjorn Andersson
  1 sibling, 1 reply; 4+ messages in thread
From: Mukesh Ojha @ 2026-05-04 17:17 UTC (permalink / raw)
  To: Srinivas Kandagatla, Amol Maheshwari, Arnd Bergmann,
	Greg Kroah-Hartman, Thierry Escande
  Cc: linux-arm-msm, dri-devel, linux-kernel, Mukesh Ojha

dev_err() and dev_info() were called while holding a spinlock with
IRQs disabled, which is incorrect as printk can be slow and should
not be called in atomic context.

Move the dev_err() for the FASTRPC_MAX_SESSIONS check to after the
spinlock is released, and save the return value of of_property_read_u32()
to print dev_info() after the lock is dropped. Minor variable style
correction in probe function.

Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
---
Changes in v2:
 - New change.

 drivers/misc/fastrpc.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
index a1a54453bb7e..d169dea961f0 100644
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -2197,19 +2197,22 @@ static int fastrpc_cb_probe(struct platform_device *pdev)
 	struct device *dev = &pdev->dev;
 	int i, sessions = 0;
 	unsigned long flags;
-	int rc;
 	u32 dma_bits;
+	u32 sid = 0;
+	int rc;
 
 	cctx = dev_get_drvdata(dev->parent);
 	if (!cctx)
 		return -EINVAL;
 
 	of_property_read_u32(dev->of_node, "qcom,nsessions", &sessions);
+	if (of_property_read_u32(dev->of_node, "reg", &sid))
+		dev_info(dev, "FastRPC Session ID not specified in DT\n");
 
 	spin_lock_irqsave(&cctx->lock, flags);
 	if (cctx->sesscount >= FASTRPC_MAX_SESSIONS) {
-		dev_err(&pdev->dev, "too many sessions\n");
 		spin_unlock_irqrestore(&cctx->lock, flags);
+		dev_err(&pdev->dev, "too many sessions\n");
 		return -ENOSPC;
 	}
 	dma_bits = cctx->soc_data->dma_addr_bits_default;
@@ -2218,13 +2221,11 @@ static int fastrpc_cb_probe(struct platform_device *pdev)
 	sess->valid = true;
 	sess->dev = dev;
 	dev_set_drvdata(dev, sess);
+	sess->sid = sid;
 
 	if (cctx->domain_id == CDSP_DOMAIN_ID)
 		dma_bits = cctx->soc_data->dma_addr_bits_cdsp;
 
-	if (of_property_read_u32(dev->of_node, "reg", &sess->sid))
-		dev_info(dev, "FastRPC Session ID not specified in DT\n");
-
 	if (sessions > 0) {
 		struct fastrpc_session_ctx *dup_sess;
 
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH v2 1/2] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
  2026-05-04 17:17 [PATCH v2 1/2] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Mukesh Ojha
  2026-05-04 17:17 ` [PATCH v2 2/2] misc: fastrpc: Move prints outside spinlock in fastrpc_cb_probe Mukesh Ojha
@ 2026-05-04 18:53 ` Bjorn Andersson
  1 sibling, 0 replies; 4+ messages in thread
From: Bjorn Andersson @ 2026-05-04 18:53 UTC (permalink / raw)
  To: Mukesh Ojha
  Cc: Srinivas Kandagatla, Amol Maheshwari, Arnd Bergmann,
	Greg Kroah-Hartman, Thierry Escande, linux-arm-msm, dri-devel,
	linux-kernel, stable

On Mon, May 04, 2026 at 10:47:00PM +0530, Mukesh Ojha wrote:
> A NULL pointer dereference was observed on Hawi at boot when the DSP
> sends a glink message before fastrpc_rpmsg_probe() has completed
> initialization:
> 
>   Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178
>   pc : _raw_spin_lock_irqsave+0x34/0x8c
>   lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
>   ...
>   Call trace:
>    _raw_spin_lock_irqsave+0x34/0x8c (P)
>    fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
>    qcom_glink_native_rx+0x538/0x6a4
>    qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]
> 
> The faulting address 0x178 corresponds to the lock variable inside
> struct fastrpc_channel_ctx, confirming that cctx is NULL when
> fastrpc_rpmsg_callback() attempts to take the spinlock.
> 
> There are two issues here. First, dev_set_drvdata() is called before
> spin_lock_init() and idr_init(), leaving a window where the callback
> can retrieve a valid cctx pointer but operate on an uninitialized
> spinlock. Second, the rpmsg channel becomes live as soon as the driver
> is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata()
> is called at all, resulting in dev_get_drvdata() returning NULL.
> 
> Fix both issues by moving all cctx initialization ahead of
> dev_set_drvdata() so the structure is fully initialized before it
> becomes visible to the callback, and add a NULL check in
> fastrpc_rpmsg_callback() as a guard against any remaining window.
> 
> Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
> Cc: stable@vger.kernel.org
> Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>

The fix looks good to me.

Reviewed-by: Bjorn Andersson <andersson@kernel.org>


But I can't help wonder, what's in that message? Should we make sure to
handle it, longer term?

Regards,
Bjorn

> ---
> Changes in v2: https://lore.kernel.org/lkml/20260417200146.184425-1-mukesh.ojha@oss.qualcomm.com/
>  - Added stable mailing list and fixes tag.
> 
>  drivers/misc/fastrpc.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
> index 1080f9acf70a..a1a54453bb7e 100644
> --- a/drivers/misc/fastrpc.c
> +++ b/drivers/misc/fastrpc.c
> @@ -2431,7 +2431,6 @@ static int fastrpc_rpmsg_probe(struct rpmsg_device *rpdev)
>  
>  	kref_init(&data->refcount);
>  
> -	dev_set_drvdata(&rpdev->dev, data);
>  	rdev->dma_mask = &data->dma_mask;
>  	dma_set_mask_and_coherent(rdev, DMA_BIT_MASK(32));
>  	INIT_LIST_HEAD(&data->users);
> @@ -2440,6 +2439,7 @@ static int fastrpc_rpmsg_probe(struct rpmsg_device *rpdev)
>  	idr_init(&data->ctx_idr);
>  	data->domain_id = domain_id;
>  	data->rpdev = rpdev;
> +	dev_set_drvdata(&rpdev->dev, data);
>  
>  	err = of_platform_populate(rdev->of_node, NULL, NULL, rdev);
>  	if (err)
> @@ -2513,6 +2513,9 @@ static int fastrpc_rpmsg_callback(struct rpmsg_device *rpdev, void *data,
>  	if (len < sizeof(*rsp))
>  		return -EINVAL;
>  
> +	if (!cctx)
> +		return -ENODEV;
> +
>  	ctxid = ((rsp->ctx & FASTRPC_CTXID_MASK) >> 4);
>  
>  	spin_lock_irqsave(&cctx->lock, flags);
> -- 
> 2.53.0
> 
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH v2 2/2] misc: fastrpc: Move prints outside spinlock in fastrpc_cb_probe
  2026-05-04 17:17 ` [PATCH v2 2/2] misc: fastrpc: Move prints outside spinlock in fastrpc_cb_probe Mukesh Ojha
@ 2026-05-04 18:54   ` Bjorn Andersson
  0 siblings, 0 replies; 4+ messages in thread
From: Bjorn Andersson @ 2026-05-04 18:54 UTC (permalink / raw)
  To: Mukesh Ojha
  Cc: Srinivas Kandagatla, Amol Maheshwari, Arnd Bergmann,
	Greg Kroah-Hartman, Thierry Escande, linux-arm-msm, dri-devel,
	linux-kernel

On Mon, May 04, 2026 at 10:47:01PM +0530, Mukesh Ojha wrote:
> dev_err() and dev_info() were called while holding a spinlock with
> IRQs disabled, which is incorrect as printk can be slow and should
> not be called in atomic context.
> 
> Move the dev_err() for the FASTRPC_MAX_SESSIONS check to after the
> spinlock is released, and save the return value of of_property_read_u32()
> to print dev_info() after the lock is dropped. Minor variable style
> correction in probe function.
> 

Reviewed-by: Bjorn Andersson <andersson@kernel.org>

Regards,
Bjorn

> Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
> ---
> Changes in v2:
>  - New change.
> 
>  drivers/misc/fastrpc.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c
> index a1a54453bb7e..d169dea961f0 100644
> --- a/drivers/misc/fastrpc.c
> +++ b/drivers/misc/fastrpc.c
> @@ -2197,19 +2197,22 @@ static int fastrpc_cb_probe(struct platform_device *pdev)
>  	struct device *dev = &pdev->dev;
>  	int i, sessions = 0;
>  	unsigned long flags;
> -	int rc;
>  	u32 dma_bits;
> +	u32 sid = 0;
> +	int rc;
>  
>  	cctx = dev_get_drvdata(dev->parent);
>  	if (!cctx)
>  		return -EINVAL;
>  
>  	of_property_read_u32(dev->of_node, "qcom,nsessions", &sessions);
> +	if (of_property_read_u32(dev->of_node, "reg", &sid))
> +		dev_info(dev, "FastRPC Session ID not specified in DT\n");
>  
>  	spin_lock_irqsave(&cctx->lock, flags);
>  	if (cctx->sesscount >= FASTRPC_MAX_SESSIONS) {
> -		dev_err(&pdev->dev, "too many sessions\n");
>  		spin_unlock_irqrestore(&cctx->lock, flags);
> +		dev_err(&pdev->dev, "too many sessions\n");
>  		return -ENOSPC;
>  	}
>  	dma_bits = cctx->soc_data->dma_addr_bits_default;
> @@ -2218,13 +2221,11 @@ static int fastrpc_cb_probe(struct platform_device *pdev)
>  	sess->valid = true;
>  	sess->dev = dev;
>  	dev_set_drvdata(dev, sess);
> +	sess->sid = sid;
>  
>  	if (cctx->domain_id == CDSP_DOMAIN_ID)
>  		dma_bits = cctx->soc_data->dma_addr_bits_cdsp;
>  
> -	if (of_property_read_u32(dev->of_node, "reg", &sess->sid))
> -		dev_info(dev, "FastRPC Session ID not specified in DT\n");
> -
>  	if (sessions > 0) {
>  		struct fastrpc_session_ctx *dup_sess;
>  
> -- 
> 2.53.0
> 
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-05-04 18:54 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-04 17:17 [PATCH v2 1/2] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Mukesh Ojha
2026-05-04 17:17 ` [PATCH v2 2/2] misc: fastrpc: Move prints outside spinlock in fastrpc_cb_probe Mukesh Ojha
2026-05-04 18:54   ` Bjorn Andersson
2026-05-04 18:53 ` [PATCH v2 1/2] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Bjorn Andersson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox