
[0/2] clk: Fix a core error path and missing qcom camcc-x1e80100 enum

Message ID 20240302-linux-next-24-03-01-simple-clock-fixes-v1-0-25f348a5982b@linaro.org (mailing list archive)

Message

Bryan O'Donoghue March 2, 2024, 12:52 a.m. UTC
Using x1e80100-camcc on a recent kernel I discovered the following NULL
pointer dereference.

[    1.347567] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[    1.347569] Mem abort info:
[    1.347569]   ESR = 0x0000000096000004
[    1.347570]   EC = 0x25: DABT (current EL), IL = 32 bits
[    1.347572]   SET = 0, FnV = 0
[    1.347572]   EA = 0, S1PTW = 0
[    1.347573]   FSC = 0x04: level 0 translation fault
[    1.347574] Data abort info:
[    1.347575]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[    1.347576]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[    1.347576]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[    1.347577] [0000000000000000] user address but active_mm is swapper
[    1.347579] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[    1.347580] Modules linked in:
[    1.347583] CPU: 1 PID: 80 Comm: kworker/u49:1 Not tainted 6.8.0-rc6-next-20240228-00163-gbe6ae77b72b2 #26
[    1.347586] Hardware name: Qualcomm CRD, BIOS 6.0.230809.BOOT.MXF.2.4-00174-HAMOA-1 08/ 9/2023
[    1.347587] Workqueue: events_unbound deferred_probe_work_func
[    1.347595] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[    1.347597] pc : clk_core_get+0xe0/0x110
[    1.347601] lr : clk_core_get+0x108/0x110
[    1.347603] sp : ffff800080353940
[    1.347604] x29: ffff8000803539a0 x28: 0000000000000000 x27: ffffb0aa57c4e2e0
[    1.347607] x26: ffffb0aa57c4e240 x25: ffff4cbd0511e4c8 x24: 0000000000000000
[    1.347609] x23: ffffb0aa583c3440 x22: 0000000000000000 x21: ffff4cc07e1d2ab8
[    1.347612] x20: 0000000000000000 x19: ffff4cbd00e28ac0 x18: 0000000000000001
[    1.347614] x17: 0000000000000018 x16: 0000000000000034 x15: 0000000000000002
[    1.347616] x14: ffffb0aa58fc6498 x13: ffffb0aa58293000 x12: 696669746f6e5f6b
[    1.347619] x11: 0000000ad6d076a3 x10: ffffb0aa58c600fb x9 : 0000000000000008
[    1.347621] x8 : 0101010101010101 x7 : 00000000736c6c65 x6 : 0080f0e8e16e646c
[    1.347624] x5 : ffff800080353958 x4 : 0000000000000000 x3 : ffff4cbd00d09100
[    1.347626] x2 : 0000000000000000 x1 : ffff4cbd00d09100 x0 : 0000000000000000
[    1.347628] Call trace:
[    1.347630]  clk_core_get+0xe0/0x110
[    1.347631]  clk_core_get_parent_by_index+0xc8/0xe0
[    1.347634]  __clk_register+0x1f0/0x864
[    1.347636]  devm_clk_hw_register+0x5c/0xd4
[    1.347639]  devm_clk_register_regmap+0x44/0x84
[    1.347642]  qcom_cc_really_probe+0x1b4/0x25c
[    1.347644]  cam_cc_x1e80100_probe+0x14c/0x1c8
[    1.347646]  platform_probe+0x68/0xc8
[    1.347649]  really_probe+0x148/0x2b0
[    1.347651]  __driver_probe_device+0x78/0x12c
[    1.347654]  driver_probe_device+0x40/0x118
[    1.347656]  __device_attach_driver+0xb8/0x134
[    1.347658]  bus_for_each_drv+0x88/0xe8
[    1.347661]  __device_attach+0xa0/0x190
[    1.347664]  device_initial_probe+0x14/0x20
[    1.347666]  bus_probe_device+0xac/0xb0
[    1.347668]  deferred_probe_work_func+0x88/0xc0
[    1.347670]  process_one_work+0x148/0x29c
[    1.347675]  worker_thread+0x2fc/0x40c
[    1.347678]  kthread+0x110/0x114
[    1.347681]  ret_from_fork+0x10/0x20
[    1.347684] Code: aa1303e0 97fff96f b140041f 54fffd08 (f9400000) 
[    1.347686] ---[ end trace 0000000000000000 ]---

The first patch fixes the NULL dereference by checking hw before returning
hw->core.

The second patch addresses the cause of the NULL pointer, which is that the
DT-implied indexing is not fully captured in camcc-x1e80100.c.

Obviously the above NULL deref wouldn't occur with the second patch applied;
however, reading the description of clk_core_get(), it appears to want to
return NULL but currently cannot do so, so check for hw and return NULL
if hw is NULL instead of dereferencing hw.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
---
Bryan O'Donoghue (2):
      clk: Fix clk_core_get NULL dereference
      clk: qcom: camcc-x1e80100: Fix missing DT_IFACE enum in x1e80100 camcc

 drivers/clk/clk.c                 | 3 +++
 drivers/clk/qcom/camcc-x1e80100.c | 1 +
 2 files changed, 4 insertions(+)
---
base-commit: 1870cdc0e8dee32e3c221704a2977898ba4c10e8
change-id: 20240301-linux-next-24-03-01-simple-clock-fixes-dc7542e23d90

Best regards,

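The error path the cover letter describes, as an added example that is not code from the series or the kernel tree: a userspace model with constructed stand-ins for ERR_PTR()/IS_ERR(), a parent lookup that can return a valid pointer, an error pointer or a bare NULL, and both shapes of clk_core_get(), showing why an IS_ERR() check alone lets a NULL hw through to hw->core.

```c
/* Added example, not code from the patch series: a userspace model of the
 * clk_core_get() error path. IS_ERR() only treats the top MAX_ERRNO pointer
 * values as errors, so a bare NULL from a failed lookup passes IS_ERR() and
 * is then dereferenced. All names here are constructed stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

#define MAX_ERRNO	4095
#define ERR_PTR(err)	((void *)(intptr_t)(err))
#define IS_ERR(ptr)	((uintptr_t)(ptr) >= (uintptr_t)-MAX_ERRNO)

struct clk_core { const char *name; };
struct clk_hw   { struct clk_core *core; };

/* Constructed parent table: index 0 resolves, index 1 maps to a provider
 * slot with no registered clk (NULL), anything else fails to parse. */
static struct clk_core parent0 = { "constructed_parent_pll" };
static struct clk_hw   hw0     = { &parent0 };

static struct clk_hw *lookup_parent_hw(int p_index)
{
	switch (p_index) {
	case 0:  return &hw0;
	case 1:  return NULL;
	default: return ERR_PTR(-ENOENT);
	}
}

/* Pre-fix shape: only IS_ERR() is checked, so a NULL hw reaches hw->core. */
static struct clk_core *clk_core_get_unchecked(int p_index)
{
	struct clk_hw *hw = lookup_parent_hw(p_index);
	if (IS_ERR(hw))
		return (struct clk_core *)hw;	/* ERR_CAST(hw) */
	return hw->core;			/* oops when hw == NULL */
}

/* Post-fix shape: NULL is passed through as "no such parent". */
static struct clk_core *clk_core_get_checked(int p_index)
{
	struct clk_hw *hw = lookup_parent_hw(p_index);
	if (IS_ERR(hw))
		return (struct clk_core *)hw;
	if (!hw)
		return NULL;
	return hw->core;
}
```

Only the checked variant is safe to call with index 1; the unchecked one models the crash in the trace above.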
Comments

Bjorn Andersson March 3, 2024, 7:50 p.m. UTC | #1
On Sat, 02 Mar 2024 00:52:13 +0000, Bryan O'Donoghue wrote:
> Using x1e80100-camcc on a recent kernel I discovered the following NULL
> pointer dereference.
> [...]

Applied, thanks!

[2/2] clk: qcom: camcc-x1e80100: Fix missing DT_IFACE enum in x1e80100 camcc
      commit: 9dd7b0d351f0c6af9b69d969919a2a8b04bbfd6e

Best regards,