soc: qcom: pd-mapper: Fix singleton refcount

quic-bjorande · andersson · commit c158ceb82606 · 2024-08-21T09:50:48.000-05:00
The Qualcomm pd-mapper is a refcounted singleton, but the refcount is never incremented, which means the as soon as any remoteproc instance stops the count will hit 0. At this point the pd-mapper QMI service is stopped, leaving firmware without access to the PD information. Stopping any other remoteproc instances will result in a use-after-free, which best case manifest itself as a refcount underflow: refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 354 at lib/refcount.c:87 refcount_dec_and_mutex_lock+0xc4/0x148 ... Call trace: refcount_dec_and_mutex_lock+0xc4/0x148 qcom_pdm_remove+0x40/0x118 [qcom_pd_mapper] ... Fix this by incrementing the refcount, so that the pd-mapper is only torn down when the last remoteproc stops, as intended. Fixes: 1ebcde0 ("soc: qcom: add pd-mapper implementation") Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> Link: https://lore.kernel.org/r/20240820-pd-mapper-refcount-fix-v1-1-03ea65c0309b@quicinc.com Signed-off-by: Bjorn Andersson <andersson@kernel.org>
diff --git a/drivers/soc/qcom/qcom_pd_mapper.c b/drivers/soc/qcom/qcom_pd_mapper.c
@@ -635,6 +635,8 @@ static int qcom_pdm_probe(struct auxiliary_device *auxdev,
 			ret = PTR_ERR(data);
 		else
 			__qcom_pdm_data = data;
+	} else {
+		refcount_inc(&__qcom_pdm_data->refcnt);
 	}
 
 	auxiliary_set_drvdata(auxdev, __qcom_pdm_data);

Original file line number	Diff line number	Diff line change
`@@ -635,6 +635,8 @@ static int qcom_pdm_probe(struct auxiliary_device *auxdev,`
`635`	`635`	`ret = PTR_ERR(data);`
`636`	`636`	`else`
`637`	`637`	`__qcom_pdm_data = data;`
	`638`	`+ } else {`
	`639`	`+ refcount_inc(&__qcom_pdm_data->refcnt);`
`638`	`640`	`}`
`639`	`641`
`640`	`642`	`auxiliary_set_drvdata(auxdev, __qcom_pdm_data);`