power: supply: bq25890: Fix race causing oops at boot
authorHans de Goede <hdegoede@redhat.com>
Sat, 30 Oct 2021 18:28:03 +0000 (20:28 +0200)
committerSebastian Reichel <sebastian.reichel@collabora.com>
Tue, 2 Nov 2021 15:48:47 +0000 (16:48 +0100)
Before this commit the driver was registering its interrupt handler before
it registered the power_supply, causing bq->charger to potentially be NULL
when the interrupt handler runs, triggering a NULL pointer exception in
the interrupt handler:

[   21.213531] BUG: kernel NULL pointer dereference, address: 0000000000000680
...
[   21.213573] Hardware name: Xiaomi Inc Mipad2/Mipad, BIOS MIPad-P4.X64.0043.R03.1603071414 03/07/2016
[   21.213576] RIP: 0010:__lock_acquire+0x5c5/0x1de0
...
[   21.213629] Call Trace:
[   21.213636]  ? disable_irq_nosync+0x10/0x10
[   21.213644]  ? __mutex_unlock_slowpath+0x35/0x260
[   21.213655]  lock_acquire+0xb5/0x2b0
[   21.213661]  ? power_supply_changed+0x23/0x90
[   21.213670]  ? disable_irq_nosync+0x10/0x10
[   21.213676]  _raw_spin_lock_irqsave+0x48/0x60
[   21.213682]  ? power_supply_changed+0x23/0x90
[   21.213687]  power_supply_changed+0x23/0x90
[   21.213697]  __bq25890_handle_irq+0x5e/0xe0 [bq25890_charger]
[   21.213709]  bq25890_irq_handler_thread+0x26/0x40 [bq25890_charger]
[   21.213718]  irq_thread_fn+0x20/0x60
...

Fix this by moving the power_supply_register() call to above the
request_threaded_irq() call.

Note this fix includes making the following 2 (necessary) changes:

1. Switch to the devm version of power_supply_register() to avoid the
need to make the error-handling in probe() more complicated.

2. Rename the "irq_fail" label to "err_unregister_usb_notifier" since
the old name no longer makes sense after this fix.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
drivers/power/supply/bq25890_charger.c

index 56815e6d5a9d03bb1160152e8429f314403e1ad9..42d82bee9727968d6f8245e3688e3d77cebcf162 100644 (file)
@@ -734,8 +734,9 @@ static int bq25890_power_supply_init(struct bq25890_device *bq)
        psy_cfg.supplied_to = bq25890_charger_supplied_to;
        psy_cfg.num_supplicants = ARRAY_SIZE(bq25890_charger_supplied_to);
 
-       bq->charger = power_supply_register(bq->dev, &bq25890_power_supply_desc,
-                                           &psy_cfg);
+       bq->charger = devm_power_supply_register(bq->dev,
+                                                &bq25890_power_supply_desc,
+                                                &psy_cfg);
 
        return PTR_ERR_OR_ZERO(bq->charger);
 }
@@ -983,22 +984,22 @@ static int bq25890_probe(struct i2c_client *client,
                usb_register_notifier(bq->usb_phy, &bq->usb_nb);
        }
 
+       ret = bq25890_power_supply_init(bq);
+       if (ret < 0) {
+               dev_err(dev, "Failed to register power supply\n");
+               goto err_unregister_usb_notifier;
+       }
+
        ret = devm_request_threaded_irq(dev, client->irq, NULL,
                                        bq25890_irq_handler_thread,
                                        IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
                                        BQ25890_IRQ_PIN, bq);
        if (ret)
-               goto irq_fail;
-
-       ret = bq25890_power_supply_init(bq);
-       if (ret < 0) {
-               dev_err_probe(dev, ret, "Failed to register power supply.\n");
-               goto irq_fail;
-       }
+               goto err_unregister_usb_notifier;
 
        return 0;
 
-irq_fail:
+err_unregister_usb_notifier:
        if (!IS_ERR_OR_NULL(bq->usb_phy))
                usb_unregister_notifier(bq->usb_phy, &bq->usb_nb);
 
@@ -1009,8 +1010,6 @@ static int bq25890_remove(struct i2c_client *client)
 {
        struct bq25890_device *bq = i2c_get_clientdata(client);
 
-       power_supply_unregister(bq->charger);
-
        if (!IS_ERR_OR_NULL(bq->usb_phy))
                usb_unregister_notifier(bq->usb_phy, &bq->usb_nb);