Commit aa62351a authored by Sudeep Holla's avatar Sudeep Holla Committed by Kleber Sacilotto de Souza

power: vexpress: fix corruption in notifier registration

BugLink: https://bugs.launchpad.net/bugs/1798770

[ Upstream commit 09bebb1a ]

Vexpress platforms provide two different restart handlers: SYS_REBOOT
that restart the entire system, while DB_RESET only restarts the
daughter board containing the CPU. DB_RESET is overridden by SYS_REBOOT
if it exists.

notifier_chain_register used in register_restart_handler by design
relies on notifiers to be registered once only, however vexpress restart
notifier can get registered twice. When this happen it corrupts list
of notifiers, as result some notifiers can be not called on proper
event, traverse on list can be cycled forever, and second unregister
can access already freed memory.

So far, since this was the only restart handler in the system, no issue
was observed even if the same notifier was registered twice. However
commit 6c5c0d48 ("watchdog: sp805: add restart handler") added
support for SP805 restart handlers and since the system under test
contains two vexpress restart and two SP805 watchdog instances, it was
observed that during the boot traversing the restart handler list looped
forever as there's a cycle in that list resulting in boot hang.

This patch fixes the issues by ensuring that the notifier is installed
only once.

Cc: Sebastian Reichel <sre@kernel.org>
Signed-off-by: default avatarSudeep Holla <sudeep.holla@arm.com>
Fixes: 46c99ac6 ("power/reset: vexpress: Register with kernel restart handler")
Signed-off-by: default avatarSebastian Reichel <sebastian.reichel@collabora.co.uk>
Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
parent 5588d6a6
...@@ -35,6 +35,7 @@ static void vexpress_reset_do(struct device *dev, const char *what) ...@@ -35,6 +35,7 @@ static void vexpress_reset_do(struct device *dev, const char *what)
} }
static struct device *vexpress_power_off_device; static struct device *vexpress_power_off_device;
static atomic_t vexpress_restart_nb_refcnt = ATOMIC_INIT(0);
static void vexpress_power_off(void) static void vexpress_power_off(void)
{ {
...@@ -99,11 +100,14 @@ static int _vexpress_register_restart_handler(struct device *dev) ...@@ -99,11 +100,14 @@ static int _vexpress_register_restart_handler(struct device *dev)
int err; int err;
vexpress_restart_device = dev; vexpress_restart_device = dev;
if (atomic_inc_return(&vexpress_restart_nb_refcnt) == 1) {
err = register_restart_handler(&vexpress_restart_nb); err = register_restart_handler(&vexpress_restart_nb);
if (err) { if (err) {
dev_err(dev, "cannot register restart handler (err=%d)\n", err); dev_err(dev, "cannot register restart handler (err=%d)\n", err);
atomic_dec(&vexpress_restart_nb_refcnt);
return err; return err;
} }
}
device_create_file(dev, &dev_attr_active); device_create_file(dev, &dev_attr_active);
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment