On 01.07.2022 13:28, Christian Marangi wrote: > On Fri, Jul 01, 2022 at 10:01:52AM +0200, Marek Szyprowski wrote: >> On 20.06.2022 00:03, Christian Marangi wrote: >>> On a devfreq PROBE_DEFER, the freq_table in the driver profile struct, >>> is never reset and may be leaved in an undefined state. >>> >>> This comes from the fact that we store the freq_table in the driver >>> profile struct that is commonly defined as static and not reset on >>> PROBE_DEFER. >>> We currently skip the reinit of the freq_table if we found >>> it's already defined since a driver may declare his own freq_table. >>> >>> This logic is flawed in the case devfreq core generate a freq_table, set >>> it in the profile struct and then PROBE_DEFER, freeing the freq_table. >>> In this case devfreq will found a NOT NULL freq_table that has been >>> freed, skip the freq_table generation and probe the driver based on the >>> wrong table. >>> >>> To fix this and correctly handle PROBE_DEFER, use a local freq_table and >>> max_state in the devfreq struct and never modify the freq_table present >>> in the profile struct if it does provide it. >>> >>> Fixes: 0ec09ac2cebe ("PM / devfreq: Set the freq_table of devfreq device") >>> Cc: stable@xxxxxxxxxxxxxxx >>> Signed-off-by: Christian Marangi <ansuelsmth@xxxxxxxxx> >>> --- >> This patch landed in linux next-20220630 as commit b5d281f6c16d ("PM / >> devfreq: Rework freq_table to be local to devfreq struct"). >> Unfortunately it causes the following regression on my Exynos based test >> systems: >> >> 8<--- cut here --- >> Unable to handle kernel NULL pointer dereference at virtual address 00000000 >> [00000000] *pgd=00000000 >> Internal error: Oops: 5 [#1] PREEMPT SMP ARM >> Modules linked in: >> CPU: 3 PID: 49 Comm: kworker/u8:3 Not tainted 5.19.0-rc4-next-20220630 #5312 >> Hardware name: Samsung Exynos (Flattened Device Tree) >> Workqueue: events_unbound deferred_probe_work_func >> PC is at exynos_bus_probe+0x604/0x684 >> LR is at device_add+0x14c/0x908 >> pc : [<c090aef4>] lr : [<c06cf77c>] psr: 80000053 >> ... >> Process kworker/u8:3 (pid: 49, stack limit = 0x(ptrval)) >> Stack: (0xf0a15d30 to 0xf0a16000) >> ... >> exynos_bus_probe from platform_probe+0x5c/0xb8 >> platform_probe from really_probe+0xe0/0x414 >> really_probe from __driver_probe_device+0xa0/0x208 >> __driver_probe_device from driver_probe_device+0x30/0xc0 >> driver_probe_device from __device_attach_driver+0xa4/0x11c >> __device_attach_driver from bus_for_each_drv+0x7c/0xc0 >> bus_for_each_drv from __device_attach+0xac/0x20c >> __device_attach from bus_probe_device+0x88/0x90 >> bus_probe_device from deferred_probe_work_func+0x98/0xe0 >> deferred_probe_work_func from process_one_work+0x288/0x774 >> process_one_work from worker_thread+0x44/0x504 >> worker_thread from kthread+0xf4/0x128 >> kthread from ret_from_fork+0x14/0x2c >> Exception stack(0xf0a15fb0 to 0xf0a15ff8) >> ... >> ---[ end trace 0000000000000000 ]--- >> >> This issue is caused by bus->devfreq->profile->freq_table being NULL here: >> >> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/drivers/devfreq/exynos-bus.c?h=next-20220630#n451 >> >> > I just checked this and the bug is caused by a simple pr_info... > > Can you test the following patch just to make sure? Yes, this fixes the issue. Thanks! Feel free to add: Reported-by: Marek Szyprowski <m.szyprowski@xxxxxxxxxxx> Tested-by: Marek Szyprowski <m.szyprowski@xxxxxxxxxxx> > diff --git a/drivers/devfreq/exynos-bus.c b/drivers/devfreq/exynos-bus.c > index b5615e667e31..79725bbb4bb0 100644 > --- a/drivers/devfreq/exynos-bus.c > +++ b/drivers/devfreq/exynos-bus.c > @@ -447,9 +447,9 @@ static int exynos_bus_probe(struct platform_device *pdev) > } > } > > - max_state = bus->devfreq->profile->max_state; > - min_freq = (bus->devfreq->profile->freq_table[0] / 1000); > - max_freq = (bus->devfreq->profile->freq_table[max_state - 1] / 1000); > + max_state = bus->devfreq->max_state; > + min_freq = (bus->devfreq->freq_table[0] / 1000); > + max_freq = (bus->devfreq->freq_table[max_state - 1] / 1000); > pr_info("exynos-bus: new bus device registered: %s (%6ld KHz ~ %6ld KHz)\n", > dev_name(dev), min_freq, max_freq); > > >>> drivers/devfreq/devfreq.c | 71 ++++++++++++++---------------- >>> drivers/devfreq/governor_passive.c | 14 +++--- >>> include/linux/devfreq.h | 5 +++ >>> 3 files changed, 46 insertions(+), 44 deletions(-) >>> >>> diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c >>> index 01474daf4548..2e2b3b414d67 100644 >>> --- a/drivers/devfreq/devfreq.c >>> +++ b/drivers/devfreq/devfreq.c >>> @@ -123,7 +123,7 @@ void devfreq_get_freq_range(struct devfreq *devfreq, >>> unsigned long *min_freq, >>> unsigned long *max_freq) >>> { >>> - unsigned long *freq_table = devfreq->profile->freq_table; >>> + unsigned long *freq_table = devfreq->freq_table; >>> s32 qos_min_freq, qos_max_freq; >>> >>> lockdep_assert_held(&devfreq->lock); >>> @@ -133,11 +133,11 @@ void devfreq_get_freq_range(struct devfreq *devfreq, >>> * The devfreq drivers can initialize this in either ascending or >>> * descending order and devfreq core supports both. >>> */ >>> - if (freq_table[0] < freq_table[devfreq->profile->max_state - 1]) { >>> + if (freq_table[0] < freq_table[devfreq->max_state - 1]) { >>> *min_freq = freq_table[0]; >>> - *max_freq = freq_table[devfreq->profile->max_state - 1]; >>> + *max_freq = freq_table[devfreq->max_state - 1]; >>> } else { >>> - *min_freq = freq_table[devfreq->profile->max_state - 1]; >>> + *min_freq = freq_table[devfreq->max_state - 1]; >>> *max_freq = freq_table[0]; >>> } >>> >>> @@ -169,8 +169,8 @@ static int devfreq_get_freq_level(struct devfreq *devfreq, unsigned long freq) >>> { >>> int lev; >>> >>> - for (lev = 0; lev < devfreq->profile->max_state; lev++) >>> - if (freq == devfreq->profile->freq_table[lev]) >>> + for (lev = 0; lev < devfreq->max_state; lev++) >>> + if (freq == devfreq->freq_table[lev]) >>> return lev; >>> >>> return -EINVAL; >>> @@ -178,7 +178,6 @@ static int devfreq_get_freq_level(struct devfreq *devfreq, unsigned long freq) >>> >>> static int set_freq_table(struct devfreq *devfreq) >>> { >>> - struct devfreq_dev_profile *profile = devfreq->profile; >>> struct dev_pm_opp *opp; >>> unsigned long freq; >>> int i, count; >>> @@ -188,25 +187,22 @@ static int set_freq_table(struct devfreq *devfreq) >>> if (count <= 0) >>> return -EINVAL; >>> >>> - profile->max_state = count; >>> - profile->freq_table = devm_kcalloc(devfreq->dev.parent, >>> - profile->max_state, >>> - sizeof(*profile->freq_table), >>> - GFP_KERNEL); >>> - if (!profile->freq_table) { >>> - profile->max_state = 0; >>> + devfreq->max_state = count; >>> + devfreq->freq_table = devm_kcalloc(devfreq->dev.parent, >>> + devfreq->max_state, >>> + sizeof(*devfreq->freq_table), >>> + GFP_KERNEL); >>> + if (!devfreq->freq_table) >>> return -ENOMEM; >>> - } >>> >>> - for (i = 0, freq = 0; i < profile->max_state; i++, freq++) { >>> + for (i = 0, freq = 0; i < devfreq->max_state; i++, freq++) { >>> opp = dev_pm_opp_find_freq_ceil(devfreq->dev.parent, &freq); >>> if (IS_ERR(opp)) { >>> - devm_kfree(devfreq->dev.parent, profile->freq_table); >>> - profile->max_state = 0; >>> + devm_kfree(devfreq->dev.parent, devfreq->freq_table); >>> return PTR_ERR(opp); >>> } >>> dev_pm_opp_put(opp); >>> - profile->freq_table[i] = freq; >>> + devfreq->freq_table[i] = freq; >>> } >>> >>> return 0; >>> @@ -246,7 +242,7 @@ int devfreq_update_status(struct devfreq *devfreq, unsigned long freq) >>> >>> if (lev != prev_lev) { >>> devfreq->stats.trans_table[ >>> - (prev_lev * devfreq->profile->max_state) + lev]++; >>> + (prev_lev * devfreq->max_state) + lev]++; >>> devfreq->stats.total_trans++; >>> } >>> >>> @@ -835,6 +831,9 @@ struct devfreq *devfreq_add_device(struct device *dev, >>> if (err < 0) >>> goto err_dev; >>> mutex_lock(&devfreq->lock); >>> + } else { >>> + devfreq->freq_table = devfreq->profile->freq_table; >>> + devfreq->max_state = devfreq->profile->max_state; >>> } >>> >>> devfreq->scaling_min_freq = find_available_min_freq(devfreq); >>> @@ -870,8 +869,8 @@ struct devfreq *devfreq_add_device(struct device *dev, >>> >>> devfreq->stats.trans_table = devm_kzalloc(&devfreq->dev, >>> array3_size(sizeof(unsigned int), >>> - devfreq->profile->max_state, >>> - devfreq->profile->max_state), >>> + devfreq->max_state, >>> + devfreq->max_state), >>> GFP_KERNEL); >>> if (!devfreq->stats.trans_table) { >>> mutex_unlock(&devfreq->lock); >>> @@ -880,7 +879,7 @@ struct devfreq *devfreq_add_device(struct device *dev, >>> } >>> >>> devfreq->stats.time_in_state = devm_kcalloc(&devfreq->dev, >>> - devfreq->profile->max_state, >>> + devfreq->max_state, >>> sizeof(*devfreq->stats.time_in_state), >>> GFP_KERNEL); >>> if (!devfreq->stats.time_in_state) { >>> @@ -1665,9 +1664,9 @@ static ssize_t available_frequencies_show(struct device *d, >>> >>> mutex_lock(&df->lock); >>> >>> - for (i = 0; i < df->profile->max_state; i++) >>> + for (i = 0; i < df->max_state; i++) >>> count += scnprintf(&buf[count], (PAGE_SIZE - count - 2), >>> - "%lu ", df->profile->freq_table[i]); >>> + "%lu ", df->freq_table[i]); >>> >>> mutex_unlock(&df->lock); >>> /* Truncate the trailing space */ >>> @@ -1690,7 +1689,7 @@ static ssize_t trans_stat_show(struct device *dev, >>> >>> if (!df->profile) >>> return -EINVAL; >>> - max_state = df->profile->max_state; >>> + max_state = df->max_state; >>> >>> if (max_state == 0) >>> return sprintf(buf, "Not Supported.\n"); >>> @@ -1707,19 +1706,17 @@ static ssize_t trans_stat_show(struct device *dev, >>> len += sprintf(buf + len, " :"); >>> for (i = 0; i < max_state; i++) >>> len += sprintf(buf + len, "%10lu", >>> - df->profile->freq_table[i]); >>> + df->freq_table[i]); >>> >>> len += sprintf(buf + len, " time(ms)\n"); >>> >>> for (i = 0; i < max_state; i++) { >>> - if (df->profile->freq_table[i] >>> - == df->previous_freq) { >>> + if (df->freq_table[i] == df->previous_freq) >>> len += sprintf(buf + len, "*"); >>> - } else { >>> + else >>> len += sprintf(buf + len, " "); >>> - } >>> - len += sprintf(buf + len, "%10lu:", >>> - df->profile->freq_table[i]); >>> + >>> + len += sprintf(buf + len, "%10lu:", df->freq_table[i]); >>> for (j = 0; j < max_state; j++) >>> len += sprintf(buf + len, "%10u", >>> df->stats.trans_table[(i * max_state) + j]); >>> @@ -1743,7 +1740,7 @@ static ssize_t trans_stat_store(struct device *dev, >>> if (!df->profile) >>> return -EINVAL; >>> >>> - if (df->profile->max_state == 0) >>> + if (df->max_state == 0) >>> return count; >>> >>> err = kstrtoint(buf, 10, &value); >>> @@ -1751,11 +1748,11 @@ static ssize_t trans_stat_store(struct device *dev, >>> return -EINVAL; >>> >>> mutex_lock(&df->lock); >>> - memset(df->stats.time_in_state, 0, (df->profile->max_state * >>> + memset(df->stats.time_in_state, 0, (df->max_state * >>> sizeof(*df->stats.time_in_state))); >>> memset(df->stats.trans_table, 0, array3_size(sizeof(unsigned int), >>> - df->profile->max_state, >>> - df->profile->max_state)); >>> + df->max_state, >>> + df->max_state)); >>> df->stats.total_trans = 0; >>> df->stats.last_update = get_jiffies_64(); >>> mutex_unlock(&df->lock); >>> diff --git a/drivers/devfreq/governor_passive.c b/drivers/devfreq/governor_passive.c >>> index 72c67979ebe1..ce24a262aa16 100644 >>> --- a/drivers/devfreq/governor_passive.c >>> +++ b/drivers/devfreq/governor_passive.c >>> @@ -131,18 +131,18 @@ static int get_target_freq_with_devfreq(struct devfreq *devfreq, >>> goto out; >>> >>> /* Use interpolation if required opps is not available */ >>> - for (i = 0; i < parent_devfreq->profile->max_state; i++) >>> - if (parent_devfreq->profile->freq_table[i] == *freq) >>> + for (i = 0; i < parent_devfreq->max_state; i++) >>> + if (parent_devfreq->freq_table[i] == *freq) >>> break; >>> >>> - if (i == parent_devfreq->profile->max_state) >>> + if (i == parent_devfreq->max_state) >>> return -EINVAL; >>> >>> - if (i < devfreq->profile->max_state) { >>> - child_freq = devfreq->profile->freq_table[i]; >>> + if (i < devfreq->max_state) { >>> + child_freq = devfreq->freq_table[i]; >>> } else { >>> - count = devfreq->profile->max_state; >>> - child_freq = devfreq->profile->freq_table[count - 1]; >>> + count = devfreq->max_state; >>> + child_freq = devfreq->freq_table[count - 1]; >>> } >>> >>> out: >>> diff --git a/include/linux/devfreq.h b/include/linux/devfreq.h >>> index dc10bee75a72..34aab4dd336c 100644 >>> --- a/include/linux/devfreq.h >>> +++ b/include/linux/devfreq.h >>> @@ -148,6 +148,8 @@ struct devfreq_stats { >>> * reevaluate operable frequencies. Devfreq users may use >>> * devfreq.nb to the corresponding register notifier call chain. >>> * @work: delayed work for load monitoring. >>> + * @freq_table: current frequency table used by the devfreq driver. >>> + * @max_state: count of entry present in the frequency table. >>> * @previous_freq: previously configured frequency value. >>> * @last_status: devfreq user device info, performance statistics >>> * @data: Private data of the governor. The devfreq framework does not >>> @@ -185,6 +187,9 @@ struct devfreq { >>> struct notifier_block nb; >>> struct delayed_work work; >>> >>> + unsigned long *freq_table; >>> + unsigned int max_state; >>> + >>> unsigned long previous_freq; >>> struct devfreq_dev_status last_status; >>> >> Best regards >> -- >> Marek Szyprowski, PhD >> Samsung R&D Institute Poland >> Best regards -- Marek Szyprowski, PhD Samsung R&D Institute Poland