From: Mukesh Ojha
To: Srinivas Kandagatla, Amol Maheshwari, Arnd Bergmann, Greg Kroah-Hartman
Cc: linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Mukesh Ojha
Subject: [PATCH] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
Date: Sat, 18 Apr 2026 01:31:46 +0530
Message-ID: <20260417200146.184425-1-mukesh.ojha@oss.qualcomm.com>

A NULL pointer dereference was observed on Hawi at boot when the DSP
sends a glink message before fastrpc_rpmsg_probe() has completed
initialization:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178
  pc : _raw_spin_lock_irqsave+0x34/0x8c
  lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
  ...
  Call trace:
   _raw_spin_lock_irqsave+0x34/0x8c (P)
   fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc]
   qcom_glink_native_rx+0x538/0x6a4
   qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]

The faulting address 0x178 corresponds to the lock variable inside
struct fastrpc_channel_ctx, confirming that cctx is NULL when
fastrpc_rpmsg_callback() attempts to take the spinlock.

There are two issues here. First, dev_set_drvdata() is called before
spin_lock_init() and idr_init(), leaving a window where the callback
can retrieve a valid cctx pointer but operate on an uninitialized
spinlock. Second, the rpmsg channel becomes live as soon as the driver
is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata()
is called at all, resulting in dev_get_drvdata() returning NULL.

Fix both issues by moving all cctx initialization ahead of
dev_set_drvdata() so the structure is fully initialized before it
becomes visible to the callback, and add a NULL check in
fastrpc_rpmsg_callback() as a guard against any remaining window.

Signed-off-by: Mukesh Ojha
---
 drivers/misc/fastrpc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 1080f9acf70a..a1a54453bb7e 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c
@@ -2431,7 +2431,6 @@ static int fastrpc_rpmsg_probe(struct rpmsg_device *r= pdev) =20 kref_init(&data->refcount); =20 - dev_set_drvdata(&rpdev->dev, data); rdev->dma_mask =3D &data->dma_mask; dma_set_mask_and_coherent(rdev, DMA_BIT_MASK(32)); INIT_LIST_HEAD(&data->users); @@ -2440,6 +2439,7 @@ static int fastrpc_rpmsg_probe(struct rpmsg_device *r= pdev) idr_init(&data->ctx_idr); data->domain_id =3D domain_id; data->rpdev =3D rpdev; + dev_set_drvdata(&rpdev->dev, data); =20 err =3D of_platform_populate(rdev->of_node, NULL, NULL, rdev); if (err) @@ -2513,6 +2513,9 @@ static int fastrpc_rpmsg_callback(struct rpmsg_device= *rpdev, void *data, if (len < sizeof(*rsp)) return -EINVAL; =20 + if (!cctx) + return -ENODEV; + ctxid =3D ((rsp->ctx & FASTRPC_CTXID_MASK) >> 4); =20 spin_lock_irqsave(&cctx->lock, flags); --=20 2.53.0
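
Review bot: In the second fastrpc_rpmsg_probe() hunk, the relocated dev_set_drvdata(&rpdev->dev, data) is a plain pointer store placed right after idr_init() and the domain_id/rpdev assignments, and nothing visible here orders those initializing stores before the pointer becomes readable from fastrpc_rpmsg_callback() on another CPU. The commit message relies on the structure being "fully initialized before it becomes visible", so it should say what provides that ordering, or the publish and the read side should use an explicit release/acquire pair. The pointer also stays published across of_platform_populate() and its "if (err)" branch, which is not shown in this hunk; please confirm that branch clears drvdata, for example with dev_set_drvdata(&rpdev->dev, NULL), before data is released, since the new !cctx check in the callback only catches NULL and not a context that is being torn down.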
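
Review bot: In the fastrpc_rpmsg_callback() hunk, the new "if (!cctx) return -ENODEV;" silently drops a DSP message in a case the commit message says does occur at boot, and the code carries no comment explaining why the drop is safe. Add a short comment above the check stating that the callback can run before probe has published drvdata and what happens to the dropped response, and consider a dev_dbg_ratelimited() on &rpdev->dev so the early message is visible when debugging. The commit message also calls this a guard against "any remaining window"; if the reordering in probe cannot close that window, it would help to state that plainly so the check is not later removed as redundant.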