diff options
| author | Krzysztof Kozlowski <k.kozlowski@samsung.com> | 2015-03-12 03:44:11 -0400 |
|---|---|---|
| committer | Sebastian Reichel <sre@kernel.org> | 2015-03-13 18:15:51 -0400 |
| commit | 297d716f6260cc9421d971b124ca196b957ee458 (patch) | |
| tree | 32a666d3374d7f0653258c766252bd6a841f05ab /drivers/power/ds2760_battery.c | |
| parent | b70229bca127283c3d30e5f471d30b1acccd7096 (diff) | |
power_supply: Change ownership from driver to core
Change the ownership of power_supply structure from each driver
implementing the class to the power supply core.
The patch changes power_supply_register() function thus all drivers
implementing power supply class are adjusted.
Each driver provides the implementation of power supply. However it
should not be the owner of power supply class instance because it is
exposed by core to other subsystems with power_supply_get_by_name().
These other subsystems have no knowledge when the driver will unregister
the power supply. This leads to several issues when driver is unbound -
mostly because user of power supply accesses freed memory.
Instead let the core own the instance of struct 'power_supply'. Other
users of this power supply will still access valid memory because it
will be freed when device reference count reaches 0. Currently this
means "it will leak" but power_supply_put() call in next patches will
solve it.
This solves invalid memory references in following race condition
scenario:
Thread 1: charger manager
Thread 2: power supply driver, used by charger manager
THREAD 1 (charger manager) THREAD 2 (power supply driver)
========================== ==============================
psy = power_supply_get_by_name()
Driver unbind, .remove
power_supply_unregister()
Device fully removed
psy->get_property()
The 'get_property' call is executed in invalid context because the driver was
unbound and struct 'power_supply' memory was freed.
This could be observed easily with charger manager driver (here compiled
with max17040 fuel gauge):
$ cat /sys/devices/virtual/power_supply/cm-battery/capacity &
$ echo "1-0036" > /sys/bus/i2c/drivers/max17040/unbind
[ 55.725123] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 55.732584] pgd = d98d4000
[ 55.734060] [00000000] *pgd=5afa2831, *pte=00000000, *ppte=00000000
[ 55.740318] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM
[ 55.746210] Modules linked in:
[ 55.749259] CPU: 1 PID: 2936 Comm: cat Tainted: G W 3.19.0-rc1-next-20141226-00048-gf79f475f3c44-dirty #1496
[ 55.760190] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
[ 55.766270] task: d9b76f00 ti: daf54000 task.ti: daf54000
[ 55.771647] PC is at 0x0
[ 55.774182] LR is at charger_get_property+0x2f4/0x36c
[ 55.779201] pc : [<00000000>] lr : [<c034b0b4>] psr: 60000013
[ 55.779201] sp : daf55e90 ip : 00000003 fp : 00000000
[ 55.790657] r10: 00000000 r9 : c06e2878 r8 : d9b26c68
[ 55.795865] r7 : dad81610 r6 : daec7410 r5 : daf55ebc r4 : 00000000
[ 55.802367] r3 : 00000000 r2 : daf55ebc r1 : 0000002a r0 : d9b26c68
[ 55.808879] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 55.815994] Control: 10c5387d Table: 598d406a DAC: 00000015
[ 55.821723] Process cat (pid: 2936, stack limit = 0xdaf54210)
[ 55.827451] Stack: (0xdaf55e90 to 0xdaf56000)
[ 55.831795] 5e80: 60000013 c01459c4 0000002a c06f8ef8
[ 55.839956] 5ea0: db651000 c06f8ef8 daebac00 c04cb668 daebac08 c0346864 00000000 c01459c4
[ 55.848115] 5ec0: d99eaa80 c06f8ef8 00000fff 00001000 db651000 c027f25c c027f240 d99eaa80
[ 55.856274] 5ee0: d9a06c00 c0146218 daf55f18 00001000 d99eaa80 db4c18c0 00000001 00000001
[ 55.864468] 5f00: daf55f80 c0144c78 c0144c54 c0107f90 00015000 d99eaab0 00000000 00000000
[ 55.872603] 5f20: 000051c7 00000000 db4c18c0 c04a9370 00015000 00001000 daf55f80 00001000
[ 55.880763] 5f40: daf54000 00015000 00000000 c00e53dc db4c18c0 c00e548c 0000000d 00008124
[ 55.888937] 5f60: 00000001 00000000 00000000 db4c18c0 db4c18c0 00001000 00015000 c00e5550
[ 55.897099] 5f80: 00000000 00000000 00001000 00001000 00015000 00000003 00000003 c000f364
[ 55.905239] 5fa0: 00000000 c000f1a0 00001000 00015000 00000003 00015000 00001000 0001333c
[ 55.913399] 5fc0: 00001000 00015000 00000003 00000003 00000002 00000000 00000000 00000000
[ 55.921560] 5fe0: 7fffe000 be999850 0000a225 b6f3c19c 60000010 00000003 00000000 00000000
[ 55.929744] [<c034b0b4>] (charger_get_property) from [<c0346864>] (power_supply_show_property+0x48/0x20c)
[ 55.939286] [<c0346864>] (power_supply_show_property) from [<c027f25c>] (dev_attr_show+0x1c/0x48)
[ 55.948130] [<c027f25c>] (dev_attr_show) from [<c0146218>] (sysfs_kf_seq_show+0x84/0x104)
[ 55.956298] [<c0146218>] (sysfs_kf_seq_show) from [<c0144c78>] (kernfs_seq_show+0x24/0x28)
[ 55.964536] [<c0144c78>] (kernfs_seq_show) from [<c0107f90>] (seq_read+0x1b0/0x484)
[ 55.972172] [<c0107f90>] (seq_read) from [<c00e53dc>] (__vfs_read+0x18/0x4c)
[ 55.979188] [<c00e53dc>] (__vfs_read) from [<c00e548c>] (vfs_read+0x7c/0x100)
[ 55.986304] [<c00e548c>] (vfs_read) from [<c00e5550>] (SyS_read+0x40/0x8c)
[ 55.993164] [<c00e5550>] (SyS_read) from [<c000f1a0>] (ret_fast_syscall+0x0/0x48)
[ 56.000626] Code: bad PC value
[ 56.011652] ---[ end trace 7b64343fbdae8ef1 ]---
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Reviewed-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
[for the nvec part]
Reviewed-by: Marc Dietrich <marvin24@gmx.de>
[for compal-laptop.c]
Acked-by: Darren Hart <dvhart@linux.intel.com>
[for the mfd part]
Acked-by: Lee Jones <lee.jones@linaro.org>
[for the hid part]
Acked-by: Jiri Kosina <jkosina@suse.cz>
[for the acpi part]
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sebastian Reichel <sre@kernel.org>
Diffstat (limited to 'drivers/power/ds2760_battery.c')
| -rw-r--r-- | drivers/power/ds2760_battery.c | 56 |
1 files changed, 29 insertions, 27 deletions
diff --git a/drivers/power/ds2760_battery.c b/drivers/power/ds2760_battery.c index e82dff0bbb20..80f73ccb77ab 100644 --- a/drivers/power/ds2760_battery.c +++ b/drivers/power/ds2760_battery.c | |||
| @@ -53,7 +53,8 @@ struct ds2760_device_info { | |||
| 53 | int charge_status; /* POWER_SUPPLY_STATUS_* */ | 53 | int charge_status; /* POWER_SUPPLY_STATUS_* */ |
| 54 | 54 | ||
| 55 | int full_counter; | 55 | int full_counter; |
| 56 | struct power_supply bat; | 56 | struct power_supply *bat; |
| 57 | struct power_supply_desc bat_desc; | ||
| 57 | struct device *w1_dev; | 58 | struct device *w1_dev; |
| 58 | struct workqueue_struct *monitor_wqueue; | 59 | struct workqueue_struct *monitor_wqueue; |
| 59 | struct delayed_work monitor_work; | 60 | struct delayed_work monitor_work; |
| @@ -254,7 +255,7 @@ static void ds2760_battery_update_status(struct ds2760_device_info *di) | |||
| 254 | if (di->charge_status == POWER_SUPPLY_STATUS_UNKNOWN) | 255 | if (di->charge_status == POWER_SUPPLY_STATUS_UNKNOWN) |
| 255 | di->full_counter = 0; | 256 | di->full_counter = 0; |
| 256 | 257 | ||
| 257 | if (power_supply_am_i_supplied(&di->bat)) { | 258 | if (power_supply_am_i_supplied(di->bat)) { |
| 258 | if (di->current_uA > 10000) { | 259 | if (di->current_uA > 10000) { |
| 259 | di->charge_status = POWER_SUPPLY_STATUS_CHARGING; | 260 | di->charge_status = POWER_SUPPLY_STATUS_CHARGING; |
| 260 | di->full_counter = 0; | 261 | di->full_counter = 0; |
| @@ -287,7 +288,7 @@ static void ds2760_battery_update_status(struct ds2760_device_info *di) | |||
| 287 | } | 288 | } |
| 288 | 289 | ||
| 289 | if (di->charge_status != old_charge_status) | 290 | if (di->charge_status != old_charge_status) |
| 290 | power_supply_changed(&di->bat); | 291 | power_supply_changed(di->bat); |
| 291 | } | 292 | } |
| 292 | 293 | ||
| 293 | static void ds2760_battery_write_status(struct ds2760_device_info *di, | 294 | static void ds2760_battery_write_status(struct ds2760_device_info *di, |
| @@ -346,12 +347,9 @@ static void ds2760_battery_work(struct work_struct *work) | |||
| 346 | queue_delayed_work(di->monitor_wqueue, &di->monitor_work, interval); | 347 | queue_delayed_work(di->monitor_wqueue, &di->monitor_work, interval); |
| 347 | } | 348 | } |
| 348 | 349 | ||
| 349 | #define to_ds2760_device_info(x) container_of((x), struct ds2760_device_info, \ | ||
| 350 | bat); | ||
| 351 | |||
| 352 | static void ds2760_battery_external_power_changed(struct power_supply *psy) | 350 | static void ds2760_battery_external_power_changed(struct power_supply *psy) |
| 353 | { | 351 | { |
| 354 | struct ds2760_device_info *di = to_ds2760_device_info(psy); | 352 | struct ds2760_device_info *di = power_supply_get_drvdata(psy); |
| 355 | 353 | ||
| 356 | dev_dbg(di->dev, "%s\n", __func__); | 354 | dev_dbg(di->dev, "%s\n", __func__); |
| 357 | 355 | ||
| @@ -377,7 +375,7 @@ static void ds2760_battery_set_charged_work(struct work_struct *work) | |||
| 377 | * that error. | 375 | * that error. |
| 378 | */ | 376 | */ |
| 379 | 377 | ||
| 380 | if (!power_supply_am_i_supplied(&di->bat)) | 378 | if (!power_supply_am_i_supplied(di->bat)) |
| 381 | return; | 379 | return; |
| 382 | 380 | ||
| 383 | bias = (signed char) di->current_raw + | 381 | bias = (signed char) di->current_raw + |
| @@ -396,7 +394,7 @@ static void ds2760_battery_set_charged_work(struct work_struct *work) | |||
| 396 | 394 | ||
| 397 | static void ds2760_battery_set_charged(struct power_supply *psy) | 395 | static void ds2760_battery_set_charged(struct power_supply *psy) |
| 398 | { | 396 | { |
| 399 | struct ds2760_device_info *di = to_ds2760_device_info(psy); | 397 | struct ds2760_device_info *di = power_supply_get_drvdata(psy); |
| 400 | 398 | ||
| 401 | /* postpone the actual work by 20 secs. This is for debouncing GPIO | 399 | /* postpone the actual work by 20 secs. This is for debouncing GPIO |
| 402 | * signals and to let the current value settle. See AN4188. */ | 400 | * signals and to let the current value settle. See AN4188. */ |
| @@ -407,7 +405,7 @@ static int ds2760_battery_get_property(struct power_supply *psy, | |||
| 407 | enum power_supply_property psp, | 405 | enum power_supply_property psp, |
| 408 | union power_supply_propval *val) | 406 | union power_supply_propval *val) |
| 409 | { | 407 | { |
| 410 | struct ds2760_device_info *di = to_ds2760_device_info(psy); | 408 | struct ds2760_device_info *di = power_supply_get_drvdata(psy); |
| 411 | 409 | ||
| 412 | switch (psp) { | 410 | switch (psp) { |
| 413 | case POWER_SUPPLY_PROP_STATUS: | 411 | case POWER_SUPPLY_PROP_STATUS: |
| @@ -458,7 +456,7 @@ static int ds2760_battery_set_property(struct power_supply *psy, | |||
| 458 | enum power_supply_property psp, | 456 | enum power_supply_property psp, |
| 459 | const union power_supply_propval *val) | 457 | const union power_supply_propval *val) |
| 460 | { | 458 | { |
| 461 | struct ds2760_device_info *di = to_ds2760_device_info(psy); | 459 | struct ds2760_device_info *di = power_supply_get_drvdata(psy); |
| 462 | 460 | ||
| 463 | switch (psp) { | 461 | switch (psp) { |
| 464 | case POWER_SUPPLY_PROP_CHARGE_FULL: | 462 | case POWER_SUPPLY_PROP_CHARGE_FULL: |
| @@ -508,6 +506,7 @@ static enum power_supply_property ds2760_battery_props[] = { | |||
| 508 | 506 | ||
| 509 | static int ds2760_battery_probe(struct platform_device *pdev) | 507 | static int ds2760_battery_probe(struct platform_device *pdev) |
| 510 | { | 508 | { |
| 509 | struct power_supply_config psy_cfg = {}; | ||
| 511 | char status; | 510 | char status; |
| 512 | int retval = 0; | 511 | int retval = 0; |
| 513 | struct ds2760_device_info *di; | 512 | struct ds2760_device_info *di; |
| @@ -520,20 +519,22 @@ static int ds2760_battery_probe(struct platform_device *pdev) | |||
| 520 | 519 | ||
| 521 | platform_set_drvdata(pdev, di); | 520 | platform_set_drvdata(pdev, di); |
| 522 | 521 | ||
| 523 | di->dev = &pdev->dev; | 522 | di->dev = &pdev->dev; |
| 524 | di->w1_dev = pdev->dev.parent; | 523 | di->w1_dev = pdev->dev.parent; |
| 525 | di->bat.name = dev_name(&pdev->dev); | 524 | di->bat_desc.name = dev_name(&pdev->dev); |
| 526 | di->bat.type = POWER_SUPPLY_TYPE_BATTERY; | 525 | di->bat_desc.type = POWER_SUPPLY_TYPE_BATTERY; |
| 527 | di->bat.properties = ds2760_battery_props; | 526 | di->bat_desc.properties = ds2760_battery_props; |
| 528 | di->bat.num_properties = ARRAY_SIZE(ds2760_battery_props); | 527 | di->bat_desc.num_properties = ARRAY_SIZE(ds2760_battery_props); |
| 529 | di->bat.get_property = ds2760_battery_get_property; | 528 | di->bat_desc.get_property = ds2760_battery_get_property; |
| 530 | di->bat.set_property = ds2760_battery_set_property; | 529 | di->bat_desc.set_property = ds2760_battery_set_property; |
| 531 | di->bat.property_is_writeable = | 530 | di->bat_desc.property_is_writeable = |
| 532 | ds2760_battery_property_is_writeable; | 531 | ds2760_battery_property_is_writeable; |
| 533 | di->bat.set_charged = ds2760_battery_set_charged; | 532 | di->bat_desc.set_charged = ds2760_battery_set_charged; |
| 534 | di->bat.external_power_changed = | 533 | di->bat_desc.external_power_changed = |
| 535 | ds2760_battery_external_power_changed; | 534 | ds2760_battery_external_power_changed; |
| 536 | 535 | ||
| 536 | psy_cfg.drv_data = di; | ||
| 537 | |||
| 537 | di->charge_status = POWER_SUPPLY_STATUS_UNKNOWN; | 538 | di->charge_status = POWER_SUPPLY_STATUS_UNKNOWN; |
| 538 | 539 | ||
| 539 | /* enable sleep mode feature */ | 540 | /* enable sleep mode feature */ |
| @@ -555,9 +556,10 @@ static int ds2760_battery_probe(struct platform_device *pdev) | |||
| 555 | if (current_accum) | 556 | if (current_accum) |
| 556 | ds2760_battery_set_current_accum(di, current_accum); | 557 | ds2760_battery_set_current_accum(di, current_accum); |
| 557 | 558 | ||
| 558 | retval = power_supply_register(&pdev->dev, &di->bat, NULL); | 559 | di->bat = power_supply_register(&pdev->dev, &di->bat_desc, &psy_cfg); |
| 559 | if (retval) { | 560 | if (IS_ERR(di->bat)) { |
| 560 | dev_err(di->dev, "failed to register battery\n"); | 561 | dev_err(di->dev, "failed to register battery\n"); |
| 562 | retval = PTR_ERR(di->bat); | ||
| 561 | goto batt_failed; | 563 | goto batt_failed; |
| 562 | } | 564 | } |
| 563 | 565 | ||
| @@ -574,7 +576,7 @@ static int ds2760_battery_probe(struct platform_device *pdev) | |||
| 574 | goto success; | 576 | goto success; |
| 575 | 577 | ||
| 576 | workqueue_failed: | 578 | workqueue_failed: |
| 577 | power_supply_unregister(&di->bat); | 579 | power_supply_unregister(di->bat); |
| 578 | batt_failed: | 580 | batt_failed: |
| 579 | di_alloc_failed: | 581 | di_alloc_failed: |
| 580 | success: | 582 | success: |
| @@ -588,7 +590,7 @@ static int ds2760_battery_remove(struct platform_device *pdev) | |||
| 588 | cancel_delayed_work_sync(&di->monitor_work); | 590 | cancel_delayed_work_sync(&di->monitor_work); |
| 589 | cancel_delayed_work_sync(&di->set_charged_work); | 591 | cancel_delayed_work_sync(&di->set_charged_work); |
| 590 | destroy_workqueue(di->monitor_wqueue); | 592 | destroy_workqueue(di->monitor_wqueue); |
| 591 | power_supply_unregister(&di->bat); | 593 | power_supply_unregister(di->bat); |
| 592 | 594 | ||
| 593 | return 0; | 595 | return 0; |
| 594 | } | 596 | } |
| @@ -610,7 +612,7 @@ static int ds2760_battery_resume(struct platform_device *pdev) | |||
| 610 | struct ds2760_device_info *di = platform_get_drvdata(pdev); | 612 | struct ds2760_device_info *di = platform_get_drvdata(pdev); |
| 611 | 613 | ||
| 612 | di->charge_status = POWER_SUPPLY_STATUS_UNKNOWN; | 614 | di->charge_status = POWER_SUPPLY_STATUS_UNKNOWN; |
| 613 | power_supply_changed(&di->bat); | 615 | power_supply_changed(di->bat); |
| 614 | 616 | ||
| 615 | mod_delayed_work(di->monitor_wqueue, &di->monitor_work, HZ); | 617 | mod_delayed_work(di->monitor_wqueue, &di->monitor_work, HZ); |
| 616 | 618 | ||