diff options
| author | Krzysztof Kozlowski <k.kozlowski@samsung.com> | 2015-03-12 03:44:11 -0400 |
|---|---|---|
| committer | Sebastian Reichel <sre@kernel.org> | 2015-03-13 18:15:51 -0400 |
| commit | 297d716f6260cc9421d971b124ca196b957ee458 (patch) | |
| tree | 32a666d3374d7f0653258c766252bd6a841f05ab /drivers/power/s3c_adc_battery.c | |
| parent | b70229bca127283c3d30e5f471d30b1acccd7096 (diff) | |
power_supply: Change ownership from driver to core
Change the ownership of power_supply structure from each driver
implementing the class to the power supply core.
The patch changes power_supply_register() function thus all drivers
implementing power supply class are adjusted.
Each driver provides the implementation of power supply. However it
should not be the owner of power supply class instance because it is
exposed by core to other subsystems with power_supply_get_by_name().
These other subsystems have no knowledge when the driver will unregister
the power supply. This leads to several issues when driver is unbound -
mostly because user of power supply accesses freed memory.
Instead let the core own the instance of struct 'power_supply'. Other
users of this power supply will still access valid memory because it
will be freed when device reference count reaches 0. Currently this
means "it will leak" but power_supply_put() call in next patches will
solve it.
This solves invalid memory references in following race condition
scenario:
Thread 1: charger manager
Thread 2: power supply driver, used by charger manager
THREAD 1 (charger manager) THREAD 2 (power supply driver)
========================== ==============================
psy = power_supply_get_by_name()
Driver unbind, .remove
power_supply_unregister()
Device fully removed
psy->get_property()
The 'get_property' call is executed in invalid context because the driver was
unbound and struct 'power_supply' memory was freed.
This could be observed easily with charger manager driver (here compiled
with max17040 fuel gauge):
$ cat /sys/devices/virtual/power_supply/cm-battery/capacity &
$ echo "1-0036" > /sys/bus/i2c/drivers/max17040/unbind
[ 55.725123] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 55.732584] pgd = d98d4000
[ 55.734060] [00000000] *pgd=5afa2831, *pte=00000000, *ppte=00000000
[ 55.740318] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM
[ 55.746210] Modules linked in:
[ 55.749259] CPU: 1 PID: 2936 Comm: cat Tainted: G W 3.19.0-rc1-next-20141226-00048-gf79f475f3c44-dirty #1496
[ 55.760190] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
[ 55.766270] task: d9b76f00 ti: daf54000 task.ti: daf54000
[ 55.771647] PC is at 0x0
[ 55.774182] LR is at charger_get_property+0x2f4/0x36c
[ 55.779201] pc : [<00000000>] lr : [<c034b0b4>] psr: 60000013
[ 55.779201] sp : daf55e90 ip : 00000003 fp : 00000000
[ 55.790657] r10: 00000000 r9 : c06e2878 r8 : d9b26c68
[ 55.795865] r7 : dad81610 r6 : daec7410 r5 : daf55ebc r4 : 00000000
[ 55.802367] r3 : 00000000 r2 : daf55ebc r1 : 0000002a r0 : d9b26c68
[ 55.808879] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 55.815994] Control: 10c5387d Table: 598d406a DAC: 00000015
[ 55.821723] Process cat (pid: 2936, stack limit = 0xdaf54210)
[ 55.827451] Stack: (0xdaf55e90 to 0xdaf56000)
[ 55.831795] 5e80: 60000013 c01459c4 0000002a c06f8ef8
[ 55.839956] 5ea0: db651000 c06f8ef8 daebac00 c04cb668 daebac08 c0346864 00000000 c01459c4
[ 55.848115] 5ec0: d99eaa80 c06f8ef8 00000fff 00001000 db651000 c027f25c c027f240 d99eaa80
[ 55.856274] 5ee0: d9a06c00 c0146218 daf55f18 00001000 d99eaa80 db4c18c0 00000001 00000001
[ 55.864468] 5f00: daf55f80 c0144c78 c0144c54 c0107f90 00015000 d99eaab0 00000000 00000000
[ 55.872603] 5f20: 000051c7 00000000 db4c18c0 c04a9370 00015000 00001000 daf55f80 00001000
[ 55.880763] 5f40: daf54000 00015000 00000000 c00e53dc db4c18c0 c00e548c 0000000d 00008124
[ 55.888937] 5f60: 00000001 00000000 00000000 db4c18c0 db4c18c0 00001000 00015000 c00e5550
[ 55.897099] 5f80: 00000000 00000000 00001000 00001000 00015000 00000003 00000003 c000f364
[ 55.905239] 5fa0: 00000000 c000f1a0 00001000 00015000 00000003 00015000 00001000 0001333c
[ 55.913399] 5fc0: 00001000 00015000 00000003 00000003 00000002 00000000 00000000 00000000
[ 55.921560] 5fe0: 7fffe000 be999850 0000a225 b6f3c19c 60000010 00000003 00000000 00000000
[ 55.929744] [<c034b0b4>] (charger_get_property) from [<c0346864>] (power_supply_show_property+0x48/0x20c)
[ 55.939286] [<c0346864>] (power_supply_show_property) from [<c027f25c>] (dev_attr_show+0x1c/0x48)
[ 55.948130] [<c027f25c>] (dev_attr_show) from [<c0146218>] (sysfs_kf_seq_show+0x84/0x104)
[ 55.956298] [<c0146218>] (sysfs_kf_seq_show) from [<c0144c78>] (kernfs_seq_show+0x24/0x28)
[ 55.964536] [<c0144c78>] (kernfs_seq_show) from [<c0107f90>] (seq_read+0x1b0/0x484)
[ 55.972172] [<c0107f90>] (seq_read) from [<c00e53dc>] (__vfs_read+0x18/0x4c)
[ 55.979188] [<c00e53dc>] (__vfs_read) from [<c00e548c>] (vfs_read+0x7c/0x100)
[ 55.986304] [<c00e548c>] (vfs_read) from [<c00e5550>] (SyS_read+0x40/0x8c)
[ 55.993164] [<c00e5550>] (SyS_read) from [<c000f1a0>] (ret_fast_syscall+0x0/0x48)
[ 56.000626] Code: bad PC value
[ 56.011652] ---[ end trace 7b64343fbdae8ef1 ]---
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Reviewed-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
[for the nvec part]
Reviewed-by: Marc Dietrich <marvin24@gmx.de>
[for compal-laptop.c]
Acked-by: Darren Hart <dvhart@linux.intel.com>
[for the mfd part]
Acked-by: Lee Jones <lee.jones@linaro.org>
[for the hid part]
Acked-by: Jiri Kosina <jkosina@suse.cz>
[for the acpi part]
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sebastian Reichel <sre@kernel.org>
Diffstat (limited to 'drivers/power/s3c_adc_battery.c')
| -rw-r--r-- | drivers/power/s3c_adc_battery.c | 77 |
1 files changed, 43 insertions, 34 deletions
diff --git a/drivers/power/s3c_adc_battery.c b/drivers/power/s3c_adc_battery.c index b6ff213373dd..0ffe5cd3abf6 100644 --- a/drivers/power/s3c_adc_battery.c +++ b/drivers/power/s3c_adc_battery.c | |||
| @@ -28,7 +28,7 @@ | |||
| 28 | #define JITTER_DELAY 500 /* ms */ | 28 | #define JITTER_DELAY 500 /* ms */ |
| 29 | 29 | ||
| 30 | struct s3c_adc_bat { | 30 | struct s3c_adc_bat { |
| 31 | struct power_supply psy; | 31 | struct power_supply *psy; |
| 32 | struct s3c_adc_client *client; | 32 | struct s3c_adc_client *client; |
| 33 | struct s3c_adc_bat_pdata *pdata; | 33 | struct s3c_adc_bat_pdata *pdata; |
| 34 | int volt_value; | 34 | int volt_value; |
| @@ -73,10 +73,10 @@ static int s3c_adc_backup_bat_get_property(struct power_supply *psy, | |||
| 73 | enum power_supply_property psp, | 73 | enum power_supply_property psp, |
| 74 | union power_supply_propval *val) | 74 | union power_supply_propval *val) |
| 75 | { | 75 | { |
| 76 | struct s3c_adc_bat *bat = container_of(psy, struct s3c_adc_bat, psy); | 76 | struct s3c_adc_bat *bat = power_supply_get_drvdata(psy); |
| 77 | 77 | ||
| 78 | if (!bat) { | 78 | if (!bat) { |
| 79 | dev_err(psy->dev, "%s: no battery infos ?!\n", __func__); | 79 | dev_err(&psy->dev, "%s: no battery infos ?!\n", __func__); |
| 80 | return -EINVAL; | 80 | return -EINVAL; |
| 81 | } | 81 | } |
| 82 | 82 | ||
| @@ -105,17 +105,17 @@ static int s3c_adc_backup_bat_get_property(struct power_supply *psy, | |||
| 105 | } | 105 | } |
| 106 | } | 106 | } |
| 107 | 107 | ||
| 108 | static struct s3c_adc_bat backup_bat = { | 108 | static const struct power_supply_desc backup_bat_desc = { |
| 109 | .psy = { | 109 | .name = "backup-battery", |
| 110 | .name = "backup-battery", | 110 | .type = POWER_SUPPLY_TYPE_BATTERY, |
| 111 | .type = POWER_SUPPLY_TYPE_BATTERY, | 111 | .properties = s3c_adc_backup_bat_props, |
| 112 | .properties = s3c_adc_backup_bat_props, | 112 | .num_properties = ARRAY_SIZE(s3c_adc_backup_bat_props), |
| 113 | .num_properties = ARRAY_SIZE(s3c_adc_backup_bat_props), | 113 | .get_property = s3c_adc_backup_bat_get_property, |
| 114 | .get_property = s3c_adc_backup_bat_get_property, | 114 | .use_for_apm = 1, |
| 115 | .use_for_apm = 1, | ||
| 116 | }, | ||
| 117 | }; | 115 | }; |
| 118 | 116 | ||
| 117 | static struct s3c_adc_bat backup_bat; | ||
| 118 | |||
| 119 | static enum power_supply_property s3c_adc_main_bat_props[] = { | 119 | static enum power_supply_property s3c_adc_main_bat_props[] = { |
| 120 | POWER_SUPPLY_PROP_STATUS, | 120 | POWER_SUPPLY_PROP_STATUS, |
| 121 | POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN, | 121 | POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN, |
| @@ -141,7 +141,7 @@ static int s3c_adc_bat_get_property(struct power_supply *psy, | |||
| 141 | enum power_supply_property psp, | 141 | enum power_supply_property psp, |
| 142 | union power_supply_propval *val) | 142 | union power_supply_propval *val) |
| 143 | { | 143 | { |
| 144 | struct s3c_adc_bat *bat = container_of(psy, struct s3c_adc_bat, psy); | 144 | struct s3c_adc_bat *bat = power_supply_get_drvdata(psy); |
| 145 | 145 | ||
| 146 | int new_level; | 146 | int new_level; |
| 147 | int full_volt; | 147 | int full_volt; |
| @@ -149,7 +149,7 @@ static int s3c_adc_bat_get_property(struct power_supply *psy, | |||
| 149 | unsigned int lut_size; | 149 | unsigned int lut_size; |
| 150 | 150 | ||
| 151 | if (!bat) { | 151 | if (!bat) { |
| 152 | dev_err(psy->dev, "no battery infos ?!\n"); | 152 | dev_err(&psy->dev, "no battery infos ?!\n"); |
| 153 | return -EINVAL; | 153 | return -EINVAL; |
| 154 | } | 154 | } |
| 155 | 155 | ||
| @@ -232,18 +232,18 @@ static int s3c_adc_bat_get_property(struct power_supply *psy, | |||
| 232 | } | 232 | } |
| 233 | } | 233 | } |
| 234 | 234 | ||
| 235 | static struct s3c_adc_bat main_bat = { | 235 | static const struct power_supply_desc main_bat_desc = { |
| 236 | .psy = { | 236 | .name = "main-battery", |
| 237 | .name = "main-battery", | 237 | .type = POWER_SUPPLY_TYPE_BATTERY, |
| 238 | .type = POWER_SUPPLY_TYPE_BATTERY, | 238 | .properties = s3c_adc_main_bat_props, |
| 239 | .properties = s3c_adc_main_bat_props, | 239 | .num_properties = ARRAY_SIZE(s3c_adc_main_bat_props), |
| 240 | .num_properties = ARRAY_SIZE(s3c_adc_main_bat_props), | 240 | .get_property = s3c_adc_bat_get_property, |
| 241 | .get_property = s3c_adc_bat_get_property, | 241 | .external_power_changed = s3c_adc_bat_ext_power_changed, |
| 242 | .external_power_changed = s3c_adc_bat_ext_power_changed, | 242 | .use_for_apm = 1, |
| 243 | .use_for_apm = 1, | ||
| 244 | }, | ||
| 245 | }; | 243 | }; |
| 246 | 244 | ||
| 245 | static struct s3c_adc_bat main_bat; | ||
| 246 | |||
| 247 | static void s3c_adc_bat_work(struct work_struct *work) | 247 | static void s3c_adc_bat_work(struct work_struct *work) |
| 248 | { | 248 | { |
| 249 | struct s3c_adc_bat *bat = &main_bat; | 249 | struct s3c_adc_bat *bat = &main_bat; |
| @@ -251,7 +251,7 @@ static void s3c_adc_bat_work(struct work_struct *work) | |||
| 251 | int is_plugged; | 251 | int is_plugged; |
| 252 | static int was_plugged; | 252 | static int was_plugged; |
| 253 | 253 | ||
| 254 | is_plugged = power_supply_am_i_supplied(&bat->psy); | 254 | is_plugged = power_supply_am_i_supplied(bat->psy); |
| 255 | bat->cable_plugged = is_plugged; | 255 | bat->cable_plugged = is_plugged; |
| 256 | if (is_plugged != was_plugged) { | 256 | if (is_plugged != was_plugged) { |
| 257 | was_plugged = is_plugged; | 257 | was_plugged = is_plugged; |
| @@ -279,7 +279,7 @@ static void s3c_adc_bat_work(struct work_struct *work) | |||
| 279 | } | 279 | } |
| 280 | } | 280 | } |
| 281 | 281 | ||
| 282 | power_supply_changed(&bat->psy); | 282 | power_supply_changed(bat->psy); |
| 283 | } | 283 | } |
| 284 | 284 | ||
| 285 | static irqreturn_t s3c_adc_bat_charged(int irq, void *dev_id) | 285 | static irqreturn_t s3c_adc_bat_charged(int irq, void *dev_id) |
| @@ -310,16 +310,25 @@ static int s3c_adc_bat_probe(struct platform_device *pdev) | |||
| 310 | main_bat.cable_plugged = 0; | 310 | main_bat.cable_plugged = 0; |
| 311 | main_bat.status = POWER_SUPPLY_STATUS_DISCHARGING; | 311 | main_bat.status = POWER_SUPPLY_STATUS_DISCHARGING; |
| 312 | 312 | ||
| 313 | ret = power_supply_register(&pdev->dev, &main_bat.psy, NULL); | 313 | main_bat.psy = power_supply_register(&pdev->dev, &main_bat_desc, NULL); |
| 314 | if (ret) | 314 | if (IS_ERR(main_bat.psy)) { |
| 315 | ret = PTR_ERR(main_bat.psy); | ||
| 315 | goto err_reg_main; | 316 | goto err_reg_main; |
| 317 | } | ||
| 316 | if (pdata->backup_volt_mult) { | 318 | if (pdata->backup_volt_mult) { |
| 319 | const struct power_supply_config psy_cfg | ||
| 320 | = { .drv_data = &backup_bat, }; | ||
| 321 | |||
| 317 | backup_bat.client = client; | 322 | backup_bat.client = client; |
| 318 | backup_bat.pdata = pdev->dev.platform_data; | 323 | backup_bat.pdata = pdev->dev.platform_data; |
| 319 | backup_bat.volt_value = -1; | 324 | backup_bat.volt_value = -1; |
| 320 | ret = power_supply_register(&pdev->dev, &backup_bat.psy, NULL); | 325 | backup_bat.psy = power_supply_register(&pdev->dev, |
| 321 | if (ret) | 326 | &backup_bat_desc, |
| 327 | &psy_cfg); | ||
| 328 | if (IS_ERR(backup_bat.psy)) { | ||
| 329 | ret = PTR_ERR(backup_bat.psy); | ||
| 322 | goto err_reg_backup; | 330 | goto err_reg_backup; |
| 331 | } | ||
| 323 | } | 332 | } |
| 324 | 333 | ||
| 325 | INIT_DELAYED_WORK(&bat_work, s3c_adc_bat_work); | 334 | INIT_DELAYED_WORK(&bat_work, s3c_adc_bat_work); |
| @@ -360,9 +369,9 @@ err_irq: | |||
| 360 | gpio_free(pdata->gpio_charge_finished); | 369 | gpio_free(pdata->gpio_charge_finished); |
| 361 | err_gpio: | 370 | err_gpio: |
| 362 | if (pdata->backup_volt_mult) | 371 | if (pdata->backup_volt_mult) |
| 363 | power_supply_unregister(&backup_bat.psy); | 372 | power_supply_unregister(backup_bat.psy); |
| 364 | err_reg_backup: | 373 | err_reg_backup: |
| 365 | power_supply_unregister(&main_bat.psy); | 374 | power_supply_unregister(main_bat.psy); |
| 366 | err_reg_main: | 375 | err_reg_main: |
| 367 | return ret; | 376 | return ret; |
| 368 | } | 377 | } |
| @@ -372,9 +381,9 @@ static int s3c_adc_bat_remove(struct platform_device *pdev) | |||
| 372 | struct s3c_adc_client *client = platform_get_drvdata(pdev); | 381 | struct s3c_adc_client *client = platform_get_drvdata(pdev); |
| 373 | struct s3c_adc_bat_pdata *pdata = pdev->dev.platform_data; | 382 | struct s3c_adc_bat_pdata *pdata = pdev->dev.platform_data; |
| 374 | 383 | ||
| 375 | power_supply_unregister(&main_bat.psy); | 384 | power_supply_unregister(main_bat.psy); |
| 376 | if (pdata->backup_volt_mult) | 385 | if (pdata->backup_volt_mult) |
| 377 | power_supply_unregister(&backup_bat.psy); | 386 | power_supply_unregister(backup_bat.psy); |
| 378 | 387 | ||
| 379 | s3c_adc_release(client); | 388 | s3c_adc_release(client); |
| 380 | 389 | ||