Message ID | 20240416-qc-pmic-typec-hpd-split-v3-1-fd071e3191a1@linaro.org |
---|---|
State | Accepted |
Commit | 718b36a7b49acbba36546371db2d235271ceb06c |
Headers | show |
Series | [v3] usb: typec: qcom-pmic-typec: split HPD bridge alloc and registration | expand |
On Tue, Apr 16, 2024 at 05:18:56AM +0300, Dmitry Baryshkov wrote: > If a probe function returns -EPROBE_DEFER after creating another device > there is a change of ending up in a probe deferral loop, (see commit > fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER"). In case > of the qcom-pmic-typec driver the tcpm_register_port() function looks up > external resources (USB role switch and inherently via called > typec_register_port() USB-C muxes, switches and retimers). > > In order to prevent such probe-defer loops caused by qcom-pmic-typec > driver, use the API added by Johan Hovold and move HPD bridge > registration to the end of the probe function. > > The devm_drm_dp_hpd_bridge_add() is called at the end of the probe > function after all TCPM start functions. This is done as a way to > overcome a different problem, the DRM subsystem can not properly cope > with the DRM bridges being destroyed once the bridge is attached. Having > this function call at the end of the probe function prevents possible > DRM bridge device creation followed by destruction in case one of the > TCPM start functions returns an error. You're still not explaining why it is ok to move registration of the bridge to after starting the port and pdphy. Perhaps it's obvious to you but it should still go in the commit message as such a change is potentially something that could end up causing trouble (e.g. enabling interrupts before all resources have been setup and registered). As I've mentioned before, I'm also sceptical to papering over the DRM issue in each and every driver registering a bridge. These late error paths would normally not be taken, unlike the earlier ones which can be triggered by probe deferrals and which we have to fix also for the probe deferral loops. > @@ -92,7 +92,7 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev) > if (!tcpm->tcpc.fwnode) > return -EINVAL; > > - bridge_dev = drm_dp_hpd_bridge_register(tcpm->dev, to_of_node(tcpm->tcpc.fwnode)); > + bridge_dev = devm_drm_dp_hpd_bridge_alloc(tcpm->dev, to_of_node(tcpm->tcpc.fwnode)); > if (IS_ERR(bridge_dev)) > return PTR_ERR(bridge_dev); > > @@ -110,6 +110,10 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev) > if (ret) > goto fwnode_remove; > > + ret = devm_drm_dp_hpd_bridge_add(tcpm->dev, bridge_dev); > + if (ret) > + goto fwnode_remove; This is leaking resources and can lead to a use-after-free. When looking at the driver, I noticed that the existing error handling is already broken so I just sent a fix here: https://lore.kernel.org/lkml/20240418145730.4605-1-johan+linaro@kernel.org/ You should rebase on that series and not introduce further issues with the new bridge-add error path. > + > return 0; > > fwnode_remove: Johan
diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c index e48412cdcb0f..96b41efae318 100644 --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec.c @@ -41,7 +41,7 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev) struct device_node *np = dev->of_node; const struct pmic_typec_resources *res; struct regmap *regmap; - struct device *bridge_dev; + struct auxiliary_device *bridge_dev; u32 base; int ret; @@ -92,7 +92,7 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev) if (!tcpm->tcpc.fwnode) return -EINVAL; - bridge_dev = drm_dp_hpd_bridge_register(tcpm->dev, to_of_node(tcpm->tcpc.fwnode)); + bridge_dev = devm_drm_dp_hpd_bridge_alloc(tcpm->dev, to_of_node(tcpm->tcpc.fwnode)); if (IS_ERR(bridge_dev)) return PTR_ERR(bridge_dev); @@ -110,6 +110,10 @@ static int qcom_pmic_typec_probe(struct platform_device *pdev) if (ret) goto fwnode_remove; + ret = devm_drm_dp_hpd_bridge_add(tcpm->dev, bridge_dev); + if (ret) + goto fwnode_remove; + return 0; fwnode_remove: