[PATCH v2] sound/hda: Add NULL check to component match callback function

[PATCH v2] sound/hda: Add NULL check to component match callback function

[Won Chung]

Component match callback function needs to check if expected data is
passed to it. Without this check, it can cause a NULL pointer
dereference when another driver registers a component before i915
drivers have their component master fully bind.

Fixes: 7b882fe3e3e8b ("ALSA: hda - handle multiple i915 device instances")
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Won Chung <wonchung@google.com>
---
- Add "Fixes" tag
- Send to stable@vger.kernel.org

 sound/hda/hdac_i915.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/hda/hdac_i915.c b/sound/hda/hdac_i915.c
index efe810af28c5..958b0975fa40 100644
--- a/sound/hda/hdac_i915.c
+++ b/sound/hda/hdac_i915.c
@@ -102,13 +102,13 @@ static int i915_component_master_match(struct device *dev, int subcomponent,
 	struct pci_dev *hdac_pci, *i915_pci;
 	struct hdac_bus *bus = data;
 
-	if (!dev_is_pci(dev))
+	if (!dev_is_pci(dev) || !bus)
 		return 0;
 
 	hdac_pci = to_pci_dev(bus->dev);
 	i915_pci = to_pci_dev(dev);
 
-	if (!strcmp(dev->driver->name, "i915") &&
+	if (dev->driver && !strcmp(dev->driver->name, "i915") &&
 	    subcomponent == I915_COMPONENT_AUDIO &&
 	    connectivity_check(i915_pci, hdac_pci))
 		return 1;
-- 
2.35.1.1021.g381101b075-goog

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Takashi Iwai]

On Wed, 30 Mar 2022 23:19:13 +0200,
Won Chung wrote:
> 
> Component match callback function needs to check if expected data is
> passed to it. Without this check, it can cause a NULL pointer
> dereference when another driver registers a component before i915
> drivers have their component master fully bind.
> 
> Fixes: 7b882fe3e3e8b ("ALSA: hda - handle multiple i915 device instances")
> Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
> Signed-off-by: Won Chung <wonchung@google.com>
> ---
> - Add "Fixes" tag
> - Send to stable@vger.kernel.org

You rather need to add "Cc: stable@vger.kernel.org" line to the patch
itself (around sign-off block), not actually Cc'ing the mail.
I edited manually, but please do it so at the next time.

Although I applied the patch as-is now, I wonder...


> -	if (!strcmp(dev->driver->name, "i915") &&
> +	if (dev->driver && !strcmp(dev->driver->name, "i915") &&

Can NULL dev->driver be really seen?  I thought the components are
added by the drivers, hence they ought to have the driver field set.
But there can be corner cases I overlooked.


thanks,

Takashi

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Won Chung]

On Thu, Mar 31, 2022 at 12:27 AM Takashi Iwai <tiwai@suse.de> wrote:
>
> On Wed, 30 Mar 2022 23:19:13 +0200,
> Won Chung wrote:
> >
> > Component match callback function needs to check if expected data is
> > passed to it. Without this check, it can cause a NULL pointer
> > dereference when another driver registers a component before i915
> > drivers have their component master fully bind.
> >
> > Fixes: 7b882fe3e3e8b ("ALSA: hda - handle multiple i915 device instances")
> > Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
> > Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
> > Signed-off-by: Won Chung <wonchung@google.com>
> > ---
> > - Add "Fixes" tag
> > - Send to stable@vger.kernel.org
>
> You rather need to add "Cc: stable@vger.kernel.org" line to the patch
> itself (around sign-off block), not actually Cc'ing the mail.
> I edited manually, but please do it so at the next time.
>
> Although I applied the patch as-is now, I wonder...
>
>
> > -     if (!strcmp(dev->driver->name, "i915") &&
> > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
>
> Can NULL dev->driver be really seen?  I thought the components are
> added by the drivers, hence they ought to have the driver field set.
> But there can be corner cases I overlooked.
>
>
> thanks,
>
> Takashi

Hi Takashi,

When I try using component_add in a different driver (usb4 in my
case), I think dev->driver here is NULL because the i915 drivers do
not have their component master fully bound when this new component is
registered. When I test it, it seems to be causing a crash.

Would it be okay for me to resend a new patch with the flags
corrected? I have mistakenly added Heikki and Mika as "Signed-off-by"
instead of "Suggested-by". I am sorry for that.

Thanks,
Won

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Takashi Iwai]

On Thu, 31 Mar 2022 10:38:34 +0200,
Won Chung wrote:
> 
> On Thu, Mar 31, 2022 at 12:27 AM Takashi Iwai <tiwai@suse.de> wrote:
> >
> > On Wed, 30 Mar 2022 23:19:13 +0200,
> > Won Chung wrote:
> > >
> > > Component match callback function needs to check if expected data is
> > > passed to it. Without this check, it can cause a NULL pointer
> > > dereference when another driver registers a component before i915
> > > drivers have their component master fully bind.
> > >
> > > Fixes: 7b882fe3e3e8b ("ALSA: hda - handle multiple i915 device instances")
> > > Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
> > > Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
> > > Signed-off-by: Won Chung <wonchung@google.com>
> > > ---
> > > - Add "Fixes" tag
> > > - Send to stable@vger.kernel.org
> >
> > You rather need to add "Cc: stable@vger.kernel.org" line to the patch
> > itself (around sign-off block), not actually Cc'ing the mail.
> > I edited manually, but please do it so at the next time.
> >
> > Although I applied the patch as-is now, I wonder...
> >
> >
> > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> >
> > Can NULL dev->driver be really seen?  I thought the components are
> > added by the drivers, hence they ought to have the driver field set.
> > But there can be corner cases I overlooked.
> >
> >
> > thanks,
> >
> > Takashi
> 
> Hi Takashi,
> 
> When I try using component_add in a different driver (usb4 in my
> case), I think dev->driver here is NULL because the i915 drivers do
> not have their component master fully bound when this new component is
> registered. When I test it, it seems to be causing a crash.

Hm, from where component_add*() is called?  Basically dev->driver must
be already set before the corresponding driver gets bound at
__driver_probe_deviec().  So, if the device is added to component from
the corresponding driver's probe, dev->driver must be non-NULL.

> Would it be okay for me to resend a new patch with the flags
> corrected? I have mistakenly added Heikki and Mika as "Signed-off-by"
> instead of "Suggested-by". I am sorry for that.

Ah that's bad.  I'll reset the branch, then.  Please resubmit
properly.


thanks,

Takashi

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Heikki Krogerus]

On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > >
> > > Can NULL dev->driver be really seen?  I thought the components are
> > > added by the drivers, hence they ought to have the driver field set.
> > > But there can be corner cases I overlooked.
> > >
> > >
> > > thanks,
> > >
> > > Takashi
> > 
> > Hi Takashi,
> > 
> > When I try using component_add in a different driver (usb4 in my
> > case), I think dev->driver here is NULL because the i915 drivers do
> > not have their component master fully bound when this new component is
> > registered. When I test it, it seems to be causing a crash.
> 
> Hm, from where component_add*() is called?  Basically dev->driver must
> be already set before the corresponding driver gets bound at
> __driver_probe_deviec().  So, if the device is added to component from
> the corresponding driver's probe, dev->driver must be non-NULL.

The code that declares a device as component does not have to be the
driver of that device.

In our case the components are USB ports, and they are devices that
are actually never bind to any drivers: drivers/usb/core/port.c

thanks,

-- 
heikki

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Takashi Iwai]

On Thu, 31 Mar 2022 11:25:43 +0200,
Heikki Krogerus wrote:
> 
> On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > >
> > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > added by the drivers, hence they ought to have the driver field set.
> > > > But there can be corner cases I overlooked.
> > > >
> > > >
> > > > thanks,
> > > >
> > > > Takashi
> > > 
> > > Hi Takashi,
> > > 
> > > When I try using component_add in a different driver (usb4 in my
> > > case), I think dev->driver here is NULL because the i915 drivers do
> > > not have their component master fully bound when this new component is
> > > registered. When I test it, it seems to be causing a crash.
> > 
> > Hm, from where component_add*() is called?  Basically dev->driver must
> > be already set before the corresponding driver gets bound at
> > __driver_probe_deviec().  So, if the device is added to component from
> > the corresponding driver's probe, dev->driver must be non-NULL.
> 
> The code that declares a device as component does not have to be the
> driver of that device.
> 
> In our case the components are USB ports, and they are devices that
> are actually never bind to any drivers: drivers/usb/core/port.c

OK, that's what I wanted to know.  It'd be helpful if it's more
clearly mentioned in the commit log.


BTW, the same problem must be seen in MEI drivers, too.


Takashi

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Heikki Krogerus]

On Thu, Mar 31, 2022 at 11:28:20AM +0200, Takashi Iwai wrote:
> On Thu, 31 Mar 2022 11:25:43 +0200,
> Heikki Krogerus wrote:
> > 
> > On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > > >
> > > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > > added by the drivers, hence they ought to have the driver field set.
> > > > > But there can be corner cases I overlooked.
> > > > >
> > > > >
> > > > > thanks,
> > > > >
> > > > > Takashi
> > > > 
> > > > Hi Takashi,
> > > > 
> > > > When I try using component_add in a different driver (usb4 in my
> > > > case), I think dev->driver here is NULL because the i915 drivers do
> > > > not have their component master fully bound when this new component is
> > > > registered. When I test it, it seems to be causing a crash.
> > > 
> > > Hm, from where component_add*() is called?  Basically dev->driver must
> > > be already set before the corresponding driver gets bound at
> > > __driver_probe_deviec().  So, if the device is added to component from
> > > the corresponding driver's probe, dev->driver must be non-NULL.
> > 
> > The code that declares a device as component does not have to be the
> > driver of that device.
> > 
> > In our case the components are USB ports, and they are devices that
> > are actually never bind to any drivers: drivers/usb/core/port.c
> 
> OK, that's what I wanted to know.  It'd be helpful if it's more
> clearly mentioned in the commit log.

Agree.

> BTW, the same problem must be seen in MEI drivers, too.

Wasn't there a patch for those too? I lost track...

thanks,

-- 
heikki

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Takashi Iwai]

On Thu, 31 Mar 2022 11:34:38 +0200,
Heikki Krogerus wrote:
> 
> On Thu, Mar 31, 2022 at 11:28:20AM +0200, Takashi Iwai wrote:
> > On Thu, 31 Mar 2022 11:25:43 +0200,
> > Heikki Krogerus wrote:
> > > 
> > > On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > > > >
> > > > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > > > added by the drivers, hence they ought to have the driver field set.
> > > > > > But there can be corner cases I overlooked.
> > > > > >
> > > > > >
> > > > > > thanks,
> > > > > >
> > > > > > Takashi
> > > > > 
> > > > > Hi Takashi,
> > > > > 
> > > > > When I try using component_add in a different driver (usb4 in my
> > > > > case), I think dev->driver here is NULL because the i915 drivers do
> > > > > not have their component master fully bound when this new component is
> > > > > registered. When I test it, it seems to be causing a crash.
> > > > 
> > > > Hm, from where component_add*() is called?  Basically dev->driver must
> > > > be already set before the corresponding driver gets bound at
> > > > __driver_probe_deviec().  So, if the device is added to component from
> > > > the corresponding driver's probe, dev->driver must be non-NULL.
> > > 
> > > The code that declares a device as component does not have to be the
> > > driver of that device.
> > > 
> > > In our case the components are USB ports, and they are devices that
> > > are actually never bind to any drivers: drivers/usb/core/port.c
> > 
> > OK, that's what I wanted to know.  It'd be helpful if it's more
> > clearly mentioned in the commit log.
> 
> Agree.
> 
> > BTW, the same problem must be seen in MEI drivers, too.
> 
> Wasn't there a patch for those too? I lost track...

I don't know, I just checked the latest Linus tree.

And, looking at the HD-audio code, I still wonder how NULL dev->driver
can reach there.  Is there any PCI device that is added to component
without binding to a driver?  We have dev_is_pci() check at the
beginning, so non-PCI devices should bail out there...

I'm not against adding NULL checks, but just for better understanding
the situation.


Takashi

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Greg KH]

On Thu, Mar 31, 2022 at 12:25:43PM +0300, Heikki Krogerus wrote:
> On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > >
> > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > added by the drivers, hence they ought to have the driver field set.
> > > > But there can be corner cases I overlooked.
> > > >
> > > >
> > > > thanks,
> > > >
> > > > Takashi
> > > 
> > > Hi Takashi,
> > > 
> > > When I try using component_add in a different driver (usb4 in my
> > > case), I think dev->driver here is NULL because the i915 drivers do
> > > not have their component master fully bound when this new component is
> > > registered. When I test it, it seems to be causing a crash.
> > 
> > Hm, from where component_add*() is called?  Basically dev->driver must
> > be already set before the corresponding driver gets bound at
> > __driver_probe_deviec().  So, if the device is added to component from
> > the corresponding driver's probe, dev->driver must be non-NULL.
> 
> The code that declares a device as component does not have to be the
> driver of that device.
> 
> In our case the components are USB ports, and they are devices that
> are actually never bind to any drivers: drivers/usb/core/port.c

Why is a USB device being passed to this code that assumes it is looking
for a PCI device with a specific driver name?  As I mentioned on the
mei patch, triggering off of a name is really a bad idea, as is assuming
the device type without any assurance it is such a device (there's a
reason we didn't provide device type identification in the driver core,
don't abuse that please...)

thanks,

greg k-h

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Heikki Krogerus]

Hi Greg,

On Thu, Mar 31, 2022 at 01:39:51PM +0200, Greg KH wrote:
> On Thu, Mar 31, 2022 at 12:25:43PM +0300, Heikki Krogerus wrote:
> > On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > > >
> > > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > > added by the drivers, hence they ought to have the driver field set.
> > > > > But there can be corner cases I overlooked.
> > > > >
> > > > >
> > > > > thanks,
> > > > >
> > > > > Takashi
> > > > 
> > > > Hi Takashi,
> > > > 
> > > > When I try using component_add in a different driver (usb4 in my
> > > > case), I think dev->driver here is NULL because the i915 drivers do
> > > > not have their component master fully bound when this new component is
> > > > registered. When I test it, it seems to be causing a crash.
> > > 
> > > Hm, from where component_add*() is called?  Basically dev->driver must
> > > be already set before the corresponding driver gets bound at
> > > __driver_probe_deviec().  So, if the device is added to component from
> > > the corresponding driver's probe, dev->driver must be non-NULL.
> > 
> > The code that declares a device as component does not have to be the
> > driver of that device.
> > 
> > In our case the components are USB ports, and they are devices that
> > are actually never bind to any drivers: drivers/usb/core/port.c
> 
> Why is a USB device being passed to this code that assumes it is looking
> for a PCI device with a specific driver name?  As I mentioned on the
> mei patch, triggering off of a name is really a bad idea, as is assuming
> the device type without any assurance it is such a device (there's a
> reason we didn't provide device type identification in the driver core,
> don't abuse that please...)

I totally agree. This driver is making a whole bunch of assumptions
when it should not make any assumptions. And yes, one of those
assumptions is that the driver of the device has a specific name, and
that is totally crazy. So why is it making those assumptions? I have
no idea, but is does, and they are now causing the first problem -
NULL pointer dereference.

This patch (and that other) is only proposing a simple way to solve
that NULL pointer dereference issue by adding some sanity checks. If
that's no OK, and the whole driver should be refactored instead, then
that is perfectly OK by me, but that has to be done by somebody who
understands what exactly is the driver and the device it's controlling
doing (and for).

thanks,

-- 
heikki

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Greg KH]

On Thu, Mar 31, 2022 at 03:52:14PM +0300, Heikki Krogerus wrote:
> Hi Greg,
> 
> On Thu, Mar 31, 2022 at 01:39:51PM +0200, Greg KH wrote:
> > On Thu, Mar 31, 2022 at 12:25:43PM +0300, Heikki Krogerus wrote:
> > > On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > > > >
> > > > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > > > added by the drivers, hence they ought to have the driver field set.
> > > > > > But there can be corner cases I overlooked.
> > > > > >
> > > > > >
> > > > > > thanks,
> > > > > >
> > > > > > Takashi
> > > > > 
> > > > > Hi Takashi,
> > > > > 
> > > > > When I try using component_add in a different driver (usb4 in my
> > > > > case), I think dev->driver here is NULL because the i915 drivers do
> > > > > not have their component master fully bound when this new component is
> > > > > registered. When I test it, it seems to be causing a crash.
> > > > 
> > > > Hm, from where component_add*() is called?  Basically dev->driver must
> > > > be already set before the corresponding driver gets bound at
> > > > __driver_probe_deviec().  So, if the device is added to component from
> > > > the corresponding driver's probe, dev->driver must be non-NULL.
> > > 
> > > The code that declares a device as component does not have to be the
> > > driver of that device.
> > > 
> > > In our case the components are USB ports, and they are devices that
> > > are actually never bind to any drivers: drivers/usb/core/port.c
> > 
> > Why is a USB device being passed to this code that assumes it is looking
> > for a PCI device with a specific driver name?  As I mentioned on the
> > mei patch, triggering off of a name is really a bad idea, as is assuming
> > the device type without any assurance it is such a device (there's a
> > reason we didn't provide device type identification in the driver core,
> > don't abuse that please...)
> 
> I totally agree. This driver is making a whole bunch of assumptions
> when it should not make any assumptions. And yes, one of those
> assumptions is that the driver of the device has a specific name, and
> that is totally crazy. So why is it making those assumptions? I have
> no idea, but is does, and they are now causing the first problem -
> NULL pointer dereference.
> 
> This patch (and that other) is only proposing a simple way to solve
> that NULL pointer dereference issue by adding some sanity checks. If
> that's no OK, and the whole driver should be refactored instead, then
> that is perfectly OK by me, but that has to be done by somebody who
> understands what exactly is the driver and the device it's controlling
> doing (and for).

This all needs to be refactored to not do this at all.

thanks,

greg k-h

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Takashi Iwai]

On Thu, 31 Mar 2022 14:52:14 +0200,
Heikki Krogerus wrote:
> 
> Hi Greg,
> 
> On Thu, Mar 31, 2022 at 01:39:51PM +0200, Greg KH wrote:
> > On Thu, Mar 31, 2022 at 12:25:43PM +0300, Heikki Krogerus wrote:
> > > On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > > > >
> > > > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > > > added by the drivers, hence they ought to have the driver field set.
> > > > > > But there can be corner cases I overlooked.
> > > > > >
> > > > > >
> > > > > > thanks,
> > > > > >
> > > > > > Takashi
> > > > > 
> > > > > Hi Takashi,
> > > > > 
> > > > > When I try using component_add in a different driver (usb4 in my
> > > > > case), I think dev->driver here is NULL because the i915 drivers do
> > > > > not have their component master fully bound when this new component is
> > > > > registered. When I test it, it seems to be causing a crash.
> > > > 
> > > > Hm, from where component_add*() is called?  Basically dev->driver must
> > > > be already set before the corresponding driver gets bound at
> > > > __driver_probe_deviec().  So, if the device is added to component from
> > > > the corresponding driver's probe, dev->driver must be non-NULL.
> > > 
> > > The code that declares a device as component does not have to be the
> > > driver of that device.
> > > 
> > > In our case the components are USB ports, and they are devices that
> > > are actually never bind to any drivers: drivers/usb/core/port.c
> > 
> > Why is a USB device being passed to this code that assumes it is looking
> > for a PCI device with a specific driver name?  As I mentioned on the
> > mei patch, triggering off of a name is really a bad idea, as is assuming
> > the device type without any assurance it is such a device (there's a
> > reason we didn't provide device type identification in the driver core,
> > don't abuse that please...)
> 
> I totally agree. This driver is making a whole bunch of assumptions
> when it should not make any assumptions. And yes, one of those
> assumptions is that the driver of the device has a specific name, and
> that is totally crazy. So why is it making those assumptions? I have
> no idea, but is does, and they are now causing the first problem -
> NULL pointer dereference.

Well, it's a sort of best-effort approach for the component framework.
Currently the framework passes a device pointer without knowing what
it is and every master component tries to match with it unless it's
already bound.  Because of that, the driver has to judge which one is
the right one by itself.  The device driver's string is a loose
matching target that practically worked, so far.

Maybe we should define unique subcomponent numbers and rather check
the passed number at matching.  (Though, only relying on the number is
dangerous, too.)


Takashi

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Takashi Iwai]

On Thu, 31 Mar 2022 11:45:47 +0200,
Takashi Iwai wrote:
> 
> On Thu, 31 Mar 2022 11:34:38 +0200,
> Heikki Krogerus wrote:
> > 
> > On Thu, Mar 31, 2022 at 11:28:20AM +0200, Takashi Iwai wrote:
> > > On Thu, 31 Mar 2022 11:25:43 +0200,
> > > Heikki Krogerus wrote:
> > > > 
> > > > On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > > > > >
> > > > > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > > > > added by the drivers, hence they ought to have the driver field set.
> > > > > > > But there can be corner cases I overlooked.
> > > > > > >
> > > > > > >
> > > > > > > thanks,
> > > > > > >
> > > > > > > Takashi
> > > > > > 
> > > > > > Hi Takashi,
> > > > > > 
> > > > > > When I try using component_add in a different driver (usb4 in my
> > > > > > case), I think dev->driver here is NULL because the i915 drivers do
> > > > > > not have their component master fully bound when this new component is
> > > > > > registered. When I test it, it seems to be causing a crash.
> > > > > 
> > > > > Hm, from where component_add*() is called?  Basically dev->driver must
> > > > > be already set before the corresponding driver gets bound at
> > > > > __driver_probe_deviec().  So, if the device is added to component from
> > > > > the corresponding driver's probe, dev->driver must be non-NULL.
> > > > 
> > > > The code that declares a device as component does not have to be the
> > > > driver of that device.
> > > > 
> > > > In our case the components are USB ports, and they are devices that
> > > > are actually never bind to any drivers: drivers/usb/core/port.c
> > > 
> > > OK, that's what I wanted to know.  It'd be helpful if it's more
> > > clearly mentioned in the commit log.
> > 
> > Agree.
> > 
> > > BTW, the same problem must be seen in MEI drivers, too.
> > 
> > Wasn't there a patch for those too? I lost track...
> 
> I don't know, I just checked the latest Linus tree.
> 
> And, looking at the HD-audio code, I still wonder how NULL dev->driver
> can reach there.  Is there any PCI device that is added to component
> without binding to a driver?  We have dev_is_pci() check at the
> beginning, so non-PCI devices should bail out there...

Further reading on, I'm really confused.  How data=NULL can be passed
to this function?  The data argument is the value passed from the
component_match_add_typed() call in HD-audio driver, hence it must be
always the snd_hdac_bus object.

And, I guess the i915 string check can be omitted completely, at
least, for HD-audio driver.  It already have a check of the parent of
the device and that should be enough.


Takashi

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Takashi Iwai]

On Thu, 31 Mar 2022 15:29:10 +0200,
Takashi Iwai wrote:
> 
> On Thu, 31 Mar 2022 11:45:47 +0200,
> Takashi Iwai wrote:
> > 
> > On Thu, 31 Mar 2022 11:34:38 +0200,
> > Heikki Krogerus wrote:
> > > 
> > > On Thu, Mar 31, 2022 at 11:28:20AM +0200, Takashi Iwai wrote:
> > > > On Thu, 31 Mar 2022 11:25:43 +0200,
> > > > Heikki Krogerus wrote:
> > > > > 
> > > > > On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > > > > > >
> > > > > > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > > > > > added by the drivers, hence they ought to have the driver field set.
> > > > > > > > But there can be corner cases I overlooked.
> > > > > > > >
> > > > > > > >
> > > > > > > > thanks,
> > > > > > > >
> > > > > > > > Takashi
> > > > > > > 
> > > > > > > Hi Takashi,
> > > > > > > 
> > > > > > > When I try using component_add in a different driver (usb4 in my
> > > > > > > case), I think dev->driver here is NULL because the i915 drivers do
> > > > > > > not have their component master fully bound when this new component is
> > > > > > > registered. When I test it, it seems to be causing a crash.
> > > > > > 
> > > > > > Hm, from where component_add*() is called?  Basically dev->driver must
> > > > > > be already set before the corresponding driver gets bound at
> > > > > > __driver_probe_deviec().  So, if the device is added to component from
> > > > > > the corresponding driver's probe, dev->driver must be non-NULL.
> > > > > 
> > > > > The code that declares a device as component does not have to be the
> > > > > driver of that device.
> > > > > 
> > > > > In our case the components are USB ports, and they are devices that
> > > > > are actually never bind to any drivers: drivers/usb/core/port.c
> > > > 
> > > > OK, that's what I wanted to know.  It'd be helpful if it's more
> > > > clearly mentioned in the commit log.
> > > 
> > > Agree.
> > > 
> > > > BTW, the same problem must be seen in MEI drivers, too.
> > > 
> > > Wasn't there a patch for those too? I lost track...
> > 
> > I don't know, I just checked the latest Linus tree.
> > 
> > And, looking at the HD-audio code, I still wonder how NULL dev->driver
> > can reach there.  Is there any PCI device that is added to component
> > without binding to a driver?  We have dev_is_pci() check at the
> > beginning, so non-PCI devices should bail out there...
> 
> Further reading on, I'm really confused.  How data=NULL can be passed
> to this function?  The data argument is the value passed from the
> component_match_add_typed() call in HD-audio driver, hence it must be
> always the snd_hdac_bus object.
> 
> And, I guess the i915 string check can be omitted completely, at
> least, for HD-audio driver.  It already have a check of the parent of
> the device and that should be enough.

That said, something like below (supposing data NULL check being
superfluous), instead.


Takashi

--- a/sound/hda/hdac_i915.c
+++ b/sound/hda/hdac_i915.c
@@ -102,18 +102,13 @@ static int i915_component_master_match(struct device *dev, int subcomponent,
 	struct pci_dev *hdac_pci, *i915_pci;
 	struct hdac_bus *bus = data;
 
-	if (!dev_is_pci(dev))
+	if (subcomponent != I915_COMPONENT_AUDIO || !dev_is_pci(dev))
 		return 0;
 
 	hdac_pci = to_pci_dev(bus->dev);
 	i915_pci = to_pci_dev(dev);
 
-	if (!strcmp(dev->driver->name, "i915") &&
-	    subcomponent == I915_COMPONENT_AUDIO &&
-	    connectivity_check(i915_pci, hdac_pci))
-		return 1;
-
-	return 0;
+	return connectivity_check(i915_pci, hdac_pci);
 }
 
 /* check whether intel graphics is present */

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Benson Leung]

[-- Attachment #1: Type: text/plain, Size: 4883 bytes --]

Hi Takashi,

On Thu, Mar 31, 2022 at 04:19:15PM +0200, Takashi Iwai wrote:
> On Thu, 31 Mar 2022 15:29:10 +0200,
> Takashi Iwai wrote:
> > 
> > On Thu, 31 Mar 2022 11:45:47 +0200,
> > Takashi Iwai wrote:
> > > 
> > > On Thu, 31 Mar 2022 11:34:38 +0200,
> > > Heikki Krogerus wrote:
> > > > 
> > > > On Thu, Mar 31, 2022 at 11:28:20AM +0200, Takashi Iwai wrote:
> > > > > On Thu, 31 Mar 2022 11:25:43 +0200,
> > > > > Heikki Krogerus wrote:
> > > > > > 
> > > > > > On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > > > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > > > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > > > > > > >
> > > > > > > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > > > > > > added by the drivers, hence they ought to have the driver field set.
> > > > > > > > > But there can be corner cases I overlooked.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > thanks,
> > > > > > > > >
> > > > > > > > > Takashi
> > > > > > > > 
> > > > > > > > Hi Takashi,
> > > > > > > > 
> > > > > > > > When I try using component_add in a different driver (usb4 in my
> > > > > > > > case), I think dev->driver here is NULL because the i915 drivers do
> > > > > > > > not have their component master fully bound when this new component is
> > > > > > > > registered. When I test it, it seems to be causing a crash.
> > > > > > > 
> > > > > > > Hm, from where component_add*() is called?  Basically dev->driver must
> > > > > > > be already set before the corresponding driver gets bound at
> > > > > > > __driver_probe_deviec().  So, if the device is added to component from
> > > > > > > the corresponding driver's probe, dev->driver must be non-NULL.
> > > > > > 
> > > > > > The code that declares a device as component does not have to be the
> > > > > > driver of that device.
> > > > > > 
> > > > > > In our case the components are USB ports, and they are devices that
> > > > > > are actually never bind to any drivers: drivers/usb/core/port.c
> > > > > 
> > > > > OK, that's what I wanted to know.  It'd be helpful if it's more
> > > > > clearly mentioned in the commit log.
> > > > 
> > > > Agree.
> > > > 
> > > > > BTW, the same problem must be seen in MEI drivers, too.
> > > > 
> > > > Wasn't there a patch for those too? I lost track...
> > > 
> > > I don't know, I just checked the latest Linus tree.
> > > 
> > > And, looking at the HD-audio code, I still wonder how NULL dev->driver
> > > can reach there.  Is there any PCI device that is added to component
> > > without binding to a driver?  We have dev_is_pci() check at the
> > > beginning, so non-PCI devices should bail out there...
> > 
> > Further reading on, I'm really confused.  How data=NULL can be passed
> > to this function?  The data argument is the value passed from the
> > component_match_add_typed() call in HD-audio driver, hence it must be
> > always the snd_hdac_bus object.
> > 
> > And, I guess the i915 string check can be omitted completely, at
> > least, for HD-audio driver.  It already have a check of the parent of
> > the device and that should be enough.
> 
> That said, something like below (supposing data NULL check being
> superfluous), instead.
> 
> 
> Takashi
> 
> --- a/sound/hda/hdac_i915.c
> +++ b/sound/hda/hdac_i915.c
> @@ -102,18 +102,13 @@ static int i915_component_master_match(struct device *dev, int subcomponent,
>  	struct pci_dev *hdac_pci, *i915_pci;
>  	struct hdac_bus *bus = data;
>  
> -	if (!dev_is_pci(dev))
> +	if (subcomponent != I915_COMPONENT_AUDIO || !dev_is_pci(dev))
>  		return 0;
>  

If I recall this bug correctly, it's not the usb port perse that is falling
through this !dev_is_pci(dev) check, it's actually the usb4-port in a new
proposed patch by Heikki and Mika to extend the usb type-c component to
encompass the usb4 specific pieces too. Is it possible usb4 ports are considered
pci devices, and that's how we got into this situation?

Also, a little more background information: This crash happens because in
our kernel configs, we config'd the usb4 driver as =y (built in) instead of
=m module, which meant that the usb4 port's driver was adding a component
likely much earlier than hdac_i915.

Thanks,
Benson

>  	hdac_pci = to_pci_dev(bus->dev);
>  	i915_pci = to_pci_dev(dev);
>  
> -	if (!strcmp(dev->driver->name, "i915") &&
> -	    subcomponent == I915_COMPONENT_AUDIO &&
> -	    connectivity_check(i915_pci, hdac_pci))
> -		return 1;
> -
> -	return 0;
> +	return connectivity_check(i915_pci, hdac_pci);
>  }
>  
>  /* check whether intel graphics is present */
> 

-- 
Benson Leung
Staff Software Engineer
Chrome OS Kernel
Google Inc.
bleung@google.com
Chromium OS Project
bleung@chromium.org

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Takashi Iwai]

On Thu, 31 Mar 2022 17:33:03 +0200,
Benson Leung wrote:
> 
> Hi Takashi,
> 
> On Thu, Mar 31, 2022 at 04:19:15PM +0200, Takashi Iwai wrote:
> > On Thu, 31 Mar 2022 15:29:10 +0200,
> > Takashi Iwai wrote:
> > > 
> > > On Thu, 31 Mar 2022 11:45:47 +0200,
> > > Takashi Iwai wrote:
> > > > 
> > > > On Thu, 31 Mar 2022 11:34:38 +0200,
> > > > Heikki Krogerus wrote:
> > > > > 
> > > > > On Thu, Mar 31, 2022 at 11:28:20AM +0200, Takashi Iwai wrote:
> > > > > > On Thu, 31 Mar 2022 11:25:43 +0200,
> > > > > > Heikki Krogerus wrote:
> > > > > > > 
> > > > > > > On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > > > > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > > > > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > > > > > > > >
> > > > > > > > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > > > > > > > added by the drivers, hence they ought to have the driver field set.
> > > > > > > > > > But there can be corner cases I overlooked.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > thanks,
> > > > > > > > > >
> > > > > > > > > > Takashi
> > > > > > > > > 
> > > > > > > > > Hi Takashi,
> > > > > > > > > 
> > > > > > > > > When I try using component_add in a different driver (usb4 in my
> > > > > > > > > case), I think dev->driver here is NULL because the i915 drivers do
> > > > > > > > > not have their component master fully bound when this new component is
> > > > > > > > > registered. When I test it, it seems to be causing a crash.
> > > > > > > > 
> > > > > > > > Hm, from where component_add*() is called?  Basically dev->driver must
> > > > > > > > be already set before the corresponding driver gets bound at
> > > > > > > > __driver_probe_deviec().  So, if the device is added to component from
> > > > > > > > the corresponding driver's probe, dev->driver must be non-NULL.
> > > > > > > 
> > > > > > > The code that declares a device as component does not have to be the
> > > > > > > driver of that device.
> > > > > > > 
> > > > > > > In our case the components are USB ports, and they are devices that
> > > > > > > are actually never bind to any drivers: drivers/usb/core/port.c
> > > > > > 
> > > > > > OK, that's what I wanted to know.  It'd be helpful if it's more
> > > > > > clearly mentioned in the commit log.
> > > > > 
> > > > > Agree.
> > > > > 
> > > > > > BTW, the same problem must be seen in MEI drivers, too.
> > > > > 
> > > > > Wasn't there a patch for those too? I lost track...
> > > > 
> > > > I don't know, I just checked the latest Linus tree.
> > > > 
> > > > And, looking at the HD-audio code, I still wonder how NULL dev->driver
> > > > can reach there.  Is there any PCI device that is added to component
> > > > without binding to a driver?  We have dev_is_pci() check at the
> > > > beginning, so non-PCI devices should bail out there...
> > > 
> > > Further reading on, I'm really confused.  How data=NULL can be passed
> > > to this function?  The data argument is the value passed from the
> > > component_match_add_typed() call in HD-audio driver, hence it must be
> > > always the snd_hdac_bus object.
> > > 
> > > And, I guess the i915 string check can be omitted completely, at
> > > least, for HD-audio driver.  It already have a check of the parent of
> > > the device and that should be enough.
> > 
> > That said, something like below (supposing data NULL check being
> > superfluous), instead.
> > 
> > 
> > Takashi
> > 
> > --- a/sound/hda/hdac_i915.c
> > +++ b/sound/hda/hdac_i915.c
> > @@ -102,18 +102,13 @@ static int i915_component_master_match(struct device *dev, int subcomponent,
> >  	struct pci_dev *hdac_pci, *i915_pci;
> >  	struct hdac_bus *bus = data;
> >  
> > -	if (!dev_is_pci(dev))
> > +	if (subcomponent != I915_COMPONENT_AUDIO || !dev_is_pci(dev))
> >  		return 0;
> >  
> 
> If I recall this bug correctly, it's not the usb port perse that is falling
> through this !dev_is_pci(dev) check, it's actually the usb4-port in a new
> proposed patch by Heikki and Mika to extend the usb type-c component to
> encompass the usb4 specific pieces too. Is it possible usb4 ports are considered
> pci devices, and that's how we got into this situation?

Yes, that explains for one of two changes in the original patch.
But why data==NULL check is needed is still unclear.

> Also, a little more background information: This crash happens because in
> our kernel configs, we config'd the usb4 driver as =y (built in) instead of
> =m module, which meant that the usb4 port's driver was adding a component
> likely much earlier than hdac_i915.

Thanks, it's what I supposed, too.


Takashi

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Mika Westerberg]

Hi,

On Thu, Mar 31, 2022 at 08:33:03AM -0700, Benson Leung wrote:
> > --- a/sound/hda/hdac_i915.c
> > +++ b/sound/hda/hdac_i915.c
> > @@ -102,18 +102,13 @@ static int i915_component_master_match(struct device *dev, int subcomponent,
> >  	struct pci_dev *hdac_pci, *i915_pci;
> >  	struct hdac_bus *bus = data;
> >  
> > -	if (!dev_is_pci(dev))
> > +	if (subcomponent != I915_COMPONENT_AUDIO || !dev_is_pci(dev))
> >  		return 0;
> >  
> 
> If I recall this bug correctly, it's not the usb port perse that is falling
> through this !dev_is_pci(dev) check, it's actually the usb4-port in a new
> proposed patch by Heikki and Mika to extend the usb type-c component to
> encompass the usb4 specific pieces too. Is it possible usb4 ports are considered
> pci devices, and that's how we got into this situation?

For usb4_port the dev_ic_pci(dev) returns false:

  #define dev_is_pci(d) ((d)->bus == &pci_bus_type)

We don't attach them to PCI bus (well they are not PCI devices).

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Greg KH]

On Thu, Mar 31, 2022 at 08:33:03AM -0700, Benson Leung wrote:
> Hi Takashi,
> 
> On Thu, Mar 31, 2022 at 04:19:15PM +0200, Takashi Iwai wrote:
> > On Thu, 31 Mar 2022 15:29:10 +0200,
> > Takashi Iwai wrote:
> > > 
> > > On Thu, 31 Mar 2022 11:45:47 +0200,
> > > Takashi Iwai wrote:
> > > > 
> > > > On Thu, 31 Mar 2022 11:34:38 +0200,
> > > > Heikki Krogerus wrote:
> > > > > 
> > > > > On Thu, Mar 31, 2022 at 11:28:20AM +0200, Takashi Iwai wrote:
> > > > > > On Thu, 31 Mar 2022 11:25:43 +0200,
> > > > > > Heikki Krogerus wrote:
> > > > > > > 
> > > > > > > On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > > > > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > > > > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > > > > > > > >
> > > > > > > > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > > > > > > > added by the drivers, hence they ought to have the driver field set.
> > > > > > > > > > But there can be corner cases I overlooked.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > thanks,
> > > > > > > > > >
> > > > > > > > > > Takashi
> > > > > > > > > 
> > > > > > > > > Hi Takashi,
> > > > > > > > > 
> > > > > > > > > When I try using component_add in a different driver (usb4 in my
> > > > > > > > > case), I think dev->driver here is NULL because the i915 drivers do
> > > > > > > > > not have their component master fully bound when this new component is
> > > > > > > > > registered. When I test it, it seems to be causing a crash.
> > > > > > > > 
> > > > > > > > Hm, from where component_add*() is called?  Basically dev->driver must
> > > > > > > > be already set before the corresponding driver gets bound at
> > > > > > > > __driver_probe_deviec().  So, if the device is added to component from
> > > > > > > > the corresponding driver's probe, dev->driver must be non-NULL.
> > > > > > > 
> > > > > > > The code that declares a device as component does not have to be the
> > > > > > > driver of that device.
> > > > > > > 
> > > > > > > In our case the components are USB ports, and they are devices that
> > > > > > > are actually never bind to any drivers: drivers/usb/core/port.c
> > > > > > 
> > > > > > OK, that's what I wanted to know.  It'd be helpful if it's more
> > > > > > clearly mentioned in the commit log.
> > > > > 
> > > > > Agree.
> > > > > 
> > > > > > BTW, the same problem must be seen in MEI drivers, too.
> > > > > 
> > > > > Wasn't there a patch for those too? I lost track...
> > > > 
> > > > I don't know, I just checked the latest Linus tree.
> > > > 
> > > > And, looking at the HD-audio code, I still wonder how NULL dev->driver
> > > > can reach there.  Is there any PCI device that is added to component
> > > > without binding to a driver?  We have dev_is_pci() check at the
> > > > beginning, so non-PCI devices should bail out there...
> > > 
> > > Further reading on, I'm really confused.  How data=NULL can be passed
> > > to this function?  The data argument is the value passed from the
> > > component_match_add_typed() call in HD-audio driver, hence it must be
> > > always the snd_hdac_bus object.
> > > 
> > > And, I guess the i915 string check can be omitted completely, at
> > > least, for HD-audio driver.  It already have a check of the parent of
> > > the device and that should be enough.
> > 
> > That said, something like below (supposing data NULL check being
> > superfluous), instead.
> > 
> > 
> > Takashi
> > 
> > --- a/sound/hda/hdac_i915.c
> > +++ b/sound/hda/hdac_i915.c
> > @@ -102,18 +102,13 @@ static int i915_component_master_match(struct device *dev, int subcomponent,
> >  	struct pci_dev *hdac_pci, *i915_pci;
> >  	struct hdac_bus *bus = data;
> >  
> > -	if (!dev_is_pci(dev))
> > +	if (subcomponent != I915_COMPONENT_AUDIO || !dev_is_pci(dev))
> >  		return 0;
> >  
> 
> If I recall this bug correctly, it's not the usb port perse that is falling
> through this !dev_is_pci(dev) check, it's actually the usb4-port in a new
> proposed patch by Heikki and Mika to extend the usb type-c component to
> encompass the usb4 specific pieces too. Is it possible usb4 ports are considered
> pci devices, and that's how we got into this situation?
> 
> Also, a little more background information: This crash happens because in
> our kernel configs, we config'd the usb4 driver as =y (built in) instead of
> =m module, which meant that the usb4 port's driver was adding a component
> likely much earlier than hdac_i915.

So is this actually triggering on 5.17 right now?  Or is it due to some
other not-applied changes you are testing at the moment?

confused,

greg k-h

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Won Chung]

On Thu, Mar 31, 2022 at 9:38 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Thu, Mar 31, 2022 at 08:33:03AM -0700, Benson Leung wrote:
> > Hi Takashi,
> >
> > On Thu, Mar 31, 2022 at 04:19:15PM +0200, Takashi Iwai wrote:
> > > On Thu, 31 Mar 2022 15:29:10 +0200,
> > > Takashi Iwai wrote:
> > > >
> > > > On Thu, 31 Mar 2022 11:45:47 +0200,
> > > > Takashi Iwai wrote:
> > > > >
> > > > > On Thu, 31 Mar 2022 11:34:38 +0200,
> > > > > Heikki Krogerus wrote:
> > > > > >
> > > > > > On Thu, Mar 31, 2022 at 11:28:20AM +0200, Takashi Iwai wrote:
> > > > > > > On Thu, 31 Mar 2022 11:25:43 +0200,
> > > > > > > Heikki Krogerus wrote:
> > > > > > > >
> > > > > > > > On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > > > > > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > > > > > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > > > > > > > > >
> > > > > > > > > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > > > > > > > > added by the drivers, hence they ought to have the driver field set.
> > > > > > > > > > > But there can be corner cases I overlooked.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > thanks,
> > > > > > > > > > >
> > > > > > > > > > > Takashi
> > > > > > > > > >
> > > > > > > > > > Hi Takashi,
> > > > > > > > > >
> > > > > > > > > > When I try using component_add in a different driver (usb4 in my
> > > > > > > > > > case), I think dev->driver here is NULL because the i915 drivers do
> > > > > > > > > > not have their component master fully bound when this new component is
> > > > > > > > > > registered. When I test it, it seems to be causing a crash.
> > > > > > > > >
> > > > > > > > > Hm, from where component_add*() is called?  Basically dev->driver must
> > > > > > > > > be already set before the corresponding driver gets bound at
> > > > > > > > > __driver_probe_deviec().  So, if the device is added to component from
> > > > > > > > > the corresponding driver's probe, dev->driver must be non-NULL.
> > > > > > > >
> > > > > > > > The code that declares a device as component does not have to be the
> > > > > > > > driver of that device.
> > > > > > > >
> > > > > > > > In our case the components are USB ports, and they are devices that
> > > > > > > > are actually never bind to any drivers: drivers/usb/core/port.c
> > > > > > >
> > > > > > > OK, that's what I wanted to know.  It'd be helpful if it's more
> > > > > > > clearly mentioned in the commit log.
> > > > > >
> > > > > > Agree.
> > > > > >
> > > > > > > BTW, the same problem must be seen in MEI drivers, too.
> > > > > >
> > > > > > Wasn't there a patch for those too? I lost track...
> > > > >
> > > > > I don't know, I just checked the latest Linus tree.
> > > > >
> > > > > And, looking at the HD-audio code, I still wonder how NULL dev->driver
> > > > > can reach there.  Is there any PCI device that is added to component
> > > > > without binding to a driver?  We have dev_is_pci() check at the
> > > > > beginning, so non-PCI devices should bail out there...
> > > >
> > > > Further reading on, I'm really confused.  How data=NULL can be passed
> > > > to this function?  The data argument is the value passed from the
> > > > component_match_add_typed() call in HD-audio driver, hence it must be
> > > > always the snd_hdac_bus object.
> > > >
> > > > And, I guess the i915 string check can be omitted completely, at
> > > > least, for HD-audio driver.  It already have a check of the parent of
> > > > the device and that should be enough.
> > >
> > > That said, something like below (supposing data NULL check being
> > > superfluous), instead.
> > >
> > >
> > > Takashi
> > >
> > > --- a/sound/hda/hdac_i915.c
> > > +++ b/sound/hda/hdac_i915.c
> > > @@ -102,18 +102,13 @@ static int i915_component_master_match(struct device *dev, int subcomponent,
> > >     struct pci_dev *hdac_pci, *i915_pci;
> > >     struct hdac_bus *bus = data;
> > >
> > > -   if (!dev_is_pci(dev))
> > > +   if (subcomponent != I915_COMPONENT_AUDIO || !dev_is_pci(dev))
> > >             return 0;
> > >
> >
> > If I recall this bug correctly, it's not the usb port perse that is falling
> > through this !dev_is_pci(dev) check, it's actually the usb4-port in a new
> > proposed patch by Heikki and Mika to extend the usb type-c component to
> > encompass the usb4 specific pieces too. Is it possible usb4 ports are considered
> > pci devices, and that's how we got into this situation?
> >
> > Also, a little more background information: This crash happens because in
> > our kernel configs, we config'd the usb4 driver as =y (built in) instead of
> > =m module, which meant that the usb4 port's driver was adding a component
> > likely much earlier than hdac_i915.
>
> So is this actually triggering on 5.17 right now?  Or is it due to some
> other not-applied changes you are testing at the moment?
>
> confused,
>
> greg k-h

Hi Greg,

I believe it is not causing an issue in 5.17 at the moment. It is
triggered when we try to apply new changes and test it locally.
(registering a component for usb4_port)

Thanks,
Won

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Greg KH]

On Thu, Mar 31, 2022 at 09:58:43AM -0700, Won Chung wrote:
> On Thu, Mar 31, 2022 at 9:38 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > On Thu, Mar 31, 2022 at 08:33:03AM -0700, Benson Leung wrote:
> > > Hi Takashi,
> > >
> > > On Thu, Mar 31, 2022 at 04:19:15PM +0200, Takashi Iwai wrote:
> > > > On Thu, 31 Mar 2022 15:29:10 +0200,
> > > > Takashi Iwai wrote:
> > > > >
> > > > > On Thu, 31 Mar 2022 11:45:47 +0200,
> > > > > Takashi Iwai wrote:
> > > > > >
> > > > > > On Thu, 31 Mar 2022 11:34:38 +0200,
> > > > > > Heikki Krogerus wrote:
> > > > > > >
> > > > > > > On Thu, Mar 31, 2022 at 11:28:20AM +0200, Takashi Iwai wrote:
> > > > > > > > On Thu, 31 Mar 2022 11:25:43 +0200,
> > > > > > > > Heikki Krogerus wrote:
> > > > > > > > >
> > > > > > > > > On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > > > > > > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > > > > > > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > > > > > > > > > >
> > > > > > > > > > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > > > > > > > > > added by the drivers, hence they ought to have the driver field set.
> > > > > > > > > > > > But there can be corner cases I overlooked.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > thanks,
> > > > > > > > > > > >
> > > > > > > > > > > > Takashi
> > > > > > > > > > >
> > > > > > > > > > > Hi Takashi,
> > > > > > > > > > >
> > > > > > > > > > > When I try using component_add in a different driver (usb4 in my
> > > > > > > > > > > case), I think dev->driver here is NULL because the i915 drivers do
> > > > > > > > > > > not have their component master fully bound when this new component is
> > > > > > > > > > > registered. When I test it, it seems to be causing a crash.
> > > > > > > > > >
> > > > > > > > > > Hm, from where component_add*() is called?  Basically dev->driver must
> > > > > > > > > > be already set before the corresponding driver gets bound at
> > > > > > > > > > __driver_probe_deviec().  So, if the device is added to component from
> > > > > > > > > > the corresponding driver's probe, dev->driver must be non-NULL.
> > > > > > > > >
> > > > > > > > > The code that declares a device as component does not have to be the
> > > > > > > > > driver of that device.
> > > > > > > > >
> > > > > > > > > In our case the components are USB ports, and they are devices that
> > > > > > > > > are actually never bind to any drivers: drivers/usb/core/port.c
> > > > > > > >
> > > > > > > > OK, that's what I wanted to know.  It'd be helpful if it's more
> > > > > > > > clearly mentioned in the commit log.
> > > > > > >
> > > > > > > Agree.
> > > > > > >
> > > > > > > > BTW, the same problem must be seen in MEI drivers, too.
> > > > > > >
> > > > > > > Wasn't there a patch for those too? I lost track...
> > > > > >
> > > > > > I don't know, I just checked the latest Linus tree.
> > > > > >
> > > > > > And, looking at the HD-audio code, I still wonder how NULL dev->driver
> > > > > > can reach there.  Is there any PCI device that is added to component
> > > > > > without binding to a driver?  We have dev_is_pci() check at the
> > > > > > beginning, so non-PCI devices should bail out there...
> > > > >
> > > > > Further reading on, I'm really confused.  How data=NULL can be passed
> > > > > to this function?  The data argument is the value passed from the
> > > > > component_match_add_typed() call in HD-audio driver, hence it must be
> > > > > always the snd_hdac_bus object.
> > > > >
> > > > > And, I guess the i915 string check can be omitted completely, at
> > > > > least, for HD-audio driver.  It already have a check of the parent of
> > > > > the device and that should be enough.
> > > >
> > > > That said, something like below (supposing data NULL check being
> > > > superfluous), instead.
> > > >
> > > >
> > > > Takashi
> > > >
> > > > --- a/sound/hda/hdac_i915.c
> > > > +++ b/sound/hda/hdac_i915.c
> > > > @@ -102,18 +102,13 @@ static int i915_component_master_match(struct device *dev, int subcomponent,
> > > >     struct pci_dev *hdac_pci, *i915_pci;
> > > >     struct hdac_bus *bus = data;
> > > >
> > > > -   if (!dev_is_pci(dev))
> > > > +   if (subcomponent != I915_COMPONENT_AUDIO || !dev_is_pci(dev))
> > > >             return 0;
> > > >
> > >
> > > If I recall this bug correctly, it's not the usb port perse that is falling
> > > through this !dev_is_pci(dev) check, it's actually the usb4-port in a new
> > > proposed patch by Heikki and Mika to extend the usb type-c component to
> > > encompass the usb4 specific pieces too. Is it possible usb4 ports are considered
> > > pci devices, and that's how we got into this situation?
> > >
> > > Also, a little more background information: This crash happens because in
> > > our kernel configs, we config'd the usb4 driver as =y (built in) instead of
> > > =m module, which meant that the usb4 port's driver was adding a component
> > > likely much earlier than hdac_i915.
> >
> > So is this actually triggering on 5.17 right now?  Or is it due to some
> > other not-applied changes you are testing at the moment?
> >
> > confused,
> >
> > greg k-h
> 
> Hi Greg,
> 
> I believe it is not causing an issue in 5.17 at the moment. It is
> triggered when we try to apply new changes and test it locally.
> (registering a component for usb4_port)

Then why would it ever be needed to be backported to a stable kernel?

Please be more careful.

greg k-h

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Benson Leung]

[-- Attachment #1: Type: text/plain, Size: 946 bytes --]

Hi Greg,

On Thu, Mar 31, 2022 at 07:18:00PM +0200, Greg KH wrote:
> On Thu, Mar 31, 2022 at 09:58:43AM -0700, Won Chung wrote:
> > > So is this actually triggering on 5.17 right now?  Or is it due to some
> > > other not-applied changes you are testing at the moment?
> > >
> > > confused,
> > >
> > > greg k-h
> > 
> > Hi Greg,
> > 
> > I believe it is not causing an issue in 5.17 at the moment. It is
> > triggered when we try to apply new changes and test it locally.
> > (registering a component for usb4_port)
> 
> Then why would it ever be needed to be backported to a stable kernel?
> 
> Please be more careful.
> 
> greg k-h

Sorry about that. I gave Won bad advice to cc stable. You're right, it will
only be relevant when a future patch lands in usb4.

Thanks,
Benson

-- 
Benson Leung
Staff Software Engineer
Chrome OS Kernel
Google Inc.
bleung@google.com
Chromium OS Project
bleung@chromium.org

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Greg KH]

On Thu, Mar 31, 2022 at 10:33:57AM -0700, Benson Leung wrote:
> Hi Greg,
> 
> On Thu, Mar 31, 2022 at 07:18:00PM +0200, Greg KH wrote:
> > On Thu, Mar 31, 2022 at 09:58:43AM -0700, Won Chung wrote:
> > > > So is this actually triggering on 5.17 right now?  Or is it due to some
> > > > other not-applied changes you are testing at the moment?
> > > >
> > > > confused,
> > > >
> > > > greg k-h
> > > 
> > > Hi Greg,
> > > 
> > > I believe it is not causing an issue in 5.17 at the moment. It is
> > > triggered when we try to apply new changes and test it locally.
> > > (registering a component for usb4_port)
> > 
> > Then why would it ever be needed to be backported to a stable kernel?
> > 
> > Please be more careful.
> > 
> > greg k-h
> 
> Sorry about that. I gave Won bad advice to cc stable. You're right, it will
> only be relevant when a future patch lands in usb4.

It isn't even relevant now, please only worry about this when you have
your patches ready for submission that causes this breakage.

thanks,

greg k-h

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Heikki Krogerus]

Hi Takashi,

On Thu, Mar 31, 2022 at 04:19:15PM +0200, Takashi Iwai wrote:
> On Thu, 31 Mar 2022 15:29:10 +0200,
> Takashi Iwai wrote:
> > 
> > On Thu, 31 Mar 2022 11:45:47 +0200,
> > Takashi Iwai wrote:
> > > 
> > > On Thu, 31 Mar 2022 11:34:38 +0200,
> > > Heikki Krogerus wrote:
> > > > 
> > > > On Thu, Mar 31, 2022 at 11:28:20AM +0200, Takashi Iwai wrote:
> > > > > On Thu, 31 Mar 2022 11:25:43 +0200,
> > > > > Heikki Krogerus wrote:
> > > > > > 
> > > > > > On Thu, Mar 31, 2022 at 11:12:55AM +0200, Takashi Iwai wrote:
> > > > > > > > > > -     if (!strcmp(dev->driver->name, "i915") &&
> > > > > > > > > > +     if (dev->driver && !strcmp(dev->driver->name, "i915") &&
> > > > > > > > >
> > > > > > > > > Can NULL dev->driver be really seen?  I thought the components are
> > > > > > > > > added by the drivers, hence they ought to have the driver field set.
> > > > > > > > > But there can be corner cases I overlooked.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > thanks,
> > > > > > > > >
> > > > > > > > > Takashi
> > > > > > > > 
> > > > > > > > Hi Takashi,
> > > > > > > > 
> > > > > > > > When I try using component_add in a different driver (usb4 in my
> > > > > > > > case), I think dev->driver here is NULL because the i915 drivers do
> > > > > > > > not have their component master fully bound when this new component is
> > > > > > > > registered. When I test it, it seems to be causing a crash.
> > > > > > > 
> > > > > > > Hm, from where component_add*() is called?  Basically dev->driver must
> > > > > > > be already set before the corresponding driver gets bound at
> > > > > > > __driver_probe_deviec().  So, if the device is added to component from
> > > > > > > the corresponding driver's probe, dev->driver must be non-NULL.
> > > > > > 
> > > > > > The code that declares a device as component does not have to be the
> > > > > > driver of that device.
> > > > > > 
> > > > > > In our case the components are USB ports, and they are devices that
> > > > > > are actually never bind to any drivers: drivers/usb/core/port.c
> > > > > 
> > > > > OK, that's what I wanted to know.  It'd be helpful if it's more
> > > > > clearly mentioned in the commit log.
> > > > 
> > > > Agree.
> > > > 
> > > > > BTW, the same problem must be seen in MEI drivers, too.
> > > > 
> > > > Wasn't there a patch for those too? I lost track...
> > > 
> > > I don't know, I just checked the latest Linus tree.
> > > 
> > > And, looking at the HD-audio code, I still wonder how NULL dev->driver
> > > can reach there.  Is there any PCI device that is added to component
> > > without binding to a driver?  We have dev_is_pci() check at the
> > > beginning, so non-PCI devices should bail out there...
> > 
> > Further reading on, I'm really confused.  How data=NULL can be passed
> > to this function?  The data argument is the value passed from the
> > component_match_add_typed() call in HD-audio driver, hence it must be
> > always the snd_hdac_bus object.
> > 
> > And, I guess the i915 string check can be omitted completely, at
> > least, for HD-audio driver.  It already have a check of the parent of
> > the device and that should be enough.
> 
> That said, something like below (supposing data NULL check being
> superfluous), instead.

I don't think data can be NULL. There is no need for that check like
you said.

> --- a/sound/hda/hdac_i915.c
> +++ b/sound/hda/hdac_i915.c
> @@ -102,18 +102,13 @@ static int i915_component_master_match(struct device *dev, int subcomponent,
>  	struct pci_dev *hdac_pci, *i915_pci;
>  	struct hdac_bus *bus = data;
>  
> -	if (!dev_is_pci(dev))
> +	if (subcomponent != I915_COMPONENT_AUDIO || !dev_is_pci(dev))
>  		return 0;
>  
>  	hdac_pci = to_pci_dev(bus->dev);
>  	i915_pci = to_pci_dev(dev);
>  
> -	if (!strcmp(dev->driver->name, "i915") &&
> -	    subcomponent == I915_COMPONENT_AUDIO &&
> -	    connectivity_check(i915_pci, hdac_pci))
> -		return 1;
> -
> -	return 0;
> +	return connectivity_check(i915_pci, hdac_pci);
>  }
>  
>  /* check whether intel graphics is present */

That looks really nice to me!

thanks,

-- 
heikki

Re: [PATCH v2] sound/hda: Add NULL check to component match callback function

[Won Chung]

On Wed, Mar 30, 2022 at 1:55 PM Won Chung <wonchung@google.com> wrote:
>
> Component match callback function needs to check if expected data is
> passed to it. Without this check, it can cause a NULL pointer
> dereference when another driver registers a component before i915
> drivers have their component master fully bind.
>
> Fixes: 7b882fe3e3e8b ("ALSA: hda - handle multiple i915 device instances")
> Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
> Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
> Signed-off-by: Won Chung <wonchung@google.com>
> ---
> - Add "Fixes" tag
> - Send to stable@vger.kernel.org
>
>  sound/hda/hdac_i915.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/sound/hda/hdac_i915.c b/sound/hda/hdac_i915.c
> index efe810af28c5..958b0975fa40 100644
> --- a/sound/hda/hdac_i915.c
> +++ b/sound/hda/hdac_i915.c
> @@ -102,13 +102,13 @@ static int i915_component_master_match(struct device *dev, int subcomponent,
>         struct pci_dev *hdac_pci, *i915_pci;
>         struct hdac_bus *bus = data;
>
> -       if (!dev_is_pci(dev))
> +       if (!dev_is_pci(dev) || !bus)
>                 return 0;
>
>         hdac_pci = to_pci_dev(bus->dev);
>         i915_pci = to_pci_dev(dev);
>
> -       if (!strcmp(dev->driver->name, "i915") &&
> +       if (dev->driver && !strcmp(dev->driver->name, "i915") &&
>             subcomponent == I915_COMPONENT_AUDIO &&
>             connectivity_check(i915_pci, hdac_pci))
>                 return 1;
> --
> 2.35.1.1021.g381101b075-goog
>

Hi,

I am resending this patch to correct email accounts.
Sorry for confusion.

Thanks,
Won

[PATCH v2] sound/hda: Add NULL check to component match callback function

[Won Chung]

Component match callback function needs to check if expected data is
passed to it. Without this check, it can cause a NULL pointer
dereference when another driver registers a component before i915
drivers have their component master fully bind.

Fixes: 7b882fe3e3e8b ("ALSA: hda - handle multiple i915 device instances")
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Won Chung <wonchung@google.com>
---
- Add "Fixes" tag
- Send to stable@vger.kernel.org

 sound/hda/hdac_i915.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/hda/hdac_i915.c b/sound/hda/hdac_i915.c
index efe810af28c5..958b0975fa40 100644
--- a/sound/hda/hdac_i915.c
+++ b/sound/hda/hdac_i915.c
@@ -102,13 +102,13 @@ static int i915_component_master_match(struct device *dev, int subcomponent,
 	struct pci_dev *hdac_pci, *i915_pci;
 	struct hdac_bus *bus = data;
 
-	if (!dev_is_pci(dev))
+	if (!dev_is_pci(dev) || !bus)
 		return 0;
 
 	hdac_pci = to_pci_dev(bus->dev);
 	i915_pci = to_pci_dev(dev);
 
-	if (!strcmp(dev->driver->name, "i915") &&
+	if (dev->driver && !strcmp(dev->driver->name, "i915") &&
 	    subcomponent == I915_COMPONENT_AUDIO &&
 	    connectivity_check(i915_pci, hdac_pci))
 		return 1;
-- 
2.35.1.1021.g381101b075-goog