From: Alice Chao alice.chao@mediatek.com
[ Upstream commit 5863638598f5e4f64d2f85b03f376383ca1f2ab7 ]
Add a NULL check before accessing the 'vccqx' pointer to prevent invalid memory access. This ensures that the function safely handles cases where 'vccq' and 'vccq2' are not initialized, improving the robustness of the power management code.
Signed-off-by: Alice Chao alice.chao@mediatek.com Reviewed-by: Peter Wang peter.wang@mediatek.com Signed-off-by: Peter Wang peter.wang@mediatek.com Link: https://lore.kernel.org/r/20250811131423.3444014-11-peter.wang@mediatek.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
YES
Rationale - The patch adds a defensive NULL guard in `ufs_mtk_vccqx_set_lpm()` so it immediately returns if both `vccq` and `vccq2` are absent. This prevents a NULL dereference on `vccqx->reg` when neither rail is defined in DT or has been released earlier. - Specifically, the change adds: `if (!hba->vreg_info.vccq && !hba->vreg_info.vccq2) return;` before dereferencing `vccqx` in `drivers/ufs/host/ufs-mediatek.c:1506`. - Without this guard, the function selects `vccqx` from `hba->vreg_info.vccq` or `...vccq2` and unconditionally does `regulator_set_mode(vccqx->reg, ...)` (drivers/ufs/host/ufs- mediatek.c:1515), which is unsafe if both are NULL. - The UFS core explicitly allows these supplies to be optional, meaning NULL is a valid state when a supply is not provided in DT: parsing populates `vccq`/`vccq2` optionally (drivers/ufs/host/ufshcd- pltfrm.c:168). - The Mediatek driver also clears the pointer to NULL when it deliberately disables a VCCQx rail (e.g., after freeing the vreg in `ufs_mtk_vreg_fix_vccqx()`, drivers/ufs/host/ufs-mediatek.c:1072). That makes the calleeās NULL-robustness important.
Why this matters despite caller checks - Today, `ufs_mtk_dev_vreg_set_lpm()` computes `skip_vccqx` and only calls `ufs_mtk_vccqx_set_lpm()` when appropriate (drivers/ufs/host/ufs-mediatek.c:1537, 1555, 1560). However, this is a single call site and relies on all future call paths being equally careful. - The new guard makes `ufs_mtk_vccqx_set_lpm()` itself robust, eliminating a class of NULL deref crashes if it is ever called without prior checks, or if future refactors change the call sites.
Stable backport criteria - Bug fix that prevents kernel NULL deref (user-visible reliability issue). - Change is minimal, localized, and has no architectural impact. - No functional side effects when supplies exist; when both are absent, early return is the correct behavior (nothing to configure). - Touches a specific host driver (MediaTek UFS), keeping risk of regression low and scope confined.
Conclusion - This is a safe, targeted fix to avoid invalid memory access in a power management path. It improves robustness with negligible risk and should be backported to stable.
drivers/ufs/host/ufs-mediatek.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/ufs/host/ufs-mediatek.c b/drivers/ufs/host/ufs-mediatek.c index 82160da8ec71b..bb0be6bed1bca 100644 --- a/drivers/ufs/host/ufs-mediatek.c +++ b/drivers/ufs/host/ufs-mediatek.c @@ -1589,6 +1589,9 @@ static void ufs_mtk_vccqx_set_lpm(struct ufs_hba *hba, bool lpm) { struct ufs_vreg *vccqx = NULL;
+ if (!hba->vreg_info.vccq && !hba->vreg_info.vccq2) + return; + if (hba->vreg_info.vccq) vccqx = hba->vreg_info.vccq; else