[PATCH] opp: Invalidate current opp when draining the opp list

[Beata Michalska]

The current_opp when set, grabs additional reference on the opp,
which is then supposed to be dropped upon releasing the opp table.
Still both dev_pm_opp_remove_table and dev_pm_opp_remove_all_dynamic
will completely drain the OPPs list, including dropping the additional
reference on current_opp. This may lead to an attempt to access
memory that has already been released. Make sure that while draining
the list (in both dynamic and static cases) the current_opp gets
actually invalidated.

Fixes: 81c4d8a3c414 ("opp: Keep track of currently programmed OPP")

Signed-off-by: Beata Michalska <beata.michalska@xxxxxxx>
---
 drivers/opp/core.c | 49 ++++++++++++++++++++++++++++++++-----------------
 1 file changed, 32 insertions(+), 17 deletions(-)

diff --git a/drivers/opp/core.c b/drivers/opp/core.c
index c268938..10e65c4 100644
--- a/drivers/opp/core.c
+++ b/drivers/opp/core.c
@@ -1502,10 +1502,39 @@ static struct dev_pm_opp *_opp_get_next(struct opp_table *opp_table,
 	return opp;
 }
 
-bool _opp_remove_all_static(struct opp_table *opp_table)
+static int __opp_drain_list(struct opp_table *opp_table, bool dynamic)
 {
 	struct dev_pm_opp *opp;
+	int count = 0;
+
+	/*
+	 * Can't remove the OPP from under the lock, debugfs removal needs to
+	 * happen lock less to avoid circular dependency issues.
+	 */
+	while ((opp = _opp_get_next(opp_table, dynamic))) {
+		/*
+		 * The current_opp has extra hold on the ref count,
+		 * still the draining here will result in all of them
+		 * being dropped completely, so make
+		 * sure no one will try to access the current_opp
+		 * afterwords
+		 */
+		if (opp_table->current_opp == opp &&
+		    !(kref_read(&opp->kref) - 1))
+			opp_table->current_opp = NULL;
+
+		dev_pm_opp_put(opp);
+		/*
+		 * Note: the count here will reflect number of references
+		 * dropped, not the number of opps in the list
+		 */
+		++count;
+	}
+	return count;
+}
 
+bool _opp_remove_all_static(struct opp_table *opp_table)
+{
 	mutex_lock(&opp_table->lock);
 
 	if (!opp_table->parsed_static_opps) {
@@ -1520,13 +1549,7 @@ bool _opp_remove_all_static(struct opp_table *opp_table)
 
 	mutex_unlock(&opp_table->lock);
 
-	/*
-	 * Can't remove the OPP from under the lock, debugfs removal needs to
-	 * happen lock less to avoid circular dependency issues.
-	 */
-	while ((opp = _opp_get_next(opp_table, false)))
-		dev_pm_opp_put(opp);
-
+	__opp_drain_list(opp_table, false);
 	return true;
 }
 
@@ -1539,21 +1562,13 @@ bool _opp_remove_all_static(struct opp_table *opp_table)
 void dev_pm_opp_remove_all_dynamic(struct device *dev)
 {
 	struct opp_table *opp_table;
-	struct dev_pm_opp *opp;
 	int count = 0;
 
 	opp_table = _find_opp_table(dev);
 	if (IS_ERR(opp_table))
 		return;
 
-	/*
-	 * Can't remove the OPP from under the lock, debugfs removal needs to
-	 * happen lock less to avoid circular dependency issues.
-	 */
-	while ((opp = _opp_get_next(opp_table, true))) {
-		dev_pm_opp_put(opp);
-		count++;
-	}
+	count = __opp_drain_list(opp_table, true);
 
 	/* Drop the references taken by dev_pm_opp_add() */
 	while (count--)
-- 
2.7.4