[PATCH 2/4] phy: qcom: qmp-usbc: Fix possible NULL-deref on early runtime suspend

[Konrad Dybcio]

On 1/8/26 4:49 PM, Loic Poulain wrote:
> There is a small window where the runtime suspend callback may run
> after pm_runtime_enable() and before pm_runtime_forbid(). In this
> case, a crash occurs because runtime suspend/resume dereferences
> qmp->phy pointer, which is not yet initialized:
>     `if (!qmp->phy->init_count) {`
> 
> Use qmp->usb_init_count instead of qmp->phy->init_count to avoid
> depending on the possibly uninitialized phy pointer.
> 
> Also reorder pm_runtime_enable() and pm_runtime_forbid() to prevent
> the window where an unnecessary runtime suspend can occur.
> 
> Fixes: 19281571a4d5 ("phy: qcom: qmp-usb: split USB-C PHY driver")
> Signed-off-by: Loic Poulain <loic.poulain at oss.qualcomm.com>
> ---
>  drivers/phy/qualcomm/phy-qcom-qmp-usbc.c | 14 +++++++-------
>  1 file changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usbc.c b/drivers/phy/qualcomm/phy-qcom-qmp-usbc.c
> index 5e7fcb26744a..05717ca85c5b 100644
> --- a/drivers/phy/qualcomm/phy-qcom-qmp-usbc.c
> +++ b/drivers/phy/qualcomm/phy-qcom-qmp-usbc.c
> @@ -690,7 +690,7 @@ static int __maybe_unused qmp_usbc_runtime_suspend(struct device *dev)
>  
>  	dev_vdbg(dev, "Suspending QMP phy, mode:%d\n", qmp->mode);
>  
> -	if (!qmp->phy->init_count) {
> +	if (!qmp->usb_init_count) {
>  		dev_vdbg(dev, "PHY not initialized, bailing out\n");

FWIW this effectively says "if in DP mode, the PHY can't runtime suspend"
which I'm not sure is what should happen.

In USB3 mode, there's definitely a register in PCS_USB to put it into
"autonomous mode", where I believe all the hw does it listen for link
sleep (U3 in USB3 spec) exit requests

In DP, I suppose we can't just yank the power until the controller
decides to suspend the link, at which point we just power off the PHY..
would that be right, Dmitry?

Konrad