| Message ID | 20230815075602.10473-4-biju.das.jz@bp.renesas.com |
|---|---|
| State | New |
| Headers | show |
| Series | Fix NULL pointer dereference in RZ/{G2L,V2M,A2} pinctrl driver | expand |
Hi Biju, On Tue, Aug 15, 2023 at 9:56 AM Biju Das <biju.das.jz@bp.renesas.com> wrote: > The pinctrl group and function creation/remove calls expect > caller to take care of locking. Add lock around these functions. > > Fixes: b59d0e782706 ("pinctrl: Add RZ/A2 pin and gpio controller") > Cc: stable@kernel.org > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> > --- > v1->v2: > * No change. Thanks for your patch! > --- a/drivers/pinctrl/renesas/pinctrl-rza2.c > +++ b/drivers/pinctrl/renesas/pinctrl-rza2.c > @@ -359,10 +361,13 @@ static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev, > psel_val[i] = MUX_FUNC(value); > } > > + mutex_lock(&priv->mutex); > /* Register a single pin group listing all the pins we read from DT */ > gsel = pinctrl_generic_add_group(pctldev, np->name, pins, npins, NULL); > - if (gsel < 0) > + if (gsel < 0) { > + mutex_unlock(&priv->mutex); > return gsel; Please do not mix "cleanup + return" and "goto cleanup" style in the same function. I.e. goto new label below. > + } > > /* > * Register a single group function where the 'data' is an array PSEL > @@ -398,6 +404,7 @@ static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev, > > remove_group: > pinctrl_generic_remove_group(pctldev, gsel); ^^ new label here. > + mutex_unlock(&priv->mutex); > > dev_err(priv->dev, "Unable to parse DT node %s\n", np->name); > The rest LGTM (unless I'm missing something critical in the real root cause of the issue?). Gr{oetje,eeting}s, Geert
Hi Geert, Thanks for the feedback. > Subject: Re: [PATCH v2 3/3] pinctrl: renesas: rza2: Add lock around > pinctrl_generic{{add,remove}_group,{add,remove}_function} > > Hi Biju, > > On Tue, Aug 15, 2023 at 9:56 AM Biju Das <biju.das.jz@bp.renesas.com> > wrote: > > The pinctrl group and function creation/remove calls expect caller to > > take care of locking. Add lock around these functions. > > > > Fixes: b59d0e782706 ("pinctrl: Add RZ/A2 pin and gpio controller") > > Cc: stable@kernel.org > > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> > > --- > > v1->v2: > > * No change. > > Thanks for your patch! > > > --- a/drivers/pinctrl/renesas/pinctrl-rza2.c > > +++ b/drivers/pinctrl/renesas/pinctrl-rza2.c > > > @@ -359,10 +361,13 @@ static int rza2_dt_node_to_map(struct pinctrl_dev > *pctldev, > > psel_val[i] = MUX_FUNC(value); > > } > > > > + mutex_lock(&priv->mutex); > > /* Register a single pin group listing all the pins we read from > DT */ > > gsel = pinctrl_generic_add_group(pctldev, np->name, pins, npins, > NULL); > > - if (gsel < 0) > > + if (gsel < 0) { > > + mutex_unlock(&priv->mutex); > > return gsel; > > Please do not mix "cleanup + return" and "goto cleanup" style in the same > function. I.e. goto new label below. OK. > > > + } > > > > /* > > * Register a single group function where the 'data' is an > > array PSEL > > > @@ -398,6 +404,7 @@ static int rza2_dt_node_to_map(struct pinctrl_dev > > *pctldev, > > > > remove_group: > > pinctrl_generic_remove_group(pctldev, gsel); > > ^^ new label here. OK. > > > + mutex_unlock(&priv->mutex); > > > > dev_err(priv->dev, "Unable to parse DT node %s\n", np->name); > > > > The rest LGTM (unless I'm missing something critical in the real root > cause of the issue?). The root cause is race condition here in pctldev->num_groups and radix_tree_insert adds with wrong group and selector entry. https://elixir.bootlin.com/linux/latest/source/drivers/pinctrl/core.c#L656 function 0: usb0, groups = [ usb0 ] .... ..... function 9: spi1, groups = [ spi1 ] function (null): COULD NOT GET GROUPS Cheers, Biju
diff --git a/drivers/pinctrl/renesas/pinctrl-rza2.c b/drivers/pinctrl/renesas/pinctrl-rza2.c index 0b454a31c4bd..afb595a6eb9e 100644 --- a/drivers/pinctrl/renesas/pinctrl-rza2.c +++ b/drivers/pinctrl/renesas/pinctrl-rza2.c @@ -14,6 +14,7 @@ #include <linux/gpio/driver.h> #include <linux/io.h> #include <linux/module.h> +#include <linux/mutex.h> #include <linux/of.h> #include <linux/pinctrl/pinmux.h> #include <linux/platform_device.h> @@ -47,6 +48,7 @@ struct rza2_pinctrl_priv { struct pinctrl_dev *pctl; struct pinctrl_gpio_range gpio_range; int npins; + struct mutex mutex; /* serialize adding groups and functions */ }; #define RZA2_PDR(port) (0x0000 + (port) * 2) /* Direction 16-bit */ @@ -359,10 +361,13 @@ static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev, psel_val[i] = MUX_FUNC(value); } + mutex_lock(&priv->mutex); /* Register a single pin group listing all the pins we read from DT */ gsel = pinctrl_generic_add_group(pctldev, np->name, pins, npins, NULL); - if (gsel < 0) + if (gsel < 0) { + mutex_unlock(&priv->mutex); return gsel; + } /* * Register a single group function where the 'data' is an array PSEL @@ -390,6 +395,7 @@ static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev, (*map)->data.mux.group = np->name; (*map)->data.mux.function = np->name; *num_maps = 1; + mutex_unlock(&priv->mutex); return 0; @@ -398,6 +404,7 @@ static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev, remove_group: pinctrl_generic_remove_group(pctldev, gsel); + mutex_unlock(&priv->mutex); dev_err(priv->dev, "Unable to parse DT node %s\n", np->name); @@ -474,6 +481,8 @@ static int rza2_pinctrl_probe(struct platform_device *pdev) if (IS_ERR(priv->base)) return PTR_ERR(priv->base); + mutex_init(&priv->mutex); + platform_set_drvdata(pdev, priv); priv->npins = (int)(uintptr_t)of_device_get_match_data(&pdev->dev) *
The pinctrl group and function creation/remove calls expect caller to take care of locking. Add lock around these functions. Fixes: b59d0e782706 ("pinctrl: Add RZ/A2 pin and gpio controller") Cc: stable@kernel.org Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> --- v1->v2: * No change. --- drivers/pinctrl/renesas/pinctrl-rza2.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)