
[v2,3/3] pinctrl: renesas: rza2: Add lock around pinctrl_generic{{add,remove}_group,{add,remove}_function}

Message ID 20230815075602.10473-4-biju.das.jz@bp.renesas.com
State New
Series Fix NULL pointer dereference in RZ/{G2L,V2M,A2} pinctrl driver | expand

Commit Message

Biju Das Aug. 15, 2023, 7:56 a.m. UTC
The pinctrl group and function creation/removal calls expect the
caller to take care of locking. Add a lock around these functions.

Fixes: b59d0e782706 ("pinctrl: Add RZ/A2 pin and gpio controller")
Cc: stable@kernel.org
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
---
v1->v2:
 * No change.
---
 drivers/pinctrl/renesas/pinctrl-rza2.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

Comments

Geert Uytterhoeven Aug. 15, 2023, 8:17 a.m. UTC | #1
Hi Biju,

On Tue, Aug 15, 2023 at 9:56 AM Biju Das <biju.das.jz@bp.renesas.com> wrote:
> The pinctrl group and function creation/remove calls expect
> caller to take care of locking. Add lock around these functions.
>
> Fixes: b59d0e782706 ("pinctrl: Add RZ/A2 pin and gpio controller")
> Cc: stable@kernel.org
> Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
> ---
> v1->v2:
>  * No change.

Thanks for your patch!

> --- a/drivers/pinctrl/renesas/pinctrl-rza2.c
> +++ b/drivers/pinctrl/renesas/pinctrl-rza2.c

> @@ -359,10 +361,13 @@ static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev,
>                 psel_val[i] = MUX_FUNC(value);
>         }
>
> +       mutex_lock(&priv->mutex);
>         /* Register a single pin group listing all the pins we read from DT */
>         gsel = pinctrl_generic_add_group(pctldev, np->name, pins, npins, NULL);
> -       if (gsel < 0)
> +       if (gsel < 0) {
> +               mutex_unlock(&priv->mutex);
>                 return gsel;

Please do not mix "cleanup + return" and "goto cleanup" style in the same
function.  I.e. goto new label below.

> +       }
>
>         /*
>          * Register a single group function where the 'data' is an array PSEL

> @@ -398,6 +404,7 @@ static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev,
>
>  remove_group:
>         pinctrl_generic_remove_group(pctldev, gsel);

^^ new label here.

> +       mutex_unlock(&priv->mutex);
>
>         dev_err(priv->dev, "Unable to parse DT node %s\n", np->name);
>

The rest LGTM (unless I'm missing something critical in the real root
cause of the issue?).

Gr{oetje,eeting}s,

                        Geert
Biju Das Aug. 15, 2023, 8:31 a.m. UTC | #2
Hi Geert,

Thanks for the feedback.

> Subject: Re: [PATCH v2 3/3] pinctrl: renesas: rza2: Add lock around
> pinctrl_generic{{add,remove}_group,{add,remove}_function}
> 
> Hi Biju,
> 
> On Tue, Aug 15, 2023 at 9:56 AM Biju Das <biju.das.jz@bp.renesas.com>
> wrote:
> > The pinctrl group and function creation/remove calls expect caller to
> > take care of locking. Add lock around these functions.
> >
> > Fixes: b59d0e782706 ("pinctrl: Add RZ/A2 pin and gpio controller")
> > Cc: stable@kernel.org
> > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
> > ---
> > v1->v2:
> >  * No change.
> 
> Thanks for your patch!
> 
> > --- a/drivers/pinctrl/renesas/pinctrl-rza2.c
> > +++ b/drivers/pinctrl/renesas/pinctrl-rza2.c
> 
> > @@ -359,10 +361,13 @@ static int rza2_dt_node_to_map(struct pinctrl_dev
> *pctldev,
> >                 psel_val[i] = MUX_FUNC(value);
> >         }
> >
> > +       mutex_lock(&priv->mutex);
> >         /* Register a single pin group listing all the pins we read from
> DT */
> >         gsel = pinctrl_generic_add_group(pctldev, np->name, pins, npins,
> NULL);
> > -       if (gsel < 0)
> > +       if (gsel < 0) {
> > +               mutex_unlock(&priv->mutex);
> >                 return gsel;
> 
> Please do not mix "cleanup + return" and "goto cleanup" style in the same
> function.  I.e. goto new label below.

OK.

> 
> > +       }
> >
> >         /*
> >          * Register a single group function where the 'data' is an
> > array PSEL
> 
> > @@ -398,6 +404,7 @@ static int rza2_dt_node_to_map(struct pinctrl_dev
> > *pctldev,
> >
> >  remove_group:
> >         pinctrl_generic_remove_group(pctldev, gsel);
> 
> ^^ new label here.
OK.

> 
> > +       mutex_unlock(&priv->mutex);
> >
> >         dev_err(priv->dev, "Unable to parse DT node %s\n", np->name);
> >
> 
> The rest LGTM (unless I'm missing something critical in the real root
> cause of the issue?).

The root cause is a race condition on pctldev->num_groups here, and
radix_tree_insert then adds an entry with the wrong group and selector.

https://elixir.bootlin.com/linux/latest/source/drivers/pinctrl/core.c#L656

function 0: usb0, groups = [ usb0 ]
....
.....
function 9: spi1, groups = [ spi1 ]
function (null): COULD NOT GET GROUPS

Cheers,
Biju

Patch

diff --git a/drivers/pinctrl/renesas/pinctrl-rza2.c b/drivers/pinctrl/renesas/pinctrl-rza2.c
index 0b454a31c4bd..afb595a6eb9e 100644
--- a/drivers/pinctrl/renesas/pinctrl-rza2.c
+++ b/drivers/pinctrl/renesas/pinctrl-rza2.c
@@ -14,6 +14,7 @@ 
 #include <linux/gpio/driver.h>
 #include <linux/io.h>
 #include <linux/module.h>
+#include <linux/mutex.h>
 #include <linux/of.h>
 #include <linux/pinctrl/pinmux.h>
 #include <linux/platform_device.h>
@@ -47,6 +48,7 @@  struct rza2_pinctrl_priv {
 	struct pinctrl_dev *pctl;
 	struct pinctrl_gpio_range gpio_range;
 	int npins;
+	struct mutex mutex; /* serialize adding groups and functions */
 };
 
 #define RZA2_PDR(port)		(0x0000 + (port) * 2)	/* Direction 16-bit */
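Review bot: The field comment on `struct mutex mutex` under-describes what the lock covers: it mentions only adding, but the `remove_group` error path in rza2_dt_node_to_map also runs `pinctrl_generic_remove_group()` before the new `mutex_unlock()`. A comment such as `/* serialize adding/removing groups and functions */` would match the commit title and tell the next reader that the removal helpers must be called with the lock held. It would also help to name the state being protected (the group and function lists of the pinctrl device), since the mutex lives in the driver's private struct rather than next to that state.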
@@ -359,10 +361,13 @@  static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev,
 		psel_val[i] = MUX_FUNC(value);
 	}
 
+	mutex_lock(&priv->mutex);
 	/* Register a single pin group listing all the pins we read from DT */
 	gsel = pinctrl_generic_add_group(pctldev, np->name, pins, npins, NULL);
-	if (gsel < 0)
+	if (gsel < 0) {
+		mutex_unlock(&priv->mutex);
 		return gsel;
+	}
 
 	/*
 	 * Register a single group function where the 'data' is an array PSEL
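Review bot: The `mutex_lock(&priv->mutex)` added here serializes only concurrent callers of rza2_dt_node_to_map; nothing in this patch shows other paths that read or walk the group and function lists taking the same lock. If those paths rely on a different lock (presumably one owned by the pinctrl core — not visible here), a lookup could still run while an entry is being added or removed, so the commit message should say which lock readers hold and why a driver-private mutex is enough to close the race. A short comment above the lock, for example `/* pinctrl_generic_*() and pinmux_generic_*() helpers expect the caller to serialize */`, would record that contract at the call site. The function body starts and ends outside this hunk.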
@@ -390,6 +395,7 @@  static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev,
 	(*map)->data.mux.group = np->name;
 	(*map)->data.mux.function = np->name;
 	*num_maps = 1;
+	mutex_unlock(&priv->mutex);
 
 	return 0;
 
@@ -398,6 +404,7 @@  static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev,
 
 remove_group:
 	pinctrl_generic_remove_group(pctldev, gsel);
+	mutex_unlock(&priv->mutex);
 
 	dev_err(priv->dev, "Unable to parse DT node %s\n", np->name);
 
@@ -474,6 +481,8 @@  static int rza2_pinctrl_probe(struct platform_device *pdev)
 	if (IS_ERR(priv->base))
 		return PTR_ERR(priv->base);
 
+	mutex_init(&priv->mutex);
+
 	platform_set_drvdata(pdev, priv);
 
 	priv->npins = (int)(uintptr_t)of_device_get_match_data(&pdev->dev) *