Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3926838imm;
        Mon, 8 Oct 2018 11:49:00 -0700 (PDT)
X-Google-Smtp-Source: ACcGV62ux3w7d/uN/ZLSbSo4u+Ppk+4ncz326SWPjRbiRZU/pPI6xxlH3FMQrSd05iA+VcQeVZ5/
X-Received: by 2002:a17:902:9b84:: with SMTP id y4-v6mr25472518plp.332.1539024540160;
        Mon, 08 Oct 2018 11:49:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539024540; cv=none;
        d=google.com; s=arc-20160816;
        b=QmjuaOVfWQpn5/1m2zRin3EITBd2exlnWAPcpNBl8LUjjSFdAYXQzaoRSrX+8UAnRf
         8/2uh+9rha1iyYKXyn5FbyWMwl6MvL0AEs8/5SI9WUXv/u3cuMGutTwu0GOv/28F5LVP
         wz2vIbDbx6tM2rLsHlnW/Wn2JYtVj8f2lmsedKT2JDGgig6U3I4Q2TWOeS0r5BtIdjJ6
         YUSe4f5d4VUJkZ+BH87Sz2Cf0EJHs2oetFffq7x9smgkkkaRqQgyBzu8G76q6eXofIbm
         w22MTE8uFBD5lJ/h8Y2Klza8ga3RmKty8/EIbvZUp9cwr8PTw4oQJZJNQ75mwSoTIRnT
         LrVg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=ZTrQyWnHuBzyy2ceIc3XCTlYZwyl0LqQQZPHKjdaBBc=;
        b=OD6rEES1WYsdJgSehPIUbvKp/7xswVF9aeeU/ceKvUbAaU5RjlQuKFkGNdQHj5p2WY
         QrrgYcCRWvnxrEIgGgHjn6sjhEyJXrYqr6Bv77XMsAUlTw5CjX2x+UWuQThftnUDytZ3
         2Fxze4UwQIzh0jF8ZVSmFSVNneTTYdzQ/Dh33nL8KoiROpQymWJgaPjkbQmiCiBoL2Zu
         qmY42JXWhXZGsmrROJeQv+4jMQnZiFrqRXQ6MMoWrLRBwVUzjxhv4XeZ3Wh4YIMGKTSy
         /Aha9hxa+6MxuSgCoJs067A6Xo2E//7FdAaIWCb2mXLYFQkzp0AIX/uUFxDSdYmiEQnB
         sOSA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=tB0LdfSX;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id r18-v6si17074246pgj.194.2018.10.08.11.48.45;
        Mon, 08 Oct 2018 11:49:00 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=tB0LdfSX;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731702AbeJICBn (ORCPT <rfc822;jandrusk@gmail.com> + 99 others);
        Mon, 8 Oct 2018 22:01:43 -0400
Received: from mail.kernel.org ([198.145.29.99]:50850 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726991AbeJICBn (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 8 Oct 2018 22:01:43 -0400
Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id BDF62204FD;
        Mon,  8 Oct 2018 18:48:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1539024516;
        bh=8pUKi1ECc84rTxYAC5+B35DRtth8UMwSYIhCCCZJ1mU=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=tB0LdfSXH4eMgoeDMH37/DT5EhIveK7PuZ4eh3y4kza1W2Qdn7YWjIVFHO0IG40QF
         qjiJFoZDLz6VFYy2qlgUKfr6mO7DYZ0SjP1ZRBd46zYU5MJyuFZjYwTSyuY0/79dQD
         Ns9z5PlqiRLoDKS49tOcVhZBPO+DQEwmfjxKMR70=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Vincent Whitchurch <vincent.whitchurch@axis.com>,
        Linus Walleij <linus.walleij@linaro.org>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.18 043/168] gpio: Fix crash due to registration race
Date:   Mon,  8 Oct 2018 20:30:23 +0200
Message-Id: <20181008175621.689365223@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
In-Reply-To: <20181008175620.043587728@linuxfoundation.org>
References: <20181008175620.043587728@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vincent Whitchurch <vincent.whitchurch@axis.com>

[ Upstream commit d49b48f088c323dbacae44dfbe56d9c985c8a2a1 ]

gpiochip_add_data_with_key() adds the gpiochip to the gpio_devices list
before of_gpiochip_add() is called, but it's only the latter which sets
the ->of_xlate function pointer.  gpiochip_find() can be called by
someone else between these two actions, and it can find the chip and
call of_gpiochip_match_node_and_xlate() which leads to the following
crash due to a NULL ->of_xlate().

 Unhandled prefetch abort: page domain fault (0x01b) at 0x00000000
 Modules linked in: leds_gpio(+) gpio_generic(+)
 CPU: 0 PID: 830 Comm: insmod Not tainted 4.18.0+ #43
 Hardware name: ARM-Versatile Express
 PC is at   (null)
 LR is at of_gpiochip_match_node_and_xlate+0x2c/0x38
 Process insmod (pid: 830, stack limit = 0x(ptrval))
  (of_gpiochip_match_node_and_xlate) from  (gpiochip_find+0x48/0x84)
  (gpiochip_find) from  (of_get_named_gpiod_flags+0xa8/0x238)
  (of_get_named_gpiod_flags) from  (gpiod_get_from_of_node+0x2c/0xc8)
  (gpiod_get_from_of_node) from  (devm_fwnode_get_index_gpiod_from_child+0xb8/0x144)
  (devm_fwnode_get_index_gpiod_from_child) from  (gpio_led_probe+0x208/0x3c4 [leds_gpio])
  (gpio_led_probe [leds_gpio]) from  (platform_drv_probe+0x48/0x9c)
  (platform_drv_probe) from  (really_probe+0x1d0/0x3d4)
  (really_probe) from  (driver_probe_device+0x78/0x1c0)
  (driver_probe_device) from  (__driver_attach+0x120/0x13c)
  (__driver_attach) from  (bus_for_each_dev+0x68/0xb4)
  (bus_for_each_dev) from  (bus_add_driver+0x1a8/0x268)
  (bus_add_driver) from  (driver_register+0x78/0x10c)
  (driver_register) from  (do_one_initcall+0x54/0x1fc)
  (do_one_initcall) from  (do_init_module+0x64/0x1f4)
  (do_init_module) from  (load_module+0x2198/0x26ac)
  (load_module) from  (sys_finit_module+0xe0/0x110)
  (sys_finit_module) from  (ret_fast_syscall+0x0/0x54)

One way to fix this would be to rework the hairy registration sequence
in gpiochip_add_data_with_key(), but since I'd probably introduce a
couple of new bugs if I attempted that, simply add a check for a
non-NULL of_xlate function pointer in
of_gpiochip_match_node_and_xlate().  This works since the driver looking
for the gpio will simply fail to find the gpio and defer its probe and
be reprobed when the driver which is registering the gpiochip has fully
completed its probe.

Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpio/gpiolib-of.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpio/gpiolib-of.c
+++ b/drivers/gpio/gpiolib-of.c
@@ -31,6 +31,7 @@ static int of_gpiochip_match_node_and_xl
 	struct of_phandle_args *gpiospec = data;
 
 	return chip->gpiodev->dev.of_node == gpiospec->np &&
+				chip->of_xlate &&
 				chip->of_xlate(chip, gpiospec, NULL) >= 0;
 }