Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3926838imm; Mon, 8 Oct 2018 11:49:00 -0700 (PDT) X-Google-Smtp-Source: ACcGV62ux3w7d/uN/ZLSbSo4u+Ppk+4ncz326SWPjRbiRZU/pPI6xxlH3FMQrSd05iA+VcQeVZ5/ X-Received: by 2002:a17:902:9b84:: with SMTP id y4-v6mr25472518plp.332.1539024540160; Mon, 08 Oct 2018 11:49:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539024540; cv=none; d=google.com; s=arc-20160816; b=QmjuaOVfWQpn5/1m2zRin3EITBd2exlnWAPcpNBl8LUjjSFdAYXQzaoRSrX+8UAnRf 8/2uh+9rha1iyYKXyn5FbyWMwl6MvL0AEs8/5SI9WUXv/u3cuMGutTwu0GOv/28F5LVP wz2vIbDbx6tM2rLsHlnW/Wn2JYtVj8f2lmsedKT2JDGgig6U3I4Q2TWOeS0r5BtIdjJ6 YUSe4f5d4VUJkZ+BH87Sz2Cf0EJHs2oetFffq7x9smgkkkaRqQgyBzu8G76q6eXofIbm w22MTE8uFBD5lJ/h8Y2Klza8ga3RmKty8/EIbvZUp9cwr8PTw4oQJZJNQ75mwSoTIRnT LrVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ZTrQyWnHuBzyy2ceIc3XCTlYZwyl0LqQQZPHKjdaBBc=; b=OD6rEES1WYsdJgSehPIUbvKp/7xswVF9aeeU/ceKvUbAaU5RjlQuKFkGNdQHj5p2WY QrrgYcCRWvnxrEIgGgHjn6sjhEyJXrYqr6Bv77XMsAUlTw5CjX2x+UWuQThftnUDytZ3 2Fxze4UwQIzh0jF8ZVSmFSVNneTTYdzQ/Dh33nL8KoiROpQymWJgaPjkbQmiCiBoL2Zu qmY42JXWhXZGsmrROJeQv+4jMQnZiFrqRXQ6MMoWrLRBwVUzjxhv4XeZ3Wh4YIMGKTSy /Aha9hxa+6MxuSgCoJs067A6Xo2E//7FdAaIWCb2mXLYFQkzp0AIX/uUFxDSdYmiEQnB sOSA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=tB0LdfSX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r18-v6si17074246pgj.194.2018.10.08.11.48.45; Mon, 08 Oct 2018 11:49:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=tB0LdfSX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731702AbeJICBn (ORCPT + 99 others); Mon, 8 Oct 2018 22:01:43 -0400 Received: from mail.kernel.org ([198.145.29.99]:50850 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726991AbeJICBn (ORCPT ); Mon, 8 Oct 2018 22:01:43 -0400 Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BDF62204FD; Mon, 8 Oct 2018 18:48:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1539024516; bh=8pUKi1ECc84rTxYAC5+B35DRtth8UMwSYIhCCCZJ1mU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tB0LdfSXH4eMgoeDMH37/DT5EhIveK7PuZ4eh3y4kza1W2Qdn7YWjIVFHO0IG40QF qjiJFoZDLz6VFYy2qlgUKfr6mO7DYZ0SjP1ZRBd46zYU5MJyuFZjYwTSyuY0/79dQD Ns9z5PlqiRLoDKS49tOcVhZBPO+DQEwmfjxKMR70= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Vincent Whitchurch , Linus Walleij , Sasha Levin Subject: [PATCH 4.18 043/168] gpio: Fix crash due to registration race Date: Mon, 8 Oct 2018 20:30:23 +0200 Message-Id: <20181008175621.689365223@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20181008175620.043587728@linuxfoundation.org> References: <20181008175620.043587728@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Vincent Whitchurch [ Upstream commit d49b48f088c323dbacae44dfbe56d9c985c8a2a1 ] gpiochip_add_data_with_key() adds the gpiochip to the gpio_devices list before of_gpiochip_add() is called, but it's only the latter which sets the ->of_xlate function pointer. gpiochip_find() can be called by someone else between these two actions, and it can find the chip and call of_gpiochip_match_node_and_xlate() which leads to the following crash due to a NULL ->of_xlate(). Unhandled prefetch abort: page domain fault (0x01b) at 0x00000000 Modules linked in: leds_gpio(+) gpio_generic(+) CPU: 0 PID: 830 Comm: insmod Not tainted 4.18.0+ #43 Hardware name: ARM-Versatile Express PC is at (null) LR is at of_gpiochip_match_node_and_xlate+0x2c/0x38 Process insmod (pid: 830, stack limit = 0x(ptrval)) (of_gpiochip_match_node_and_xlate) from (gpiochip_find+0x48/0x84) (gpiochip_find) from (of_get_named_gpiod_flags+0xa8/0x238) (of_get_named_gpiod_flags) from (gpiod_get_from_of_node+0x2c/0xc8) (gpiod_get_from_of_node) from (devm_fwnode_get_index_gpiod_from_child+0xb8/0x144) (devm_fwnode_get_index_gpiod_from_child) from (gpio_led_probe+0x208/0x3c4 [leds_gpio]) (gpio_led_probe [leds_gpio]) from (platform_drv_probe+0x48/0x9c) (platform_drv_probe) from (really_probe+0x1d0/0x3d4) (really_probe) from (driver_probe_device+0x78/0x1c0) (driver_probe_device) from (__driver_attach+0x120/0x13c) (__driver_attach) from (bus_for_each_dev+0x68/0xb4) (bus_for_each_dev) from (bus_add_driver+0x1a8/0x268) (bus_add_driver) from (driver_register+0x78/0x10c) (driver_register) from (do_one_initcall+0x54/0x1fc) (do_one_initcall) from (do_init_module+0x64/0x1f4) (do_init_module) from (load_module+0x2198/0x26ac) (load_module) from (sys_finit_module+0xe0/0x110) (sys_finit_module) from (ret_fast_syscall+0x0/0x54) One way to fix this would be to rework the hairy registration sequence in gpiochip_add_data_with_key(), but since I'd probably introduce a couple of new bugs if I attempted that, simply add a check for a non-NULL of_xlate function pointer in of_gpiochip_match_node_and_xlate(). This works since the driver looking for the gpio will simply fail to find the gpio and defer its probe and be reprobed when the driver which is registering the gpiochip has fully completed its probe. Signed-off-by: Vincent Whitchurch Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/gpio/gpiolib-of.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/gpio/gpiolib-of.c +++ b/drivers/gpio/gpiolib-of.c @@ -31,6 +31,7 @@ static int of_gpiochip_match_node_and_xl struct of_phandle_args *gpiospec = data; return chip->gpiodev->dev.of_node == gpiospec->np && + chip->of_xlate && chip->of_xlate(chip, gpiospec, NULL) >= 0; }