Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3948423imm;
        Mon, 8 Oct 2018 12:09:01 -0700 (PDT)
X-Google-Smtp-Source: ACcGV61I6J9Eyogwy1JECaRmXAiFTvTu2/uo3FHSRN2wapVP673RgXYvZW5UP9Ffuw4XVexmM0Hi
X-Received: by 2002:a17:902:bcc2:: with SMTP id o2-v6mr25570178pls.22.1539025741801;
        Mon, 08 Oct 2018 12:09:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539025741; cv=none;
        d=google.com; s=arc-20160816;
        b=utmELrzgzCZsDepWwmvq1R1KhKW752O/2Tf2/eYUI/yKNyMi4gpJKaFtLjYXyFa5Pf
         y5wDc1aZyhNWeqsUq5763lXmamkQBw0ymF8MGZkkzlgmEKD/uxOFYfHJMcKd93NedH80
         B1+JpOlh+zUhFxuKYyxfIymCZezOCmgdte2TcBKDI//k89sqLJc8MvN6UFufRRBHF9sZ
         8gbcTJpbF6P3GM0c13YzH0+3kX/8LNFZMU2D1foqiZkIZ+SrKzKhIrHFFOMB3Bwa4MQv
         1+fN893W+1otCgoYPTi7vrd7MzC954JfKWXdJ8KMimY8gDZ9+kbnGfJbK4JX3VJHu0Jd
         6V4A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=Hd8I6NABBbj5JWC1i1lp1DCWETNyFFJd2AkSlxOHt7A=;
        b=irHiC204GYjpoINY8wgbV+LsDjchIwDFiTjXSzP9IRyLEwlq8aKvJCHe/5x9mH2MCK
         sZUOqZf+PBJ7IlxLb3rtapbpQ36EzVh1SGU/XTql29A09tp3EvrHsMbFWwJYTMAbEPXx
         k7OFIoOxJGiWQxk9OYYLyUohlBYCkKru3RIir4Ha2ytoe+AMgU+0BNtxepfS/Hoprz1c
         5bQXC7c1nC2PxLrX2ktCl5WC4HSyI73hH8VQDIB0bxe9rq9CYSzRymps1ZwzvvfelZ3j
         u7jDak15u69yGd1bo4QDqT1+yUy4MNFe/yJa5IwbqTlc85IBMohsgWD/g5YzHUy8dpR4
         jeSg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="RNbgL/Z0";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z10-v6si14804278pgv.487.2018.10.08.12.08.46;
        Mon, 08 Oct 2018 12:09:01 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="RNbgL/Z0";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730101AbeJIBy6 (ORCPT <rfc822;jandrusk@gmail.com> + 99 others);
        Mon, 8 Oct 2018 21:54:58 -0400
Received: from mail.kernel.org ([198.145.29.99]:42494 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1729388AbeJIBy6 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 8 Oct 2018 21:54:58 -0400
Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 78F2121479;
        Mon,  8 Oct 2018 18:41:52 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1539024113;
        bh=Qab+PAM/0dm6uH3gkHC7+DUQEFJIeRLUon07ofbF/ac=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=RNbgL/Z0H6utPNRm3jH9QgxEHnDrCdDsj7r4jLjgb2v2rtJh/0SiDEWKqAdytjYQ3
         HVgxSD8tYA3tm6atEDwNJlcE7UG0iay0oY+StjHok5qG3sra1xYdAL6cRJV2DRznvN
         db4ZBM4Ap/aglwaGCptvQx3Bp3M6r5G6xx87l5J4=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Vincent Whitchurch <vincent.whitchurch@axis.com>,
        Linus Walleij <linus.walleij@linaro.org>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.14 24/94] gpio: Fix crash due to registration race
Date:   Mon,  8 Oct 2018 20:31:05 +0200
Message-Id: <20181008175606.184668294@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
In-Reply-To: <20181008175605.067676667@linuxfoundation.org>
References: <20181008175605.067676667@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vincent Whitchurch <vincent.whitchurch@axis.com>

[ Upstream commit d49b48f088c323dbacae44dfbe56d9c985c8a2a1 ]

gpiochip_add_data_with_key() adds the gpiochip to the gpio_devices list
before of_gpiochip_add() is called, but it's only the latter which sets
the ->of_xlate function pointer.  gpiochip_find() can be called by
someone else between these two actions, and it can find the chip and
call of_gpiochip_match_node_and_xlate() which leads to the following
crash due to a NULL ->of_xlate().

 Unhandled prefetch abort: page domain fault (0x01b) at 0x00000000
 Modules linked in: leds_gpio(+) gpio_generic(+)
 CPU: 0 PID: 830 Comm: insmod Not tainted 4.18.0+ #43
 Hardware name: ARM-Versatile Express
 PC is at   (null)
 LR is at of_gpiochip_match_node_and_xlate+0x2c/0x38
 Process insmod (pid: 830, stack limit = 0x(ptrval))
  (of_gpiochip_match_node_and_xlate) from  (gpiochip_find+0x48/0x84)
  (gpiochip_find) from  (of_get_named_gpiod_flags+0xa8/0x238)
  (of_get_named_gpiod_flags) from  (gpiod_get_from_of_node+0x2c/0xc8)
  (gpiod_get_from_of_node) from  (devm_fwnode_get_index_gpiod_from_child+0xb8/0x144)
  (devm_fwnode_get_index_gpiod_from_child) from  (gpio_led_probe+0x208/0x3c4 [leds_gpio])
  (gpio_led_probe [leds_gpio]) from  (platform_drv_probe+0x48/0x9c)
  (platform_drv_probe) from  (really_probe+0x1d0/0x3d4)
  (really_probe) from  (driver_probe_device+0x78/0x1c0)
  (driver_probe_device) from  (__driver_attach+0x120/0x13c)
  (__driver_attach) from  (bus_for_each_dev+0x68/0xb4)
  (bus_for_each_dev) from  (bus_add_driver+0x1a8/0x268)
  (bus_add_driver) from  (driver_register+0x78/0x10c)
  (driver_register) from  (do_one_initcall+0x54/0x1fc)
  (do_one_initcall) from  (do_init_module+0x64/0x1f4)
  (do_init_module) from  (load_module+0x2198/0x26ac)
  (load_module) from  (sys_finit_module+0xe0/0x110)
  (sys_finit_module) from  (ret_fast_syscall+0x0/0x54)

One way to fix this would be to rework the hairy registration sequence
in gpiochip_add_data_with_key(), but since I'd probably introduce a
couple of new bugs if I attempted that, simply add a check for a
non-NULL of_xlate function pointer in
of_gpiochip_match_node_and_xlate().  This works since the driver looking
for the gpio will simply fail to find the gpio and defer its probe and
be reprobed when the driver which is registering the gpiochip has fully
completed its probe.

Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpio/gpiolib-of.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpio/gpiolib-of.c
+++ b/drivers/gpio/gpiolib-of.c
@@ -31,6 +31,7 @@ static int of_gpiochip_match_node_and_xl
 	struct of_phandle_args *gpiospec = data;
 
 	return chip->gpiodev->dev.of_node == gpiospec->np &&
+				chip->of_xlate &&
 				chip->of_xlate(chip, gpiospec, NULL) >= 0;
 }