On Thu, Mar 11, 2021 at 06:41:41PM +0100, Greg Kroah-Hartman wrote: > > The patch below does not apply to the 5.11-stable tree. > If someone wants it applied there, or to any other stable or longterm > tree, then please email the backport, including the original git commit > id to <stable@xxxxxxxxxxxxxxx>. > ------------------ original commit in Linus's tree ------------------ > > From cf25ef6b631c6fc6c0435fc91eba8734cca20511 Mon Sep 17 00:00:00 2001 > From: Johan Hovold <johan@xxxxxxxxxx> > Date: Mon, 1 Mar 2021 10:05:19 +0100 > Subject: [PATCH] gpio: fix gpio-device list corruption > > Make sure to hold the gpio_lock when removing the gpio device from the > gpio_devices list (when dropping the last reference) to avoid corrupting > the list when there are concurrent accesses. > > Fixes: ff2b13592299 ("gpio: make the gpiochip a real device") > Cc: stable@xxxxxxxxxxxxxxx # 4.6 > Reviewed-by: Saravana Kannan <saravanak@xxxxxxxxxx> > Signed-off-by: Johan Hovold <johan@xxxxxxxxxx> > Signed-off-by: Bartosz Golaszewski <bgolaszewski@xxxxxxxxxxxx> > > diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c > index 6e0572515d02..4253837f870b 100644 > --- a/drivers/gpio/gpiolib.c > +++ b/drivers/gpio/gpiolib.c > @@ -475,8 +475,12 @@ EXPORT_SYMBOL_GPL(gpiochip_line_is_valid); > static void gpiodevice_release(struct device *dev) > { > struct gpio_device *gdev = container_of(dev, struct gpio_device, dev); > + unsigned long flags; > > + spin_lock_irqsave(&gpio_lock, flags); > list_del(&gdev->list); > + spin_unlock_irqrestore(&gpio_lock, flags); > + > ida_free(&gpio_ida, gdev->id); > kfree_const(gdev->label); > kfree(gdev->descs); > Bah, that's because of a6112998ee45 ("gpio: fix NULL-deref-on-deregistration regression") which is strictly only needed in 5.12 even if it could be backported (the commit message might be a bit confusing though). I should have reversed the order of these two. Below is a backport to 5.11. Johan 
>From 7599320f36bb5273844dfb749861a5361d8aa5b7 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan@xxxxxxxxxx> Date: Mon, 1 Mar 2021 10:05:19 +0100 Subject: [PATCH] gpio: fix gpio-device list corruption Make sure to hold the gpio_lock when removing the gpio device from the gpio_devices list (when dropping the last reference) to avoid corrupting the list when there are concurrent accesses. Fixes: ff2b13592299 ("gpio: make the gpiochip a real device") Cc: stable@xxxxxxxxxxxxxxx # 4.6 Reviewed-by: Saravana Kannan <saravanak@xxxxxxxxxx> Signed-off-by: Johan Hovold <johan@xxxxxxxxxx> Signed-off-by: Bartosz Golaszewski <bgolaszewski@xxxxxxxxxxxx> [ johan: adjust context to 5.11 ] Signed-off-by: Johan Hovold <johan@xxxxxxxxxx> --- drivers/gpio/gpiolib.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index adf55db080d8..0069b115928c 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -475,8 +475,12 @@ EXPORT_SYMBOL_GPL(gpiochip_line_is_valid); static void gpiodevice_release(struct device *dev) { struct gpio_device *gdev = dev_get_drvdata(dev); + unsigned long flags; + spin_lock_irqsave(&gpio_lock, flags); list_del(&gdev->list); + spin_unlock_irqrestore(&gpio_lock, flags); + ida_free(&gpio_ida, gdev->id); kfree_const(gdev->label); kfree(gdev->descs); -- 2.26.2
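Review bot: in gpiodevice_release(), the new critical section covers only list_del(&gdev->list), and neither the hunk nor the commit message says which paths walk gpio_devices concurrently. A one-line comment above spin_lock_irqsave() stating that gpio_lock protects the gpio_devices list would make the intent clear to the next reader of a release callback that otherwise takes no locks. Keeping ida_free(), kfree_const() and kfree() after spin_unlock_irqrestore() is the right placement, since it keeps the IRQ-disabled section minimal. For the backport, the four added lines match the upstream hunk exactly; the only difference is the context line, which uses dev_get_drvdata(dev) where upstream has container_of(dev, struct gpio_device, dev), consistent with the "[ johan: adjust context to 5.11 ]" note and the explanation that a6112998ee45 is not in 5.11.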