linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Geert Uytterhoeven <geert+renesas@glider.be>,
	Mukesh Ojha <mojha@codeaurora.org>,
	Linus Walleij <linus.walleij@linaro.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-gpio@vger.kernel.org
Subject: [PATCH AUTOSEL 5.0 91/99] gpio: Fix gpiochip_add_data_with_key() error path
Date: Tue,  7 May 2019 01:32:25 -0400	[thread overview]
Message-ID: <20190507053235.29900-91-sashal@kernel.org> (raw)
In-Reply-To: <20190507053235.29900-1-sashal@kernel.org>

From: Geert Uytterhoeven <geert+renesas@glider.be>

[ Upstream commit 357798909164bf423eac6a78ff7da7e98d2d7f7f ]

The err_remove_chip block is too coarse, and may perform cleanup that
must not be done.  E.g. if of_gpiochip_add() fails, of_gpiochip_remove()
is still called, causing:

    OF: ERROR: Bad of_node_put() on /soc/gpio@e6050000
    CPU: 1 PID: 20 Comm: kworker/1:1 Not tainted 5.1.0-rc2-koelsch+ #407
    Hardware name: Generic R-Car Gen2 (Flattened Device Tree)
    Workqueue: events deferred_probe_work_func
    [<c020ec74>] (unwind_backtrace) from [<c020ae58>] (show_stack+0x10/0x14)
    [<c020ae58>] (show_stack) from [<c07c1224>] (dump_stack+0x7c/0x9c)
    [<c07c1224>] (dump_stack) from [<c07c5a80>] (kobject_put+0x94/0xbc)
    [<c07c5a80>] (kobject_put) from [<c0470420>] (gpiochip_add_data_with_key+0x8d8/0xa3c)
    [<c0470420>] (gpiochip_add_data_with_key) from [<c0473738>] (gpio_rcar_probe+0x1d4/0x314)
    [<c0473738>] (gpio_rcar_probe) from [<c052fca8>] (platform_drv_probe+0x48/0x94)

and later, if a GPIO consumer tries to use a GPIO from a failed
controller:

    WARNING: CPU: 0 PID: 1 at lib/refcount.c:156 kobject_get+0x38/0x4c
    refcount_t: increment on 0; use-after-free.
    Modules linked in:
    CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.1.0-rc2-koelsch+ #407
    Hardware name: Generic R-Car Gen2 (Flattened Device Tree)
    [<c020ec74>] (unwind_backtrace) from [<c020ae58>] (show_stack+0x10/0x14)
    [<c020ae58>] (show_stack) from [<c07c1224>] (dump_stack+0x7c/0x9c)
    [<c07c1224>] (dump_stack) from [<c0221580>] (__warn+0xd0/0xec)
    [<c0221580>] (__warn) from [<c02215e0>] (warn_slowpath_fmt+0x44/0x6c)
    [<c02215e0>] (warn_slowpath_fmt) from [<c07c58fc>] (kobject_get+0x38/0x4c)
    [<c07c58fc>] (kobject_get) from [<c068b3ec>] (of_node_get+0x14/0x1c)
    [<c068b3ec>] (of_node_get) from [<c0686f24>] (of_find_node_by_phandle+0xc0/0xf0)
    [<c0686f24>] (of_find_node_by_phandle) from [<c0686fbc>] (of_phandle_iterator_next+0x68/0x154)
    [<c0686fbc>] (of_phandle_iterator_next) from [<c0687fe4>] (__of_parse_phandle_with_args+0x40/0xd0)
    [<c0687fe4>] (__of_parse_phandle_with_args) from [<c0688204>] (of_parse_phandle_with_args_map+0x100/0x3ac)
    [<c0688204>] (of_parse_phandle_with_args_map) from [<c0471240>] (of_get_named_gpiod_flags+0x38/0x380)
    [<c0471240>] (of_get_named_gpiod_flags) from [<c046f864>] (gpiod_get_from_of_node+0x24/0xd8)
    [<c046f864>] (gpiod_get_from_of_node) from [<c0470aa4>] (devm_fwnode_get_index_gpiod_from_child+0xa0/0x144)
    [<c0470aa4>] (devm_fwnode_get_index_gpiod_from_child) from [<c05f425c>] (gpio_keys_probe+0x418/0x7bc)
    [<c05f425c>] (gpio_keys_probe) from [<c052fca8>] (platform_drv_probe+0x48/0x94)

Fix this by splitting the cleanup block, and adding a missing call to
gpiochip_irqchip_remove().

Fixes: 28355f81969962cf ("gpio: defer probe if pinctrl cannot be found")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpiolib.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index d1adfdf50fb3..34fbf879411f 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -1379,7 +1379,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *chip, void *data,
 
 	status = gpiochip_add_irqchip(chip, lock_key, request_key);
 	if (status)
-		goto err_remove_chip;
+		goto err_free_gpiochip_mask;
 
 	status = of_gpiochip_add(chip);
 	if (status)
@@ -1387,7 +1387,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *chip, void *data,
 
 	status = gpiochip_init_valid_mask(chip);
 	if (status)
-		goto err_remove_chip;
+		goto err_remove_of_chip;
 
 	for (i = 0; i < chip->ngpio; i++) {
 		struct gpio_desc *desc = &gdev->descs[i];
@@ -1415,14 +1415,18 @@ int gpiochip_add_data_with_key(struct gpio_chip *chip, void *data,
 	if (gpiolib_initialized) {
 		status = gpiochip_setup_dev(gdev);
 		if (status)
-			goto err_remove_chip;
+			goto err_remove_acpi_chip;
 	}
 	return 0;
 
-err_remove_chip:
+err_remove_acpi_chip:
 	acpi_gpiochip_remove(chip);
+err_remove_of_chip:
 	gpiochip_free_hogs(chip);
 	of_gpiochip_remove(chip);
+err_remove_chip:
+	gpiochip_irqchip_remove(chip);
+err_free_gpiochip_mask:
 	gpiochip_free_valid_mask(chip);
 err_remove_irqchip_mask:
 	gpiochip_irqchip_free_valid_mask(chip);
-- 
2.20.1


  parent reply	other threads:[~2019-05-07  6:02 UTC|newest]

Thread overview: 101+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-07  5:30 [PATCH AUTOSEL 5.0 01/99] iio: adc: xilinx: fix potential use-after-free on remove Sasha Levin
2019-05-07  5:30 ` [PATCH AUTOSEL 5.0 02/99] iio: adc: xilinx: fix potential use-after-free on probe Sasha Levin
2019-05-07  5:30 ` [PATCH AUTOSEL 5.0 03/99] iio: adc: xilinx: prevent touching unclocked h/w on remove Sasha Levin
2019-05-07  5:30 ` [PATCH AUTOSEL 5.0 04/99] acpi/nfit: Always dump _DSM output payload Sasha Levin
2019-05-07  5:30 ` [PATCH AUTOSEL 5.0 05/99] libnvdimm/namespace: Fix a potential NULL pointer dereference Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 06/99] HID: input: add mapping for Expose/Overview key Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 07/99] HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 08/99] HID: input: add mapping for "Toggle Display" key Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 09/99] libnvdimm/btt: Fix a kmemdup failure check Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 10/99] s390/dasd: Fix capacity calculation for large volumes Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 11/99] mac80211: fix unaligned access in mesh table hash function Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 12/99] mac80211: Increase MAX_MSG_LEN Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 13/99] cfg80211: Handle WMM rules in regulatory domain intersection Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 14/99] mac80211: fix memory accounting with A-MSDU aggregation Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 15/99] nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 16/99] libnvdimm/security: provide fix for secure-erase to use zero-key Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 17/99] Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 18/99] libnvdimm/pmem: fix a possible OOB access when read and write pmem Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 19/99] tools/testing/nvdimm: Retain security state after overwrite Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 20/99] mac80211: Honor SW_CRYPTO_CONTROL for unicast keys in AP VLAN mode Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 21/99] s390/3270: fix lockdep false positive on view->lock Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 22/99] drm/ttm: fix dma_fence refcount imbalance on error path Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 23/99] drm/amd/display: extending AUX SW Timeout Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 24/99] clocksource/drivers/npcm: select TIMER_OF Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 25/99] clocksource/drivers/oxnas: Fix OX820 compatible Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 26/99] selftests: fib_tests: Fix 'Command line is not complete' errors Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 27/99] drm/amdgpu: shadow in shadow_list without tbo.mem.start cause page fault in sriov TDR Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 28/99] mISDN: Check address length before reading address family Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 29/99] vxge: fix return of a free'd memblock on a failed dma mapping Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 30/99] qede: fix write to free'd pointer error and double free of ptp Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 31/99] afs: Unlock pages for __pagevec_release() Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 32/99] afs: Fix in-progess ops to ignore server-level callback invalidation Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 33/99] bfq: update internal depth state when queue depth changes Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 34/99] qed: Delete redundant doorbell recovery types Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 35/99] qed: Fix the doorbell address sanity check Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 36/99] qed: Fix missing DORQ attentions Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 37/99] qed: Fix the DORQ's attentions handling Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 38/99] drm/amd/display: If one stream full updates, full update all planes Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 39/99] s390/pkey: add one more argument space for debug feature entry Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 40/99] x86/build/lto: Fix truncated .bss with -fdata-sections Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 41/99] x86/mm: Prevent bogus warnings with "noexec=off" Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 42/99] x86/reboot, efi: Use EFI reboot for Acer TravelMate X514-51T Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 43/99] x86/mm/tlb: Revert "x86/mm: Align TLB invalidation info" Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 44/99] KVM: nVMX: always use early vmcs check when EPT is disabled Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 45/99] KVM: x86: Raise #GP when guest vCPU do not support PMU Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 46/99] KVM: nVMX: Expose RDPMC-exiting only when guest supports PMU Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 47/99] KVM: fix spectrev1 gadgets Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 48/99] KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 49/99] tools lib traceevent: Fix missing equality check for strcmp Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 50/99] perf top: Always sample time to satisfy needs of use of ordered queuing Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 51/99] ipmi: ipmi_si_hardcode.c: init si_type array to fix a crash Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 52/99] ocelot: Don't sleep in atomic context (irqs_disabled()) Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 53/99] perf tools: Fix map reference counting Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 54/99] x86/mm/KASLR: Fix the size of the direct mapping section Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 55/99] scsi: aic7xxx: fix EISA support Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 56/99] slab: store tagged freelist for off-slab slabmgmt Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 57/99] mm/hotplug: treat CMA pages as unmovable Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 58/99] mm: fix inactive list balancing between NUMA nodes and cgroups Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 59/99] init: initialize jump labels before command line option parsing Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 60/99] drm: bridge: dw-hdmi: Fix overflow workaround for Rockchip SoCs Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 61/99] selftests: netfilter: check icmp pkttoobig errors are set as related Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 62/99] ipvs: do not schedule icmp errors from tunnels Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 63/99] netfilter: ctnetlink: don't use conntrack/expect object addresses as id Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 64/99] netfilter: nf_tables: prevent shift wrap in nft_chain_parse_hook() Sasha Levin
2019-05-07  5:31 ` [PATCH AUTOSEL 5.0 65/99] netfilter: nat: fix icmp id randomization Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 66/99] MIPS: perf: ath79: Fix perfcount IRQ assignment Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 67/99] IB/mlx5: Fix scatter to CQE in DCT QP creation Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 68/99] s390: ctcm: fix ctcm_new_device error return code Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 69/99] drm/sun4i: Set device driver data at bind time for use in unbind Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 70/99] drm/sun4i: Fix component unbinding and component master deletion Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 71/99] of_net: Fix residues after of_get_nvmem_mac_address removal Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 72/99] selftests/net: correct the return value for run_netsocktests Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 73/99] selftests/net: correct the return value for run_afpackettests Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 74/99] netfilter: never get/set skb->tstamp Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 75/99] netfilter: fix nf_l4proto_log_invalid to log invalid packets Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 76/99] dmaengine: bcm2835: Avoid GFP_KERNEL in device_prep_slave_sg Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 77/99] arm64/module: ftrace: deal with place relative nature of PLTs Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 78/99] gpu: ipu-v3: dp: fix CSC handling Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 79/99] drm/imx: don't skip DP channel disable for background plane Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 80/99] ARM: fix function graph tracer and unwinder dependencies Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 81/99] ARM: 8856/1: NOMMU: Fix CCR register faulty initialization when MPU is disabled Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 82/99] spi: Micrel eth switch: declare missing of table Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 83/99] spi: ST ST95HF NFC: " Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 84/99] ceph: handle the case where a dentry has been renamed on outstanding req Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 85/99] Revert "drm/virtio: drop prime import/export callbacks" Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 86/99] x86/mm: Fix a crash with kmemleak_scan() Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 87/99] drm/sun4i: Unbind components before releasing DRM and memory Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 88/99] Input: snvs_pwrkey - make it depend on ARCH_MXC Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 89/99] Input: synaptics-rmi4 - fix possible double free Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 90/99] net: vrf: Fix operation not supported when set vrf mac Sasha Levin
2019-05-07  5:32 ` Sasha Levin [this message]
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 92/99] btrfs: Switch memory allocations in async csum calculation path to kvmalloc Sasha Levin
2019-05-07  7:49   ` David Sterba
2019-05-13 13:37     ` Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 93/99] RDMA/hns: Bugfix for mapping user db Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 94/99] mm/memory_hotplug.c: drop memory device reference after find_memory_block() Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 95/99] mm/page_alloc.c: avoid potential NULL pointer dereference Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 96/99] bpf: only test gso type on gso packets Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 97/99] net: sched: fix cleanup NULL pointer exception in act_mirr Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 98/99] net: mvpp2: fix validate for PPv2.1 Sasha Levin
2019-05-07  5:32 ` [PATCH AUTOSEL 5.0 99/99] drm/rockchip: fix for mailbox read validation Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190507053235.29900-91-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=geert+renesas@glider.be \
    --cc=linus.walleij@linaro.org \
    --cc=linux-gpio@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mojha@codeaurora.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).