[PATCH v2] platform/x86: int3472: Fix double free of GPIO device during unregister

Qiu Wenbo posted 1 patch 3 months, 1 week ago
drivers/platform/x86/intel/int3472/clk_and_regulator.c | 5 +----
include/linux/platform_data/x86/int3472.h              | 1 -
2 files changed, 1 insertion(+), 5 deletions(-)
Posted by Qiu Wenbo 3 months, 1 week ago
From: Qiu Wenbo <qiuwenbo@kylinsec.com.cn>

regulator_unregister() already frees the associated GPIO device. On
ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to
random failures when other drivers (typically Intel THC) attempt to
allocate interrupts. The root cause is that the reference count of the
pinctrl_intel_platform module unexpectedly drops to zero when this
driver defers its probe.

This behavior can also be reproduced by unloading the module directly.

Fix the issue by removing the redundant release of the GPIO device
during regulator unregistration.

Cc: stable@vger.kernel.org
Fixes: 1e5d088a52c2 ("platform/x86: int3472: Stop using devm_gpiod_get()")
Signed-off-by: Qiu Wenbo <qiuwenbo@kylinsec.com.cn>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
---
Changes since V1:
 - Add Reviewed-by: from Andy Shevchenko and Sakari Ailus
 - Add Cc to stable@
 - Remove the blank line after Fixes:

 drivers/platform/x86/intel/int3472/clk_and_regulator.c | 5 +----
 include/linux/platform_data/x86/int3472.h              | 1 -
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/platform/x86/intel/int3472/clk_and_regulator.c b/drivers/platform/x86/intel/int3472/clk_and_regulator.c
index 476ec24d37020..9e052b164a1ab 100644
--- a/drivers/platform/x86/intel/int3472/clk_and_regulator.c
+++ b/drivers/platform/x86/intel/int3472/clk_and_regulator.c
@@ -245,15 +245,12 @@ int skl_int3472_register_regulator(struct int3472_discrete_device *int3472,
 	if (IS_ERR(regulator->rdev))
 		return PTR_ERR(regulator->rdev);
 
-	int3472->regulators[int3472->n_regulator_gpios].ena_gpio = gpio;
 	int3472->n_regulator_gpios++;
 	return 0;
 }
 
 void skl_int3472_unregister_regulator(struct int3472_discrete_device *int3472)
 {
-	for (int i = 0; i < int3472->n_regulator_gpios; i++) {
+	for (int i = 0; i < int3472->n_regulator_gpios; i++)
 		regulator_unregister(int3472->regulators[i].rdev);
-		gpiod_put(int3472->regulators[i].ena_gpio);
-	}
 }
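Review bot: the early return on IS_ERR(regulator->rdev) at the top of this hunk is not covered by the changelog, which only says that regulator_unregister() frees the GPIO. With the ena_gpio assignment removed, the driver keeps no reference to gpio on any path, so please state in the commit message (or in a short comment at that return) that the regulator core also releases the descriptor when registration fails. If it does not, that return needs its own gpiod_put(gpio).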
diff --git a/include/linux/platform_data/x86/int3472.h b/include/linux/platform_data/x86/int3472.h
index 1571e9157fa50..b1b837583d544 100644
--- a/include/linux/platform_data/x86/int3472.h
+++ b/include/linux/platform_data/x86/int3472.h
@@ -100,7 +100,6 @@ struct int3472_gpio_regulator {
 	struct regulator_consumer_supply supply_map[GPIO_REGULATOR_SUPPLY_MAP_COUNT * 2];
 	char supply_name_upper[GPIO_SUPPLY_NAME_LENGTH];
 	char regulator_name[GPIO_REGULATOR_NAME_LENGTH];
-	struct gpio_desc *ena_gpio;
 	struct regulator_dev *rdev;
 	struct regulator_desc rdesc;
 };
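Review bot: ena_gpio is dropped from a header under include/linux/platform_data, so any other reader of the field stops building, and this diff touches only clk_and_regulator.c. A line in the changelog confirming that the assignment and the gpiod_put() call removed in the first hunk were its only users (a grep for ena_gpio under drivers/platform/x86/intel/int3472/ is enough) would settle this for the stable backports requested by the Cc tag.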
-- 
2.51.2
Re: [PATCH v2] platform/x86: int3472: Fix double free of GPIO device during unregister
Posted by Ilpo Järvinen 3 months, 1 week ago
On Tue, 28 Oct 2025 14:30:09 +0800, Qiu Wenbo wrote:

> regulator_unregister() already frees the associated GPIO device. On
> ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to
> random failures when other drivers (typically Intel THC) attempt to
> allocate interrupts. The root cause is that the reference count of the
> pinctrl_intel_platform module unexpectedly drops to zero when this
> driver defers its probe.
> 
> [...]


Thank you for your contribution, it has been applied to my local
review-ilpo-fixes branch. Note it will show up in the public
platform-drivers-x86/review-ilpo-fixes branch only once I've pushed my
local branch there, which might take a while.

The list of commits applied:
[1/1] platform/x86: int3472: Fix double free of GPIO device during unregister
      commit: f0f7a3f542c1698edb69075f25a3f846207facba

--
 i.
Re: [PATCH v2] platform/x86: int3472: Fix double free of GPIO device during unregister
Posted by Hans de Goede 3 months, 1 week ago
Hi,

On 28-Oct-25 7:30 AM, Qiu Wenbo wrote:
> From: Qiu Wenbo <qiuwenbo@kylinsec.com.cn>
> 
> regulator_unregister() already frees the associated GPIO device. On
> ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to
> random failures when other drivers (typically Intel THC) attempt to
> allocate interrupts. The root cause is that the reference count of the
> pinctrl_intel_platform module unexpectedly drops to zero when this
> driver defers its probe.
> 
> This behavior can also be reproduced by unloading the module directly.
> 
> Fix the issue by removing the redundant release of the GPIO device
> during regulator unregistration.
> 
> Cc: stable@vger.kernel.org
> Fixes: 1e5d088a52c2 ("platform/x86: int3472: Stop using devm_gpiod_get()")
> Signed-off-by: Qiu Wenbo <qiuwenbo@kylinsec.com.cn>
> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
> Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>

Thanks, patch looks good to me:

Reviewed-by: Hans de Goede <hansg@kernel.org>

Regards,

Hans



> ---
> Changes since V1:
>  - Add Reviewed-by: from Andy Shevchenko and Sakari Ailus
>  - Add Cc to stable@
>  - Remove the blank line after Fixes:
> 
>  drivers/platform/x86/intel/int3472/clk_and_regulator.c | 5 +----
>  include/linux/platform_data/x86/int3472.h              | 1 -
>  2 files changed, 1 insertion(+), 5 deletions(-)
> 
> diff --git a/drivers/platform/x86/intel/int3472/clk_and_regulator.c b/drivers/platform/x86/intel/int3472/clk_and_regulator.c
> index 476ec24d37020..9e052b164a1ab 100644
> --- a/drivers/platform/x86/intel/int3472/clk_and_regulator.c
> +++ b/drivers/platform/x86/intel/int3472/clk_and_regulator.c
> @@ -245,15 +245,12 @@ int skl_int3472_register_regulator(struct int3472_discrete_device *int3472,
>  	if (IS_ERR(regulator->rdev))
>  		return PTR_ERR(regulator->rdev);
>  
> -	int3472->regulators[int3472->n_regulator_gpios].ena_gpio = gpio;
>  	int3472->n_regulator_gpios++;
>  	return 0;
>  }
>  
>  void skl_int3472_unregister_regulator(struct int3472_discrete_device *int3472)
>  {
> -	for (int i = 0; i < int3472->n_regulator_gpios; i++) {
> +	for (int i = 0; i < int3472->n_regulator_gpios; i++)
>  		regulator_unregister(int3472->regulators[i].rdev);
> -		gpiod_put(int3472->regulators[i].ena_gpio);
> -	}
>  }
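Review bot: skl_int3472_unregister_regulator() now releases the enable GPIO only implicitly through regulator_unregister(), and nothing at the loop says so. A one-line comment above the for loop, along the lines of "regulator_unregister() also puts the enable GPIO", would keep a later cleanup from reintroducing the gpiod_put() call this patch removes.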
> diff --git a/include/linux/platform_data/x86/int3472.h b/include/linux/platform_data/x86/int3472.h
> index 1571e9157fa50..b1b837583d544 100644
> --- a/include/linux/platform_data/x86/int3472.h
> +++ b/include/linux/platform_data/x86/int3472.h
> @@ -100,7 +100,6 @@ struct int3472_gpio_regulator {
>  	struct regulator_consumer_supply supply_map[GPIO_REGULATOR_SUPPLY_MAP_COUNT * 2];
>  	char supply_name_upper[GPIO_SUPPLY_NAME_LENGTH];
>  	char regulator_name[GPIO_REGULATOR_NAME_LENGTH];
> -	struct gpio_desc *ena_gpio;
>  	struct regulator_dev *rdev;
>  	struct regulator_desc rdesc;
>  };