From: Quentin Schulz
Date: Wed, 15 Apr 2026 13:15:40 +0200
Subject: [PATCH 6.12.y 1/2] gpiolib: unify two loops initializing GPIO descriptors
Message-Id: <20260415-6-12-gpiolib-cve-2026-22986-v1-1-3a7a6de332eb@cherry.de>
In-Reply-To: <20260415-6-12-gpiolib-cve-2026-22986-v1-0-3a7a6de332eb@cherry.de>
To: Linus Walleij, Bartosz Golaszewski, Andy Shevchenko
Cc: Heiko Stuebner, stable@vger.kernel.org, linux-gpio@vger.kernel.org, linux-kernel@vger.kernel.org, Bartosz Golaszewski, Quentin Schulz, Kent Gibson

From: Bartosz Golaszewski

[ Upstream commit fa17f749ee5bc6afdaa9e0ddbe6a816b490dad7d ]

We currently iterate over the descriptors owned by the GPIO device we're
adding twice with the first loop just setting the gdev pointer. It's not
used anywhere between this and the second loop so just drop the first
one and move the assignment to the second.

Reviewed-by: Kent Gibson
Link: https://lore.kernel.org/r/20241004-gpio-notify-in-kernel-events-v1-2-8ac29e1df4fe@linaro.org
Signed-off-by: Bartosz Golaszewski
Cc: stable@vger.kernel.org # 6.12
Signed-off-by: Quentin Schulz
Acked-by: Bartosz Golaszewski
--- drivers/gpio/gpiolib.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 967ff661e4c96..3f9019cc832ac 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -1026,9 +1026,6 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, = void *data, } } =20 - for (desc_index =3D 0; desc_index < gc->ngpio; desc_index++) - gdev->descs[desc_index].gdev =3D gdev; - BLOCKING_INIT_NOTIFIER_HEAD(&gdev->line_state_notifier); BLOCKING_INIT_NOTIFIER_HEAD(&gdev->device_notifier); =20 
@@ -1058,6 +1055,8 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, = void *data, for (desc_index =3D 0; desc_index < gc->ngpio; desc_index++) { struct gpio_desc *desc =3D &gdev->descs[desc_index]; =20 + desc->gdev =3D gdev; + if (gc->get_direction && gpiochip_line_is_valid(gc, desc_index)) { assign_bit(FLAG_IS_OUT, &desc->flags, !gc->get_direction(gc, desc_index)); --=20 2.53.0

From: Quentin Schulz
Date: Wed, 15 Apr 2026 13:15:41 +0200
Subject: [PATCH 6.12.y 2/2] gpiolib: fix race condition for gdev->srcu
Message-Id: <20260415-6-12-gpiolib-cve-2026-22986-v1-2-3a7a6de332eb@cherry.de>
In-Reply-To: <20260415-6-12-gpiolib-cve-2026-22986-v1-0-3a7a6de332eb@cherry.de>
To: Linus Walleij, Bartosz Golaszewski, Andy Shevchenko
Cc: Heiko Stuebner, stable@vger.kernel.org, linux-gpio@vger.kernel.org, linux-kernel@vger.kernel.org, Bartosz Golaszewski, Quentin Schulz, Paweł Narewski, Jakub Lewalski, Bartosz Golaszewski

From: Paweł Narewski

[ Upstream commit a7ac22d53d0990152b108c3f4fe30df45fcb0181 ]

If two drivers were calling gpiochip_add_data_with_key(), one may be
traversing the srcu-protected list in gpio_name_to_desc(), meanwhile
other has just added its gdev in gpiodev_add_to_list_unlocked().
This creates a non-mutexed and non-protected timeframe, when one
instance is dereferencing and using &gdev->srcu, before the other
has initialized it, resulting in crash:

[ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000
[ 4.943396] Mem abort info:
[ 4.943400] ESR = 0x0000000096000005
[ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits
[ 4.943407] SET = 0, FnV = 0
[ 4.943410] EA = 0, S1PTW = 0
[ 4.943413] FSC = 0x05: level 1 translation fault
[ 4.943416] Data abort info:
[ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000
[ 4.961449] [ffff800272bcc000] pgd=0000000000000000
[ 4.969203] , p4d=1000000039739003
[ 4.979730] , pud=0000000000000000
[ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node "reset"
[ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
...
[ 5.121359] pc : __srcu_read_lock+0x44/0x98
[ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0
[ 5.153671] sp : ffff8000833bb430
[ 5.298440]
[ 5.298443] Call trace:
[ 5.298445] __srcu_read_lock+0x44/0x98
[ 5.309484] gpio_name_to_desc+0x60/0x1a0
[ 5.320692] gpiochip_add_data_with_key+0x488/0xf00
[ 5.946419] ---[ end trace 0000000000000000 ]---

Move initialization code for gdev fields before it is added to
gpio_devices, with adjacent initialization code.
Adjust goto statements to reflect modified order of operations

Fixes: 47d8b4c1d868 ("gpio: add SRCU infrastructure to struct gpio_device")
Reviewed-by: Jakub Lewalski
Signed-off-by: Paweł Narewski
[Bartosz: fixed a build issue, removed stray newline]
Link: https://lore.kernel.org/r/20251224082641.10769-1-bartosz.golaszewski@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski
[missing commit fcc8b637c542 ("gpiolib: switch the line state notifier
to atomic"), commit dcb73cbaaeb3 ("gpio: cdev: use raw notifier for line
state events") and commit d4f335b410dd ("gpiolib: rename GPIO chip
printk macros") in 6.12.y. Both notifiers as well as both srcu inits are
moved before the scoped_guard, following same logic as in a7ac22d53d09.
Rest is changes to git context only.]
Cc: stable@vger.kernel.org # 6.12
Signed-off-by: Quentin Schulz
Acked-by: Bartosz Golaszewski
--- drivers/gpio/gpiolib.c | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 3f9019cc832ac..5c8cd81656963 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -988,6 +988,17 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, v= oid *data, gdev->ngpio =3D gc->ngpio; gdev->can_sleep =3D gc->can_sleep; =20 + BLOCKING_INIT_NOTIFIER_HEAD(&gdev->line_state_notifier); + BLOCKING_INIT_NOTIFIER_HEAD(&gdev->device_notifier); + + ret =3D init_srcu_struct(&gdev->srcu); + if (ret) + goto err_free_label; + + ret =3D init_srcu_struct(&gdev->desc_srcu); + if (ret) + goto err_cleanup_gdev_srcu; + scoped_guard(mutex, &gpio_devices_lock) { /* * TODO: this allocates a Linux GPIO number base in the global @@ -1002,7 +1013,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, = void *data, if (base < 0) { ret =3D base; base =3D 0; - goto err_free_label; + goto err_cleanup_desc_srcu; } =20 /* 
@@ -1022,21 +1033,10 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc= , void *data, ret =3D gpiodev_add_to_list_unlocked(gdev); if (ret) { chip_err(gc, "GPIO integer space overlap, cannot add chip\n"); - goto err_free_label; + goto err_cleanup_desc_srcu; } } =20 - BLOCKING_INIT_NOTIFIER_HEAD(&gdev->line_state_notifier); - BLOCKING_INIT_NOTIFIER_HEAD(&gdev->device_notifier); - - ret =3D init_srcu_struct(&gdev->srcu); - if (ret) - goto err_remove_from_list; - - ret =3D init_srcu_struct(&gdev->desc_srcu); - if (ret) - goto err_cleanup_gdev_srcu; - #ifdef CONFIG_PINCTRL INIT_LIST_HEAD(&gdev->pin_ranges); #endif @@ -1046,11 +1046,11 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc= , void *data, =20 ret =3D gpiochip_set_names(gc); if (ret) - goto err_cleanup_desc_srcu; + goto err_remove_from_list; =20 ret =3D gpiochip_init_valid_mask(gc); if (ret) - goto err_cleanup_desc_srcu; + goto err_remove_from_list; =20 for (desc_index =3D 0; desc_index < gc->ngpio; desc_index++) { struct gpio_desc *desc =3D &gdev->descs[desc_index]; @@ -1117,10 +1117,6 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc,= void *data, of_gpiochip_remove(gc); err_free_valid_mask: gpiochip_free_valid_mask(gc); -err_cleanup_desc_srcu: - cleanup_srcu_struct(&gdev->desc_srcu); -err_cleanup_gdev_srcu: - cleanup_srcu_struct(&gdev->srcu); err_remove_from_list: scoped_guard(mutex, &gpio_devices_lock) list_del_rcu(&gdev->list); @@ -1130,6 +1126,10 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc,= void *data, gpio_device_put(gdev); goto err_print_message; } +err_cleanup_desc_srcu: + cleanup_srcu_struct(&gdev->desc_srcu); +err_cleanup_gdev_srcu: + cleanup_srcu_struct(&gdev->srcu); err_free_label: kfree_const(gdev->label); err_free_descs: --=20 2.53.0
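
Review bot: In 1/2, the second hunk (-1058) now sets desc->gdev only inside the late per-descriptor loop, which runs after gpiodev_add_to_list_unlocked() and, as the context lines of 2/2 show, after gpiochip_set_names() and gpiochip_init_valid_mask(). The changelog says the pointer is not used between the two loops, but 2/2 describes another caller walking the list through gpio_name_to_desc() at the same time, so the changelog should state why no such reader can reach a descriptor whose gdev is not yet set, or the assignment should happen before the device is added to the list.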
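
Review bot: In 2/2, the hunk at -988 moves both notifier heads and both init_srcu_struct() calls above scoped_guard(mutex, &gpio_devices_lock) without a comment saying why the order matters. A short comment above the block, stating that everything a reader reaching gdev through gpio_devices may touch (gdev->srcu in particular, per the oops in the changelog) has to be initialized before gpiodev_add_to_list_unlocked(), would keep a later cleanup from moving it back.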
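
Review bot: In 2/2, the hunk at -1130 places err_cleanup_desc_srcu and err_cleanup_gdev_srcu after the block that ends in "gpio_device_put(gdev); goto err_print_message;", so an error that enters at err_remove_from_list or an earlier label and takes that branch no longer reaches either cleanup_srcu_struct() call. If the release path behind gpio_device_put() is what cleans up both SRCU structs in that case, please say so in the changelog or in a comment at the labels; otherwise the two structs initialized at the top of the function are leaked on that path.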