diff mbox series

pinctrl: avoid unsafe code pattern in find_pinctrl()

Message ID ZQs1RgTKg6VJqmPs@google.com
State Accepted
Commit c153a4edff6ab01370fcac8e46f9c89cca1060c2
Headers show
Series pinctrl: avoid unsafe code pattern in find_pinctrl() | expand

Commit Message

Dmitry Torokhov Sept. 20, 2023, 6:09 p.m. UTC
The code in find_pinctrl() takes a mutex and traverses a list of pinctrl
structures. Later the caller bumps up reference count on the found
structure. Such pattern is not safe as pinctrl that was found may get
deleted before the caller gets around to increasing the reference count.

Fix this by taking the reference count in find_pinctrl(), while it still
holds the mutex.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
---
 drivers/pinctrl/core.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

Comments

Linus Walleij Sept. 25, 2023, 1:30 p.m. UTC | #1
On Wed, Sep 20, 2023 at 8:09 PM Dmitry Torokhov
<dmitry.torokhov@gmail.com> wrote:

> The code in find_pinctrl() takes a mutex and traverses a list of pinctrl
> structures. Later the caller bumps up reference count on the found
> structure. Such pattern is not safe as pinctrl that was found may get
> deleted before the caller gets around to increasing the reference count.
>
> Fix this by taking the reference count in find_pinctrl(), while it still
> holds the mutex.
>
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

After some thinking, applied for fixes and tagged for stable as
it is a very real problem that can cause random crashes under
the right circumstances.

Thanks for finding this Dmitry!!

Yours,
Linus Walleij
Andy Shevchenko Oct. 17, 2023, 2:08 p.m. UTC | #2
On Mon, Sep 25, 2023 at 03:30:53PM +0200, Linus Walleij wrote:
> On Wed, Sep 20, 2023 at 8:09 PM Dmitry Torokhov
> <dmitry.torokhov@gmail.com> wrote:
> 
> > The code in find_pinctrl() takes a mutex and traverses a list of pinctrl
> > structures. Later the caller bumps up reference count on the found
> > structure. Such pattern is not safe as pinctrl that was found may get
> > deleted before the caller gets around to increasing the reference count.
> >
> > Fix this by taking the reference count in find_pinctrl(), while it still
> > holds the mutex.
> >
> > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
> 
> After some thinking, applied for fixes and tagged for stable as
> it is a very real problem that can cause random crashes under
> the right circumstances.

Follow the strange and weird bisection [1] this one at least confirmed to be
the culprit by reverting the only one from the v6.6-rc6 based branch.

Long story short, after this commit my user space setup (minimal Buildroot + Busybox)
has become broken in a sense of MMC enumeration. My all scripts were pointed to
mmcblk0 which becomes out of a sudden mmcblk1!

git bisect start
# status: waiting for both good and bad commits
# bad: [58720809f52779dc0f08e53e54b014209d13eebb] Linux 6.6-rc6
git bisect bad 58720809f52779dc0f08e53e54b014209d13eebb
# status: waiting for good commit(s), bad commit known
# good: [2dde18cd1d8fac735875f2e4987f11817cc0bc2c] Linux 6.5
git bisect good 2dde18cd1d8fac735875f2e4987f11817cc0bc2c
# good: [47ca50600efcf994adb62a9a4e75c77d91bd0781] Merge tag 'soc-defconfig-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
git bisect good 47ca50600efcf994adb62a9a4e75c77d91bd0781
# good: [b89b029377c8c441649c7a6be908386e74ea9420] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
git bisect good b89b029377c8c441649c7a6be908386e74ea9420
# good: [2a5a4326e58339a26cd1510259e7310b8c0980ff] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
git bisect good 2a5a4326e58339a26cd1510259e7310b8c0980ff
# good: [85eba5f1759f9eb89273225027254ced57bd18a2] Merge tag 'mm-hotfixes-stable-2023-09-23-10-31' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
git bisect good 85eba5f1759f9eb89273225027254ced57bd18a2
# good: [b78b18fb8ee19f7a05f20c3abc865b3bfe182884] Merge tag 'erofs-for-6.6-rc5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs
git bisect good b78b18fb8ee19f7a05f20c3abc865b3bfe182884
# bad: [9a5a14948574ee09f339990cab69b4ab997d2f7d] Merge tag 'soc-fixes-6.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
git bisect bad 9a5a14948574ee09f339990cab69b4ab997d2f7d
# good: [b9ddbb0cde2adcedda26045cc58f31316a492215] Merge tag 'parisc-for-6.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
git bisect good b9ddbb0cde2adcedda26045cc58f31316a492215
# good: [b711538a40b794ccc83838fb66990a091c56c101] Merge tag 'hyperv-fixes-signed-20231009' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux
git bisect good b711538a40b794ccc83838fb66990a091c56c101
# good: [bab19d1b21547046b0a38dde948086f6cbcaefaa] Merge tag 'for-linus-2023101101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
git bisect good bab19d1b21547046b0a38dde948086f6cbcaefaa
# bad: [82a040a8fa9b4f3845eff73a69a9931a59335902] Merge tag 'pinctrl-v6.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
git bisect bad 82a040a8fa9b4f3845eff73a69a9931a59335902
# good: [759d1b653f3c7c2249b7fe5f6b218f87a5842822] Merge tag 'for-6.6-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
git bisect good 759d1b653f3c7c2249b7fe5f6b218f87a5842822
# bad: [c153a4edff6ab01370fcac8e46f9c89cca1060c2] pinctrl: avoid unsafe code pattern in find_pinctrl()
git bisect bad c153a4edff6ab01370fcac8e46f9c89cca1060c2
# good: [87d315a34133edcb29c4cadbf196ec6c30dfd47b] pinctrl: nuvoton: wpcm450: fix out of bounds write
git bisect good 87d315a34133edcb29c4cadbf196ec6c30dfd47b
# good: [64061b67335e958e6328bcb5bb2b5490d57f3f59] pinctrl: starfive: jh7110: Add system pm ops to save and restore context
git bisect good 64061b67335e958e6328bcb5bb2b5490d57f3f59
# first bad commit: [c153a4edff6ab01370fcac8e46f9c89cca1060c2] pinctrl: avoid unsafe code pattern in find_pinctrl()

[1]: https://lore.kernel.org/r/20230830102434.xnlh66omhs6ninet@quack3
Andy Shevchenko Oct. 17, 2023, 2:14 p.m. UTC | #3
On Tue, Oct 17, 2023 at 05:08:05PM +0300, Andy Shevchenko wrote:
> On Mon, Sep 25, 2023 at 03:30:53PM +0200, Linus Walleij wrote:
> > On Wed, Sep 20, 2023 at 8:09 PM Dmitry Torokhov
> > <dmitry.torokhov@gmail.com> wrote:
> > 
> > > The code in find_pinctrl() takes a mutex and traverses a list of pinctrl
> > > structures. Later the caller bumps up reference count on the found
> > > structure. Such pattern is not safe as pinctrl that was found may get
> > > deleted before the caller gets around to increasing the reference count.
> > >
> > > Fix this by taking the reference count in find_pinctrl(), while it still
> > > holds the mutex.
> > >
> > > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
> > 
> > After some thinking, applied for fixes and tagged for stable as
> > it is a very real problem that can cause random crashes under
> > the right circumstances.
> 
> Follow the strange and weird bisection [1] this one at least confirmed to be
> the culprit by reverting the only one from the v6.6-rc6 based branch.
> 
> Long story short, after this commit my user space setup (minimal Buildroot + Busybox)
> has become broken in a sense of MMC enumeration. My all scripts were pointed to
> mmcblk0 which becomes out of a sudden mmcblk1!

`dmesg` after revert:

[   36.439057] mmc0: SDHCI controller on PCI [0000:00:01.0] using ADMA
[   36.450924] mmc2: SDHCI controller on PCI [0000:00:01.3] using ADMA
[   36.459355] mmc1: SDHCI controller on PCI [0000:00:01.2] using ADMA
[   36.706399] mmc0: new DDR MMC card at address 0001
[   37.058972] mmc2: new ultra high speed DDR50 SDIO card at address 0001
[   37.278977] mmcblk0: mmc0:0001 H4G1d 3.64 GiB
[   37.297300]  mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10

and before:

[   36.436704] mmc2: SDHCI controller on PCI [0000:00:01.3] using ADMA
[   36.436720] mmc1: SDHCI controller on PCI [0000:00:01.0] using ADMA
[   36.463685] mmc0: SDHCI controller on PCI [0000:00:01.2] using ADMA
[   36.720627] mmc1: new DDR MMC card at address 0001
[   37.068181] mmc2: new ultra high speed DDR50 SDIO card at address 0001
[   37.279998] mmcblk1: mmc1:0001 H4G1d 3.64 GiB
[   37.302670]  mmcblk1: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10

Reproducibility 100%.

> git bisect start
> # status: waiting for both good and bad commits
> # bad: [58720809f52779dc0f08e53e54b014209d13eebb] Linux 6.6-rc6
> git bisect bad 58720809f52779dc0f08e53e54b014209d13eebb
> # status: waiting for good commit(s), bad commit known
> # good: [2dde18cd1d8fac735875f2e4987f11817cc0bc2c] Linux 6.5
> git bisect good 2dde18cd1d8fac735875f2e4987f11817cc0bc2c
> # good: [47ca50600efcf994adb62a9a4e75c77d91bd0781] Merge tag 'soc-defconfig-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
> git bisect good 47ca50600efcf994adb62a9a4e75c77d91bd0781
> # good: [b89b029377c8c441649c7a6be908386e74ea9420] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
> git bisect good b89b029377c8c441649c7a6be908386e74ea9420
> # good: [2a5a4326e58339a26cd1510259e7310b8c0980ff] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
> git bisect good 2a5a4326e58339a26cd1510259e7310b8c0980ff
> # good: [85eba5f1759f9eb89273225027254ced57bd18a2] Merge tag 'mm-hotfixes-stable-2023-09-23-10-31' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
> git bisect good 85eba5f1759f9eb89273225027254ced57bd18a2
> # good: [b78b18fb8ee19f7a05f20c3abc865b3bfe182884] Merge tag 'erofs-for-6.6-rc5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs
> git bisect good b78b18fb8ee19f7a05f20c3abc865b3bfe182884
> # bad: [9a5a14948574ee09f339990cab69b4ab997d2f7d] Merge tag 'soc-fixes-6.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
> git bisect bad 9a5a14948574ee09f339990cab69b4ab997d2f7d
> # good: [b9ddbb0cde2adcedda26045cc58f31316a492215] Merge tag 'parisc-for-6.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
> git bisect good b9ddbb0cde2adcedda26045cc58f31316a492215
> # good: [b711538a40b794ccc83838fb66990a091c56c101] Merge tag 'hyperv-fixes-signed-20231009' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux
> git bisect good b711538a40b794ccc83838fb66990a091c56c101
> # good: [bab19d1b21547046b0a38dde948086f6cbcaefaa] Merge tag 'for-linus-2023101101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
> git bisect good bab19d1b21547046b0a38dde948086f6cbcaefaa
> # bad: [82a040a8fa9b4f3845eff73a69a9931a59335902] Merge tag 'pinctrl-v6.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
> git bisect bad 82a040a8fa9b4f3845eff73a69a9931a59335902
> # good: [759d1b653f3c7c2249b7fe5f6b218f87a5842822] Merge tag 'for-6.6-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
> git bisect good 759d1b653f3c7c2249b7fe5f6b218f87a5842822
> # bad: [c153a4edff6ab01370fcac8e46f9c89cca1060c2] pinctrl: avoid unsafe code pattern in find_pinctrl()
> git bisect bad c153a4edff6ab01370fcac8e46f9c89cca1060c2
> # good: [87d315a34133edcb29c4cadbf196ec6c30dfd47b] pinctrl: nuvoton: wpcm450: fix out of bounds write
> git bisect good 87d315a34133edcb29c4cadbf196ec6c30dfd47b
> # good: [64061b67335e958e6328bcb5bb2b5490d57f3f59] pinctrl: starfive: jh7110: Add system pm ops to save and restore context
> git bisect good 64061b67335e958e6328bcb5bb2b5490d57f3f59
> # first bad commit: [c153a4edff6ab01370fcac8e46f9c89cca1060c2] pinctrl: avoid unsafe code pattern in find_pinctrl()
> 
> [1]: https://lore.kernel.org/r/20230830102434.xnlh66omhs6ninet@quack3
diff mbox series

Patch

diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c
index e9dc9638120a..e2f7519bef04 100644
--- a/drivers/pinctrl/core.c
+++ b/drivers/pinctrl/core.c
@@ -1022,17 +1022,20 @@  static int add_setting(struct pinctrl *p, struct pinctrl_dev *pctldev,
 
 static struct pinctrl *find_pinctrl(struct device *dev)
 {
-	struct pinctrl *p;
+	struct pinctrl *entry, *p = NULL;
 
 	mutex_lock(&pinctrl_list_mutex);
-	list_for_each_entry(p, &pinctrl_list, node)
-		if (p->dev == dev) {
-			mutex_unlock(&pinctrl_list_mutex);
-			return p;
+
+	list_for_each_entry(entry, &pinctrl_list, node) {
+		if (entry->dev == dev) {
+			p = entry;
+			kref_get(&p->users);
+			break;
 		}
+	}
 
 	mutex_unlock(&pinctrl_list_mutex);
-	return NULL;
+	return p;
 }
 
 static void pinctrl_free(struct pinctrl *p, bool inlist);
@@ -1140,7 +1143,6 @@  struct pinctrl *pinctrl_get(struct device *dev)
 	p = find_pinctrl(dev);
 	if (p) {
 		dev_dbg(dev, "obtain a copy of previously claimed pinctrl\n");
-		kref_get(&p->users);
 		return p;
 	}