Patch Detail

HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2223488,
    "url": "http://patchwork.ozlabs.org/api/1.2/patches/2223488/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/linux-gpio/patch/20260415-6-12-gpiolib-cve-2026-22986-v1-2-3a7a6de332eb@cherry.de/",
    "project": {
        "id": 42,
        "url": "http://patchwork.ozlabs.org/api/1.2/projects/42/?format=api",
        "name": "Linux GPIO development",
        "link_name": "linux-gpio",
        "list_id": "linux-gpio.vger.kernel.org",
        "list_email": "linux-gpio@vger.kernel.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": "",
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20260415-6-12-gpiolib-cve-2026-22986-v1-2-3a7a6de332eb@cherry.de>",
    "list_archive_url": null,
    "date": "2026-04-15T11:15:41",
    "name": "[6.12.y,2/2] gpiolib: fix race condition for gdev->srcu",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "0c6a7143ed72f862d6b532c61557caef45deb577",
    "submitter": {
        "id": 82991,
        "url": "http://patchwork.ozlabs.org/api/1.2/people/82991/?format=api",
        "name": "Quentin Schulz",
        "email": "foss+kernel@0leil.net"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/linux-gpio/patch/20260415-6-12-gpiolib-cve-2026-22986-v1-2-3a7a6de332eb@cherry.de/mbox/",
    "series": [
        {
            "id": 499972,
            "url": "http://patchwork.ozlabs.org/api/1.2/series/499972/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/linux-gpio/list/?series=499972",
            "date": "2026-04-15T11:15:39",
            "name": "gpiolib: backport fa17f749ee5b and a7ac22d53d09",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/499972/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2223488/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2223488/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "\n <linux-gpio+bounces-35164-incoming=patchwork.ozlabs.org@vger.kernel.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "linux-gpio@vger.kernel.org"
        ],
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=0leil.net header.i=@0leil.net header.a=rsa-sha256\n header.s=20231125 header.b=gmt0lluC;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=linux-gpio+bounces-35164-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)",
            "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=0leil.net header.i=@0leil.net\n header.b=\"gmt0lluC\"",
            "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=185.125.25.15",
            "smtp.subspace.kernel.org;\n dmarc=pass (p=reject dis=none) header.from=0leil.net",
            "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=0leil.net"
        ],
        "Received": [
            "from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwdxr5LL8z1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 21:21:20 +1000 (AEST)",
            "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 331B131333C2\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 11:16:18 +0000 (UTC)",
            "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 623153783D1;\n\tWed, 15 Apr 2026 11:16:15 +0000 (UTC)",
            "from smtp-190f.mail.infomaniak.ch (smtp-190f.mail.infomaniak.ch\n [185.125.25.15])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 934043431F5\n\tfor <linux-gpio@vger.kernel.org>; Wed, 15 Apr 2026 11:16:11 +0000 (UTC)",
            "from smtp-4-0001.mail.infomaniak.ch (unknown\n [IPv6:2001:1600:7:10::a6c])\n\tby smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4fwdqs5853zyTB;\n\tWed, 15 Apr 2026 13:16:09 +0200 (CEST)",
            "from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA\n id 4fwdqr6Jzwzw5F;\n\tWed, 15 Apr 2026 13:16:08 +0200 (CEST)"
        ],
        "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776251775; cv=none;\n b=LNPrvYRTvb67HL+z3xUPY+qfQL0LPl4Qun2Wvv9s/6YFiWwvtgLdmiCxD9o2fJ6LJqNu4Vn73Hp16HKe2JC3x+FJeqBmSs/RpzAgw7TwCn/c3M29OuaDcsKt1pQ1VJbWUztPCLUdK/Hrfnox3SHsIrjwhPJmeze1QjiCJMLB9xY=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776251775; c=relaxed/simple;\n\tbh=2JbAD/DSNBNfRE24tbvNZj/0IfyRuIUOcjNQsNfyiZw=;\n\th=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References:\n\t In-Reply-To:To:Cc;\n b=CHra6eNihZ97C+3fQgSgIwuSzkeh9n8PapfWZRBGB1wSZ43XhDhStEKUjYQ9mNrwxyTqa7MLSXjAegN3nCaDeXphAhN+yOis9yNWoDBSbX2qiSIj2fGeiaVfC1OPigWA0bVVsHCZePgcTfqKyx+wEEEKkdCaQ+U2kwXd6aw4L2E=",
        "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=reject dis=none) header.from=0leil.net;\n spf=pass smtp.mailfrom=0leil.net;\n dkim=pass (2048-bit key) header.d=0leil.net header.i=@0leil.net\n header.b=gmt0lluC; arc=none smtp.client-ip=185.125.25.15",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=0leil.net;\n\ts=20231125; t=1776251769;\n\tbh=yfWCJrrXvC+OtV0W0WCKQPC1fpYnvPmsr7D+XYucFmY=;\n\th=From:Date:Subject:References:In-Reply-To:To:Cc:From;\n\tb=gmt0lluCphkmSE2abwtDdfupMf8+4KqSVto9p7MkRdKDt6HvEtLcXmwNMDZWOkTKd\n\t ApnXYc7oQmVdmVwNVUsm4Cxj/v7Gba5QNpOOlqAMv8abd44BF4fq2JMt4jlQzb4QNS\n\t WgoYXy6Jd4AoFMks5EUsoqywMPzRX0e3fRU2FSbHVamJ8BWJRFYYkANTSfNts75mLj\n\t 6j0Q6UgaHihJpsVm+8POxRS6kUGnYm3yRGe68yGvsewctLlLwTESxbxmCPBDBVeE+Y\n\t 3PBW9E0Kl2g6478aQgjdl/kX6fyoSplXsHWqyxUvqrqTvF58uYGSbnQZHPlsA2Q5k3\n\t pzuWGypY3CkEw==",
        "From": "Quentin Schulz <foss+kernel@0leil.net>",
        "Date": "Wed, 15 Apr 2026 13:15:41 +0200",
        "Subject": "[PATCH 6.12.y 2/2] gpiolib: fix race condition for gdev->srcu",
        "Precedence": "bulk",
        "X-Mailing-List": "linux-gpio@vger.kernel.org",
        "List-Id": "<linux-gpio.vger.kernel.org>",
        "List-Subscribe": "<mailto:linux-gpio+subscribe@vger.kernel.org>",
        "List-Unsubscribe": "<mailto:linux-gpio+unsubscribe@vger.kernel.org>",
        "MIME-Version": "1.0",
        "Content-Type": "text/plain; charset=\"utf-8\"",
        "Content-Transfer-Encoding": "8bit",
        "Message-Id": "<20260415-6-12-gpiolib-cve-2026-22986-v1-2-3a7a6de332eb@cherry.de>",
        "References": "<20260415-6-12-gpiolib-cve-2026-22986-v1-0-3a7a6de332eb@cherry.de>",
        "In-Reply-To": "\n <20260415-6-12-gpiolib-cve-2026-22986-v1-0-3a7a6de332eb@cherry.de>",
        "To": "Linus Walleij <linus.walleij@linaro.org>,\n Bartosz Golaszewski <brgl@bgdev.pl>,\n Andy Shevchenko <andriy.shevchenko@linux.intel.com>",
        "Cc": "Heiko Stuebner <heiko.stuebner@cherry.de>, stable@vger.kernel.org,\n  linux-gpio@vger.kernel.org, linux-kernel@vger.kernel.org,\n  Bartosz Golaszewski <bartosz.golaszewski@linaro.org>,\n  Quentin Schulz <quentin.schulz@cherry.de>,\n =?utf-8?q?Pawe=C5=82_Narewski?= <pawel.narewski@nokia.com>,\n  Jakub Lewalski <jakub.lewalski@nokia.com>,\n  Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>",
        "X-Mailer": "b4 0.15-dev-47773",
        "X-Infomaniak-Routing": "alpha"
    },
    "content": "From: Paweł Narewski <pawel.narewski@nokia.com>\n\n[ Upstream commit a7ac22d53d0990152b108c3f4fe30df45fcb0181 ]\n\nIf two drivers were calling gpiochip_add_data_with_key(), one may be\ntraversing the srcu-protected list in gpio_name_to_desc(), meanwhile\nother has just added its gdev in gpiodev_add_to_list_unlocked().\nThis creates a non-mutexed and non-protected timeframe, when one\ninstance is dereferencing and using &gdev->srcu, before the other\nhas initialized it, resulting in crash:\n\n[    4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000\n[    4.943396] Mem abort info:\n[    4.943400]   ESR = 0x0000000096000005\n[    4.943403]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    4.943407]   SET = 0, FnV = 0\n[    4.943410]   EA = 0, S1PTW = 0\n[    4.943413]   FSC = 0x05: level 1 translation fault\n[    4.943416] Data abort info:\n[    4.943418]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[    4.946220]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    4.955261]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000\n[    4.961449] [ffff800272bcc000] pgd=0000000000000000\n[    4.969203] , p4d=1000000039739003\n[    4.979730] , pud=0000000000000000\n[    4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node \"reset\"\n[    4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n...\n[    5.121359] pc : __srcu_read_lock+0x44/0x98\n[    5.131091] lr : gpio_name_to_desc+0x60/0x1a0\n[    5.153671] sp : ffff8000833bb430\n[    5.298440]\n[    5.298443] Call trace:\n[    5.298445]  __srcu_read_lock+0x44/0x98\n[    5.309484]  gpio_name_to_desc+0x60/0x1a0\n[    5.320692]  gpiochip_add_data_with_key+0x488/0xf00\n    5.946419] ---[ end trace 0000000000000000 ]---\n\nMove initialization code for gdev fields before it is added to\ngpio_devices, with adjacent initialization code.\nAdjust goto statements  to reflect modified order of operations\n\nFixes: 47d8b4c1d868 (\"gpio: add SRCU infrastructure to struct gpio_device\")\nReviewed-by: Jakub Lewalski <jakub.lewalski@nokia.com>\nSigned-off-by: Paweł Narewski <pawel.narewski@nokia.com>\n[Bartosz: fixed a build issue, removed stray newline]\nLink: https://lore.kernel.org/r/20251224082641.10769-1-bartosz.golaszewski@oss.qualcomm.com\nSigned-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>\n[missing commit fcc8b637c542 (\"gpiolib: switch the line state notifier\n to atomic\"), commit dcb73cbaaeb3 (\"gpio: cdev: use raw notifier for\n line state events\") and commit d4f335b410dd (\"gpiolib: rename GPIO chip\n printk macros\") in 6.12.y.\n Both notifiers as well as both srcu inits are moved before the\n scoped_guard, following same logic as in a7ac22d53d09.\n Rest is changes to git context only.]\nCc: stable@vger.kernel.org # 6.12\nSigned-off-by: Quentin Schulz <quentin.schulz@cherry.de>\n---\n drivers/gpio/gpiolib.c | 38 +++++++++++++++++++-------------------\n 1 file changed, 19 insertions(+), 19 deletions(-)",
    "diff": "diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c\nindex 3f9019cc832ac..5c8cd81656963 100644\n--- a/drivers/gpio/gpiolib.c\n+++ b/drivers/gpio/gpiolib.c\n@@ -988,6 +988,17 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,\n \tgdev->ngpio = gc->ngpio;\n \tgdev->can_sleep = gc->can_sleep;\n \n+\tBLOCKING_INIT_NOTIFIER_HEAD(&gdev->line_state_notifier);\n+\tBLOCKING_INIT_NOTIFIER_HEAD(&gdev->device_notifier);\n+\n+\tret = init_srcu_struct(&gdev->srcu);\n+\tif (ret)\n+\t\tgoto err_free_label;\n+\n+\tret = init_srcu_struct(&gdev->desc_srcu);\n+\tif (ret)\n+\t\tgoto err_cleanup_gdev_srcu;\n+\n \tscoped_guard(mutex, &gpio_devices_lock) {\n \t\t/*\n \t\t * TODO: this allocates a Linux GPIO number base in the global\n@@ -1002,7 +1013,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,\n \t\t\tif (base < 0) {\n \t\t\t\tret = base;\n \t\t\t\tbase = 0;\n-\t\t\t\tgoto err_free_label;\n+\t\t\t\tgoto err_cleanup_desc_srcu;\n \t\t\t}\n \n \t\t\t/*\n@@ -1022,21 +1033,10 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,\n \t\tret = gpiodev_add_to_list_unlocked(gdev);\n \t\tif (ret) {\n \t\t\tchip_err(gc, \"GPIO integer space overlap, cannot add chip\\n\");\n-\t\t\tgoto err_free_label;\n+\t\t\tgoto err_cleanup_desc_srcu;\n \t\t}\n \t}\n \n-\tBLOCKING_INIT_NOTIFIER_HEAD(&gdev->line_state_notifier);\n-\tBLOCKING_INIT_NOTIFIER_HEAD(&gdev->device_notifier);\n-\n-\tret = init_srcu_struct(&gdev->srcu);\n-\tif (ret)\n-\t\tgoto err_remove_from_list;\n-\n-\tret = init_srcu_struct(&gdev->desc_srcu);\n-\tif (ret)\n-\t\tgoto err_cleanup_gdev_srcu;\n-\n #ifdef CONFIG_PINCTRL\n \tINIT_LIST_HEAD(&gdev->pin_ranges);\n #endif\n@@ -1046,11 +1046,11 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,\n \n \tret = gpiochip_set_names(gc);\n \tif (ret)\n-\t\tgoto err_cleanup_desc_srcu;\n+\t\tgoto err_remove_from_list;\n \n \tret = gpiochip_init_valid_mask(gc);\n \tif (ret)\n-\t\tgoto err_cleanup_desc_srcu;\n+\t\tgoto err_remove_from_list;\n \n \tfor (desc_index = 0; desc_index < gc->ngpio; desc_index++) {\n \t\tstruct gpio_desc *desc = &gdev->descs[desc_index];\n@@ -1117,10 +1117,6 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,\n \tof_gpiochip_remove(gc);\n err_free_valid_mask:\n \tgpiochip_free_valid_mask(gc);\n-err_cleanup_desc_srcu:\n-\tcleanup_srcu_struct(&gdev->desc_srcu);\n-err_cleanup_gdev_srcu:\n-\tcleanup_srcu_struct(&gdev->srcu);\n err_remove_from_list:\n \tscoped_guard(mutex, &gpio_devices_lock)\n \t\tlist_del_rcu(&gdev->list);\n@@ -1130,6 +1126,10 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,\n \t\tgpio_device_put(gdev);\n \t\tgoto err_print_message;\n \t}\n+err_cleanup_desc_srcu:\n+\tcleanup_srcu_struct(&gdev->desc_srcu);\n+err_cleanup_gdev_srcu:\n+\tcleanup_srcu_struct(&gdev->srcu);\n err_free_label:\n \tkfree_const(gdev->label);\n err_free_descs:\n",
    "prefixes": [
        "6.12.y",
        "2/2"
    ]
}