{"id":2223488,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2223488/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-gpio/patch/20260415-6-12-gpiolib-cve-2026-22986-v1-2-3a7a6de332eb@cherry.de/","project":{"id":42,"url":"http://patchwork.ozlabs.org/api/1.2/projects/42/?format=json","name":"Linux GPIO development","link_name":"linux-gpio","list_id":"linux-gpio.vger.kernel.org","list_email":"linux-gpio@vger.kernel.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260415-6-12-gpiolib-cve-2026-22986-v1-2-3a7a6de332eb@cherry.de>","list_archive_url":null,"date":"2026-04-15T11:15:41","name":"[6.12.y,2/2] gpiolib: fix race condition for gdev->srcu","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"0c6a7143ed72f862d6b532c61557caef45deb577","submitter":{"id":82991,"url":"http://patchwork.ozlabs.org/api/1.2/people/82991/?format=json","name":"Quentin Schulz","email":"foss+kernel@0leil.net"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-gpio/patch/20260415-6-12-gpiolib-cve-2026-22986-v1-2-3a7a6de332eb@cherry.de/mbox/","series":[{"id":499972,"url":"http://patchwork.ozlabs.org/api/1.2/series/499972/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-gpio/list/?series=499972","date":"2026-04-15T11:15:39","name":"gpiolib: backport fa17f749ee5b and a7ac22d53d09","version":1,"mbox":"http://patchwork.ozlabs.org/series/499972/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2223488/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2223488/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <linux-gpio+bounces-35164-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-gpio@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n 
unprotected) header.d=0leil.net header.i=@0leil.net header.a=rsa-sha256\n header.s=20231125 header.b=gmt0lluC;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=linux-gpio+bounces-35164-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=0leil.net header.i=@0leil.net\n header.b=\"gmt0lluC\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=185.125.25.15","smtp.subspace.kernel.org;\n dmarc=pass (p=reject dis=none) header.from=0leil.net","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=0leil.net"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwdxr5LL8z1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 21:21:20 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 331B131333C2\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 11:16:18 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 623153783D1;\n\tWed, 15 Apr 2026 11:16:15 +0000 (UTC)","from smtp-190f.mail.infomaniak.ch (smtp-190f.mail.infomaniak.ch\n [185.125.25.15])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 934043431F5\n\tfor <linux-gpio@vger.kernel.org>; Wed, 15 Apr 2026 11:16:11 +0000 (UTC)","from smtp-4-0001.mail.infomaniak.ch (unknown\n [IPv6:2001:1600:7:10::a6c])\n\tby smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4fwdqs5853zyTB;\n\tWed, 15 Apr 2026 13:16:09 
+0200 (CEST)","from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA\n id 4fwdqr6Jzwzw5F;\n\tWed, 15 Apr 2026 13:16:08 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776251775; cv=none;\n b=LNPrvYRTvb67HL+z3xUPY+qfQL0LPl4Qun2Wvv9s/6YFiWwvtgLdmiCxD9o2fJ6LJqNu4Vn73Hp16HKe2JC3x+FJeqBmSs/RpzAgw7TwCn/c3M29OuaDcsKt1pQ1VJbWUztPCLUdK/Hrfnox3SHsIrjwhPJmeze1QjiCJMLB9xY=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776251775; c=relaxed/simple;\n\tbh=2JbAD/DSNBNfRE24tbvNZj/0IfyRuIUOcjNQsNfyiZw=;\n\th=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References:\n\t In-Reply-To:To:Cc;\n b=CHra6eNihZ97C+3fQgSgIwuSzkeh9n8PapfWZRBGB1wSZ43XhDhStEKUjYQ9mNrwxyTqa7MLSXjAegN3nCaDeXphAhN+yOis9yNWoDBSbX2qiSIj2fGeiaVfC1OPigWA0bVVsHCZePgcTfqKyx+wEEEKkdCaQ+U2kwXd6aw4L2E=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=reject dis=none) header.from=0leil.net;\n spf=pass smtp.mailfrom=0leil.net;\n dkim=pass (2048-bit key) header.d=0leil.net header.i=@0leil.net\n header.b=gmt0lluC; arc=none smtp.client-ip=185.125.25.15","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=0leil.net;\n\ts=20231125; t=1776251769;\n\tbh=yfWCJrrXvC+OtV0W0WCKQPC1fpYnvPmsr7D+XYucFmY=;\n\th=From:Date:Subject:References:In-Reply-To:To:Cc:From;\n\tb=gmt0lluCphkmSE2abwtDdfupMf8+4KqSVto9p7MkRdKDt6HvEtLcXmwNMDZWOkTKd\n\t ApnXYc7oQmVdmVwNVUsm4Cxj/v7Gba5QNpOOlqAMv8abd44BF4fq2JMt4jlQzb4QNS\n\t WgoYXy6Jd4AoFMks5EUsoqywMPzRX0e3fRU2FSbHVamJ8BWJRFYYkANTSfNts75mLj\n\t 6j0Q6UgaHihJpsVm+8POxRS6kUGnYm3yRGe68yGvsewctLlLwTESxbxmCPBDBVeE+Y\n\t 3PBW9E0Kl2g6478aQgjdl/kX6fyoSplXsHWqyxUvqrqTvF58uYGSbnQZHPlsA2Q5k3\n\t pzuWGypY3CkEw==","From":"Quentin Schulz <foss+kernel@0leil.net>","Date":"Wed, 15 Apr 2026 13:15:41 +0200","Subject":"[PATCH 6.12.y 2/2] gpiolib: fix race condition for 
gdev->srcu","Precedence":"bulk","X-Mailing-List":"linux-gpio@vger.kernel.org","List-Id":"<linux-gpio.vger.kernel.org>","List-Subscribe":"<mailto:linux-gpio+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-gpio+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"8bit","Message-Id":"<20260415-6-12-gpiolib-cve-2026-22986-v1-2-3a7a6de332eb@cherry.de>","References":"<20260415-6-12-gpiolib-cve-2026-22986-v1-0-3a7a6de332eb@cherry.de>","In-Reply-To":"\n <20260415-6-12-gpiolib-cve-2026-22986-v1-0-3a7a6de332eb@cherry.de>","To":"Linus Walleij <linus.walleij@linaro.org>,\n Bartosz Golaszewski <brgl@bgdev.pl>,\n Andy Shevchenko <andriy.shevchenko@linux.intel.com>","Cc":"Heiko Stuebner <heiko.stuebner@cherry.de>, stable@vger.kernel.org,\n  linux-gpio@vger.kernel.org, linux-kernel@vger.kernel.org,\n  Bartosz Golaszewski <bartosz.golaszewski@linaro.org>,\n  Quentin Schulz <quentin.schulz@cherry.de>,\n =?utf-8?q?Pawe=C5=82_Narewski?= <pawel.narewski@nokia.com>,\n  Jakub Lewalski <jakub.lewalski@nokia.com>,\n  Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>","X-Mailer":"b4 0.15-dev-47773","X-Infomaniak-Routing":"alpha"},"content":"From: Paweł Narewski <pawel.narewski@nokia.com>\n\n[ Upstream commit a7ac22d53d0990152b108c3f4fe30df45fcb0181 ]\n\nIf two drivers were calling gpiochip_add_data_with_key(), one may be\ntraversing the srcu-protected list in gpio_name_to_desc(), meanwhile\nother has just added its gdev in gpiodev_add_to_list_unlocked().\nThis creates a non-mutexed and non-protected timeframe, when one\ninstance is dereferencing and using &gdev->srcu, before the other\nhas initialized it, resulting in crash:\n\n[    4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000\n[    4.943396] Mem abort info:\n[    4.943400]   ESR = 0x0000000096000005\n[    4.943403]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    4.943407]   SET = 0, FnV = 0\n[    
4.943410]   EA = 0, S1PTW = 0\n[    4.943413]   FSC = 0x05: level 1 translation fault\n[    4.943416] Data abort info:\n[    4.943418]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[    4.946220]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    4.955261]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000\n[    4.961449] [ffff800272bcc000] pgd=0000000000000000\n[    4.969203] , p4d=1000000039739003\n[    4.979730] , pud=0000000000000000\n[    4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node \"reset\"\n[    4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n...\n[    5.121359] pc : __srcu_read_lock+0x44/0x98\n[    5.131091] lr : gpio_name_to_desc+0x60/0x1a0\n[    5.153671] sp : ffff8000833bb430\n[    5.298440]\n[    5.298443] Call trace:\n[    5.298445]  __srcu_read_lock+0x44/0x98\n[    5.309484]  gpio_name_to_desc+0x60/0x1a0\n[    5.320692]  gpiochip_add_data_with_key+0x488/0xf00\n    5.946419] ---[ end trace 0000000000000000 ]---\n\nMove initialization code for gdev fields before it is added to\ngpio_devices, with adjacent initialization code.\nAdjust goto statements  to reflect modified order of operations\n\nFixes: 47d8b4c1d868 (\"gpio: add SRCU infrastructure to struct gpio_device\")\nReviewed-by: Jakub Lewalski <jakub.lewalski@nokia.com>\nSigned-off-by: Paweł Narewski <pawel.narewski@nokia.com>\n[Bartosz: fixed a build issue, removed stray newline]\nLink: https://lore.kernel.org/r/20251224082641.10769-1-bartosz.golaszewski@oss.qualcomm.com\nSigned-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>\n[missing commit fcc8b637c542 (\"gpiolib: switch the line state notifier\n to atomic\"), commit dcb73cbaaeb3 (\"gpio: cdev: use raw notifier for\n line state events\") and commit d4f335b410dd (\"gpiolib: rename GPIO chip\n printk macros\") in 6.12.y.\n Both notifiers as well as both srcu inits are moved before the\n scoped_guard, following same 
logic as in a7ac22d53d09.\n Rest is changes to git context only.]\nCc: stable@vger.kernel.org # 6.12\nSigned-off-by: Quentin Schulz <quentin.schulz@cherry.de>\n---\n drivers/gpio/gpiolib.c | 38 +++++++++++++++++++-------------------\n 1 file changed, 19 insertions(+), 19 deletions(-)","diff":"diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c\nindex 3f9019cc832ac..5c8cd81656963 100644\n--- a/drivers/gpio/gpiolib.c\n+++ b/drivers/gpio/gpiolib.c\n@@ -988,6 +988,17 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,\n \tgdev->ngpio = gc->ngpio;\n \tgdev->can_sleep = gc->can_sleep;\n \n+\tBLOCKING_INIT_NOTIFIER_HEAD(&gdev->line_state_notifier);\n+\tBLOCKING_INIT_NOTIFIER_HEAD(&gdev->device_notifier);\n+\n+\tret = init_srcu_struct(&gdev->srcu);\n+\tif (ret)\n+\t\tgoto err_free_label;\n+\n+\tret = init_srcu_struct(&gdev->desc_srcu);\n+\tif (ret)\n+\t\tgoto err_cleanup_gdev_srcu;\n+\n \tscoped_guard(mutex, &gpio_devices_lock) {\n \t\t/*\n \t\t * TODO: this allocates a Linux GPIO number base in the global\n@@ -1002,7 +1013,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,\n \t\t\tif (base < 0) {\n \t\t\t\tret = base;\n \t\t\t\tbase = 0;\n-\t\t\t\tgoto err_free_label;\n+\t\t\t\tgoto err_cleanup_desc_srcu;\n \t\t\t}\n \n \t\t\t/*\n@@ -1022,21 +1033,10 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,\n \t\tret = gpiodev_add_to_list_unlocked(gdev);\n \t\tif (ret) {\n \t\t\tchip_err(gc, \"GPIO integer space overlap, cannot add chip\\n\");\n-\t\t\tgoto err_free_label;\n+\t\t\tgoto err_cleanup_desc_srcu;\n \t\t}\n \t}\n \n-\tBLOCKING_INIT_NOTIFIER_HEAD(&gdev->line_state_notifier);\n-\tBLOCKING_INIT_NOTIFIER_HEAD(&gdev->device_notifier);\n-\n-\tret = init_srcu_struct(&gdev->srcu);\n-\tif (ret)\n-\t\tgoto err_remove_from_list;\n-\n-\tret = init_srcu_struct(&gdev->desc_srcu);\n-\tif (ret)\n-\t\tgoto err_cleanup_gdev_srcu;\n-\n #ifdef CONFIG_PINCTRL\n \tINIT_LIST_HEAD(&gdev->pin_ranges);\n #endif\n@@ -1046,11 +1046,11 
@@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,\n \n \tret = gpiochip_set_names(gc);\n \tif (ret)\n-\t\tgoto err_cleanup_desc_srcu;\n+\t\tgoto err_remove_from_list;\n \n \tret = gpiochip_init_valid_mask(gc);\n \tif (ret)\n-\t\tgoto err_cleanup_desc_srcu;\n+\t\tgoto err_remove_from_list;\n \n \tfor (desc_index = 0; desc_index < gc->ngpio; desc_index++) {\n \t\tstruct gpio_desc *desc = &gdev->descs[desc_index];\n@@ -1117,10 +1117,6 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,\n \tof_gpiochip_remove(gc);\n err_free_valid_mask:\n \tgpiochip_free_valid_mask(gc);\n-err_cleanup_desc_srcu:\n-\tcleanup_srcu_struct(&gdev->desc_srcu);\n-err_cleanup_gdev_srcu:\n-\tcleanup_srcu_struct(&gdev->srcu);\n err_remove_from_list:\n \tscoped_guard(mutex, &gpio_devices_lock)\n \t\tlist_del_rcu(&gdev->list);\n@@ -1130,6 +1126,10 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,\n \t\tgpio_device_put(gdev);\n \t\tgoto err_print_message;\n \t}\n+err_cleanup_desc_srcu:\n+\tcleanup_srcu_struct(&gdev->desc_srcu);\n+err_cleanup_gdev_srcu:\n+\tcleanup_srcu_struct(&gdev->srcu);\n err_free_label:\n \tkfree_const(gdev->label);\n err_free_descs:\n","prefixes":["6.12.y","2/2"]}
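Review bot: In the first hunk (@@ -988), the moved block has no comment saying why it must sit above scoped_guard(mutex, &gpio_devices_lock), so a later reordering could quietly bring the race back. A short comment above the two BLOCKING_INIT_NOTIFIER_HEAD() calls would help, stating that every field a list reader can dereference, in particular gdev->srcu as used by gpio_name_to_desc() in the quoted call trace, has to be initialised before gpiodev_add_to_list_unlocked() publishes gdev. The new error targets in this hunk are consistent with the relocated labels: a failure of the first init_srcu_struct() goes to err_free_label and a failure of the second goes to err_cleanup_gdev_srcu.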
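Review bot: In the last two hunks (@@ -1117 and @@ -1126), err_remove_from_list now falls through into cleanup_srcu_struct(&gdev->desc_srcu) and cleanup_srcu_struct(&gdev->srcu), and the lines between list_del_rcu(&gdev->list) and the gpio_device_put(gdev) block are not in the diff context. Please confirm that a grace-period wait on the list's SRCU domain sits between the list_del_rcu() and these cleanup calls, since a concurrent gpio_name_to_desc() may still be inside a read-side section on gdev->srcu when the entry is unlinked. The branch ending in "goto err_print_message" skips both cleanup labels, so it is also worth stating in the backport note that the release path reached through gpio_device_put() is what frees the two SRCU structs in that case.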