Mark Brown (1): spi: Fix deadlock when adding SPI controllers on SPI buses
Zeng Heng (1): spi: fix kabi breakage in struct spi_controller
drivers/spi/spi.c | 43 ++++++++++++++++++++++++++---------------- include/linux/device.h | 8 ++++++++ 2 files changed, 35 insertions(+), 16 deletions(-)
-- 2.25.1
From: Mark Brown broonie@kernel.org
mainline inclusion from mainline-v5.15-rc6 commit 6098475d4cb48d821bdf453c61118c56e26294f0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RBZI CVE: CVE-2021-47469
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
Currently we have a global spi_add_lock which we take when adding new devices so that we can check that we're not trying to reuse a chip select that's already controlled. This means that if the SPI device is itself a SPI controller and triggers the instantiation of further SPI devices we trigger a deadlock as we try to register and instantiate those devices while in the process of doing so for the parent controller and hence already holding the global spi_add_lock. Since we only care about concurrency within a single SPI bus move the lock to be per controller, avoiding the deadlock.
This can be easily triggered in the case of spi-mux.
Reported-by: Uwe Kleine-König u.kleine-koenig@pengutronix.de Signed-off-by: Mark Brown broonie@kernel.org Conflicts: drivers/spi/spi.c [Resolve conflicts due to several refactor patches not merged.] Signed-off-by: Zeng Heng zengheng4@huawei.com --- drivers/spi/spi.c | 15 +++++---------- include/linux/spi/spi.h | 3 +++ 2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index f0f21f93d293..b8177e09f1cc 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -433,12 +433,6 @@ static LIST_HEAD(spi_controller_list); */ static DEFINE_MUTEX(board_lock);
-/* - * Prevents addition of devices with same chip select and - * addition of devices below an unregistering controller. - */ -static DEFINE_MUTEX(spi_add_lock); - /** * spi_alloc_device - Allocate a new SPI device * @ctlr: Controller to which device is connected @@ -535,7 +529,7 @@ int spi_add_device(struct spi_device *spi) * chipselect **BEFORE** we call setup(), else we'll trash * its configuration. Lock against concurrent add() calls. */ - mutex_lock(&spi_add_lock); + mutex_lock(&ctlr->add_lock);
status = bus_for_each_dev(&spi_bus_type, NULL, spi, spi_dev_check); if (status) { @@ -574,7 +568,7 @@ int spi_add_device(struct spi_device *spi) dev_dbg(dev, "registered child %s\n", dev_name(&spi->dev));
done: - mutex_unlock(&spi_add_lock); + mutex_unlock(&ctlr->add_lock); return status; } EXPORT_SYMBOL_GPL(spi_add_device); @@ -2205,6 +2199,7 @@ int spi_register_controller(struct spi_controller *ctlr) spin_lock_init(&ctlr->bus_lock_spinlock); mutex_init(&ctlr->bus_lock_mutex); mutex_init(&ctlr->io_mutex); + mutex_init(&ctlr->add_lock); ctlr->bus_lock_flag = 0; init_completion(&ctlr->xfer_completion); if (!ctlr->max_dma_len) @@ -2326,7 +2321,7 @@ void spi_unregister_controller(struct spi_controller *ctlr)
/* Prevent addition of new devices, unregister existing ones */ if (IS_ENABLED(CONFIG_SPI_DYNAMIC)) - mutex_lock(&spi_add_lock); + mutex_lock(&ctlr->add_lock);
device_for_each_child(&ctlr->dev, NULL, __unregister);
@@ -2350,7 +2345,7 @@ void spi_unregister_controller(struct spi_controller *ctlr) mutex_unlock(&board_lock);
if (IS_ENABLED(CONFIG_SPI_DYNAMIC)) - mutex_unlock(&spi_add_lock); + mutex_unlock(&ctlr->add_lock); } EXPORT_SYMBOL_GPL(spi_unregister_controller);
diff --git a/include/linux/spi/spi.h b/include/linux/spi/spi.h index a64235e05321..449e961834e4 100644 --- a/include/linux/spi/spi.h +++ b/include/linux/spi/spi.h @@ -463,6 +463,9 @@ struct spi_controller { /* I/O mutex */ struct mutex io_mutex;
+ /* Used to avoid adding the same CS twice */ + struct mutex add_lock; + /* lock and mutex for SPI bus locking */ spinlock_t bus_lock_spinlock; struct mutex bus_lock_mutex;
hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RBZI CVE: CVE-2021-47469
--------------------------------
Move struct mutex add_lock from struct spi_controller to struct device in case of kabi breakage in struct spi_controller.
Fixes: 6098475d4cb4 ("spi: Fix deadlock when adding SPI controllers on SPI buses") Signed-off-by: Zeng Heng zengheng4@huawei.com --- drivers/spi/spi.c | 38 +++++++++++++++++++++++++++----------- include/linux/device.h | 8 ++++++++ include/linux/spi/spi.h | 3 --- 3 files changed, 35 insertions(+), 14 deletions(-)
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index b8177e09f1cc..1a32183b9df9 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -529,7 +529,7 @@ int spi_add_device(struct spi_device *spi) * chipselect **BEFORE** we call setup(), else we'll trash * its configuration. Lock against concurrent add() calls. */ - mutex_lock(&ctlr->add_lock); + mutex_lock(ctlr->dev.add_lock);
status = bus_for_each_dev(&spi_bus_type, NULL, spi, spi_dev_check); if (status) { @@ -568,7 +568,7 @@ int spi_add_device(struct spi_device *spi) dev_dbg(dev, "registered child %s\n", dev_name(&spi->dev));
done: - mutex_unlock(&ctlr->add_lock); + mutex_unlock(ctlr->dev.add_lock); return status; } EXPORT_SYMBOL_GPL(spi_add_device); @@ -2152,6 +2152,10 @@ int spi_register_controller(struct spi_controller *ctlr) return status; }
+ ctlr->dev.add_lock = kmalloc(sizeof(struct mutex), GFP_KERNEL); + if (!ctlr->dev.add_lock) + return -ENOMEM; + /* even if it's just one always-selected device, there must * be at least one chipselect */ @@ -2163,8 +2167,10 @@ int spi_register_controller(struct spi_controller *ctlr) id = idr_alloc(&spi_master_idr, ctlr, ctlr->bus_num, ctlr->bus_num + 1, GFP_KERNEL); mutex_unlock(&board_lock); - if (WARN(id < 0, "couldn't get idr")) - return id == -ENOSPC ? -EBUSY : id; + if (WARN(id < 0, "couldn't get idr")) { + status = (id == -ENOSPC) ? -EBUSY : id; + goto done; + } ctlr->bus_num = id; } else if (ctlr->dev.of_node) { /* allocate dynamic bus number using Linux idr */ @@ -2175,8 +2181,10 @@ int spi_register_controller(struct spi_controller *ctlr) id = idr_alloc(&spi_master_idr, ctlr, ctlr->bus_num, ctlr->bus_num + 1, GFP_KERNEL); mutex_unlock(&board_lock); - if (WARN(id < 0, "couldn't get idr")) - return id == -ENOSPC ? -EBUSY : id; + if (WARN(id < 0, "couldn't get idr")) { + status = (id == -ENOSPC) ? -EBUSY : id; + goto done; + } } } if (ctlr->bus_num < 0) { @@ -2190,8 +2198,11 @@ int spi_register_controller(struct spi_controller *ctlr) id = idr_alloc(&spi_master_idr, ctlr, first_dynamic, 0, GFP_KERNEL); mutex_unlock(&board_lock); - if (WARN(id < 0, "couldn't get idr")) - return id; + if (WARN(id < 0, "couldn't get idr")) { + status = id; + goto done; + } + ctlr->bus_num = id; } INIT_LIST_HEAD(&ctlr->queue); @@ -2199,7 +2210,7 @@ int spi_register_controller(struct spi_controller *ctlr) spin_lock_init(&ctlr->bus_lock_spinlock); mutex_init(&ctlr->bus_lock_mutex); mutex_init(&ctlr->io_mutex); - mutex_init(&ctlr->add_lock); + mutex_init(ctlr->dev.add_lock); ctlr->bus_lock_flag = 0; init_completion(&ctlr->xfer_completion); if (!ctlr->max_dma_len) @@ -2251,7 +2262,10 @@ int spi_register_controller(struct spi_controller *ctlr) /* Register devices from the device tree and ACPI */ of_register_spi_devices(ctlr); acpi_register_spi_devices(ctlr); + return status; + done: + kfree(ctlr->dev.add_lock); return status; } EXPORT_SYMBOL_GPL(spi_register_controller); @@ -2321,7 +2335,7 @@ void spi_unregister_controller(struct spi_controller *ctlr)
/* Prevent addition of new devices, unregister existing ones */ if (IS_ENABLED(CONFIG_SPI_DYNAMIC)) - mutex_lock(&ctlr->add_lock); + mutex_lock(ctlr->dev.add_lock);
device_for_each_child(&ctlr->dev, NULL, __unregister);
@@ -2345,7 +2359,9 @@ void spi_unregister_controller(struct spi_controller *ctlr) mutex_unlock(&board_lock);
if (IS_ENABLED(CONFIG_SPI_DYNAMIC)) - mutex_unlock(&ctlr->add_lock); + mutex_unlock(ctlr->dev.add_lock); + + kfree(ctlr->dev.add_lock); } EXPORT_SYMBOL_GPL(spi_unregister_controller);
diff --git a/include/linux/device.h b/include/linux/device.h index 44a3dd381f55..5f0b11297540 100644 --- a/include/linux/device.h +++ b/include/linux/device.h @@ -1078,7 +1078,15 @@ struct device { #else KABI_RESERVE(1) #endif +#ifdef CONFIG_SPI_MASTER + /* + * Reserved for struct spi_controller. + * Used to avoid adding the same CS twice. + */ + struct mutex *add_lock; +#else KABI_RESERVE(2) +#endif KABI_RESERVE(3) KABI_RESERVE(4) KABI_RESERVE(5) diff --git a/include/linux/spi/spi.h b/include/linux/spi/spi.h index 449e961834e4..a64235e05321 100644 --- a/include/linux/spi/spi.h +++ b/include/linux/spi/spi.h @@ -463,9 +463,6 @@ struct spi_controller { /* I/O mutex */ struct mutex io_mutex;
- /* Used to avoid adding the same CS twice */ - struct mutex add_lock; - /* lock and mutex for SPI bus locking */ spinlock_t bus_lock_spinlock; struct mutex bus_lock_mutex;
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/9219 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/B...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/9219 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/B...