FROMGIT: pinmux: fix race causing mux_owner NULL with active mux_usecount
commit 5a3e85c3 ("pinmux: Use sequential access to access desc->pinmux data") tried to address the issue when two client of the same gpio calls pinctrl_select_state() for the same functionality, was resulting in NULL pointer issue while accessing desc->mux_owner. However, issue was not completely fixed due to the way it was handled and it can still result in the same NULL pointer. The issue occurs due to the following interleaving: cpu0 (process A) cpu1 (process B) pin_request() { pin_free() { mutex_lock() desc->mux_usecount--; //becomes 0 .. mutex_unlock() mutex_lock(desc->mux) desc->mux_usecount++; // becomes 1 desc->mux_owner = owner; mutex_unlock(desc->mux) mutex_lock(desc->mux) desc->mux_owner = NULL; mutex_unlock(desc->mux) This sequence leads to a state where the pin appears to be in use (`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can cause NULL pointer on next pin_request on the same pin. Ensure that updates to mux_usecount and mux_owner are performed atomically under the same lock. Only clear mux_owner when mux_usecount reaches zero and no new owner has been assigned. Bug: 430525600 Bug: 433603976 Fixes: 5a3e85c3 ("pinmux: Use sequential access to access desc->pinmux data") Link: https://lore.kernel.org/lkml/20250708-pinmux-race-fix-v2-1-8ae9e8a0d1a1@oss.qualcomm.com/ Signed-off-by:Mukesh Ojha <mukesh.ojha@oss.qualcomm.com> (cherry picked from commit 0b075c01 git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl.git for-next) Change-Id: Iec29ea201ef0fc3d205bbc4f1a90cb5a56a62039 Signed-off-by:
Loading
Please sign in to comment