[PATCH 0/3] Fix NULL pointer dereference in RZ/{G2L,V2M,A2} pinctrl driver

[PATCH 0/3] Fix NULL pointer dereference in RZ/{G2L,V2M,A2} pinctrl driver

[Biju Das]

Fix NULL pointer dereference in RZ/{G2L,V2M,A2M} pinctrl driver due to
a race condition during boot. We have seen issues with RZ/{G2L,V2M} boards.
Based on the code, RZ/A2 will also hit this issue. So fixing RZ/A2 aswell.

This issue is reproducible with 1/200 reboots.

Biju Das (3):
  pinctrl: renesas: rzg2l: Fix NULL pointer dereference in
    rzg2l_dt_subnode_to_map()
  pinctrl: renesas: rzv2m: Fix NULL pointer dereference in
    rzv2m_dt_subnode_to_map()
  pinctrl: renesas: rza2: Add lock around
    pinctrl_generic{{add,remove}_group,{add,remove}_function}

 drivers/pinctrl/renesas/pinctrl-rza2.c  | 11 ++++++++++-
 drivers/pinctrl/renesas/pinctrl-rzg2l.c |  8 ++++++++
 drivers/pinctrl/renesas/pinctrl-rzv2m.c |  8 ++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)

-- 
2.25.1

[PATCH 1/3] pinctrl: renesas: rzg2l: Fix NULL pointer dereference in rzg2l_dt_subnode_to_map()

[Biju Das]

Fix the below random NULL pointer crash during boot by serializing
pinctrl group and function creation/remove calls in
rzg2l_dt_subnode_to_map() with mutex lock.

Crash logs:
[   15.310036] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[   15.354291] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[   15.870714] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[   15.939989] Internal error: Oops: 0000000096000004 2 PREEMPT SMP
[   15.946285] Modules linked in: drm_shmem_helper rzg2l_mipi_dsi videobuf2_common display_connector gpu_sched mc drm_kms_helper rcar_fcp drm rcar_canfd snd_soc_wm8978 rtc_isl1208 can_dev rzg2l_adc snd_soc_rz_ssi renesas_rpc_if spi_rspi backlight ipv6
[   15.969077] CPU: 1 PID: 117 Comm: systemd-udevd Tainted: G      D            6.5.0-rc4-next-20230801-00013-gd1819ab30a54 #986
[   15.980351] Hardware name: Renesas SMARC EVK based on r9a07g054l2 (DT)
[   15.986857] pstate: 40400005 (nZcv daif +PAN UAO -TCO -DIT -SSBS BTYPE=-)
[   15.993797] pc : __pi_strcmp+0x20/0x140
[   15.997647] lr : pinmux_func_name_to_selector+0x68/0xa4
[   16.002876] sp : ffff800082d9b5a0
[   16.006210] x29: ffff800082d9b5a0 x28: 0000000000000002 x27: ffff00000cda7080
[   16.013338] x26: 0000000000000002 x25: ffff00000a1f26c0 x24: ffff00000cda7080
[   16.020456] x23: ffff800081224960 x22: ffff00007fc2e598 x21: 000000000000000c
[   16.027571] x20: ffff00000b6c8840 x19: 000000000000000b x18: 0000000000000002
[   16.034686] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[   16.041799] x14: 0000000000000001 x13: 0000000000068a68 x12: 0000000000000040
[   16.048913] x11: ffff00000b092ff8 x10: 0000ffff803d1a68 x9 : ffff00000b6c8888
[   16.056028] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000
[   16.063142] x5 : ffff00000b092ff8 x4 : ffff00000b093078 x3 : 0000000000000000
[   16.070256] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00007fc2e598
[   16.077370] Call trace:
[   16.079807]  __pi_strcmp+0x20/0x140
[   16.083296]  pinmux_generic_add_function+0x34/0xcc
[   16.088077]  rzg2l_dt_subnode_to_map+0x314/0x44c
[   16.092682]  rzg2l_dt_node_to_map+0x164/0x194
[   16.097025]  pinctrl_dt_to_map+0x218/0x37c
[   16.101107]  create_pinctrl+0x70/0x3d8

Fixes: c4c4637eb57f ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver")
Cc: stable@kernel.org
Tested-by: Chris Paterson <Chris.Paterson2@renesas.com>
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
---
 drivers/pinctrl/renesas/pinctrl-rzg2l.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
index 4f34f8f24bde..8a14cbb56449 100644
--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c
+++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
@@ -11,6 +11,7 @@
 #include <linux/interrupt.h>
 #include <linux/io.h>
 #include <linux/module.h>
+#include <linux/mutex.h>
 #include <linux/of.h>
 #include <linux/of_irq.h>
 #include <linux/platform_device.h>
@@ -153,6 +154,7 @@ struct rzg2l_pinctrl {
 	unsigned int			hwirq[RZG2L_TINT_MAX_INTERRUPT];
 
 	spinlock_t			lock;
+	struct mutex			mutex; /* serialize adding groups and functions */
 };
 
 static const unsigned int iolh_groupa_mA[] = { 2, 4, 8, 12 };
@@ -362,10 +364,12 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev,
 		name = np->name;
 	}
 
+	mutex_lock(&pctrl->mutex);
 	/* Register a single pin group listing all the pins we read from DT */
 	gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL);
 	if (gsel < 0) {
 		ret = gsel;
+		mutex_unlock(&pctrl->mutex);
 		goto done;
 	}
 
@@ -380,6 +384,8 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev,
 		goto remove_group;
 	}
 
+	mutex_unlock(&pctrl->mutex);
+
 	maps[idx].type = PIN_MAP_TYPE_MUX_GROUP;
 	maps[idx].data.mux.group = name;
 	maps[idx].data.mux.function = name;
@@ -391,6 +397,7 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev,
 
 remove_group:
 	pinctrl_generic_remove_group(pctldev, gsel);
+	mutex_unlock(&pctrl->mutex);
 done:
 	*index = idx;
 	kfree(configs);
@@ -1503,6 +1510,7 @@ static int rzg2l_pinctrl_probe(struct platform_device *pdev)
 
 	spin_lock_init(&pctrl->lock);
 	spin_lock_init(&pctrl->bitmap_lock);
+	mutex_init(&pctrl->mutex);
 
 	platform_set_drvdata(pdev, pctrl);
 
-- 
2.25.1

Re: [PATCH 1/3] pinctrl: renesas: rzg2l: Fix NULL pointer dereference in rzg2l_dt_subnode_to_map()

[andy.shevchenko]

Mon, Aug 14, 2023 at 08:24:34AM +0100, Biju Das kirjoitti:
> Fix the below random NULL pointer crash during boot by serializing
> pinctrl group and function creation/remove calls in
> rzg2l_dt_subnode_to_map() with mutex lock.

> Crash logs:
> [   15.310036] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
> [   15.354291] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
> [   15.870714] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
> [   15.939989] Internal error: Oops: 0000000096000004 2 PREEMPT SMP
> [   15.946285] Modules linked in: drm_shmem_helper rzg2l_mipi_dsi videobuf2_common display_connector gpu_sched mc drm_kms_helper rcar_fcp drm rcar_canfd snd_soc_wm8978 rtc_isl1208 can_dev rzg2l_adc snd_soc_rz_ssi renesas_rpc_if spi_rspi backlight ipv6
> [   15.969077] CPU: 1 PID: 117 Comm: systemd-udevd Tainted: G      D            6.5.0-rc4-next-20230801-00013-gd1819ab30a54 #986
> [   15.980351] Hardware name: Renesas SMARC EVK based on r9a07g054l2 (DT)
> [   15.986857] pstate: 40400005 (nZcv daif +PAN UAO -TCO -DIT -SSBS BTYPE=-)
> [   15.993797] pc : __pi_strcmp+0x20/0x140
> [   15.997647] lr : pinmux_func_name_to_selector+0x68/0xa4
> [   16.002876] sp : ffff800082d9b5a0
> [   16.006210] x29: ffff800082d9b5a0 x28: 0000000000000002 x27: ffff00000cda7080
> [   16.013338] x26: 0000000000000002 x25: ffff00000a1f26c0 x24: ffff00000cda7080
> [   16.020456] x23: ffff800081224960 x22: ffff00007fc2e598 x21: 000000000000000c
> [   16.027571] x20: ffff00000b6c8840 x19: 000000000000000b x18: 0000000000000002
> [   16.034686] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
> [   16.041799] x14: 0000000000000001 x13: 0000000000068a68 x12: 0000000000000040
> [   16.048913] x11: ffff00000b092ff8 x10: 0000ffff803d1a68 x9 : ffff00000b6c8888
> [   16.056028] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000
> [   16.063142] x5 : ffff00000b092ff8 x4 : ffff00000b093078 x3 : 0000000000000000
> [   16.070256] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00007fc2e598
> [   16.077370] Call trace:
> [   16.079807]  __pi_strcmp+0x20/0x140
> [   16.083296]  pinmux_generic_add_function+0x34/0xcc
> [   16.088077]  rzg2l_dt_subnode_to_map+0x314/0x44c
> [   16.092682]  rzg2l_dt_node_to_map+0x164/0x194
> [   16.097025]  pinctrl_dt_to_map+0x218/0x37c
> [   16.101107]  create_pinctrl+0x70/0x3d8

Submitting Patches says why the above is too noisy for the commit message.
Please, amend accordingly.

-- 
With Best Regards,
Andy Shevchenko

RE: [PATCH 1/3] pinctrl: renesas: rzg2l: Fix NULL pointer dereference in rzg2l_dt_subnode_to_map()

[Biju Das]

Hi Andy,

Thanks for the feedback.

> Subject: Re: [PATCH 1/3] pinctrl: renesas: rzg2l: Fix NULL pointer
> dereference in rzg2l_dt_subnode_to_map()
> 
> Mon, Aug 14, 2023 at 08:24:34AM +0100, Biju Das kirjoitti:
> > Fix the below random NULL pointer crash during boot by serializing
> > pinctrl group and function creation/remove calls in
> > rzg2l_dt_subnode_to_map() with mutex lock.
> 
> > Crash logs:
> > [   15.310036] Unable to handle kernel NULL pointer dereference at
> virtual address 0000000000000000
> > [   15.354291] Unable to handle kernel NULL pointer dereference at
> virtual address 0000000000000000
> > [   15.870714] [0000000000000000] pgd=0000000000000000,
> p4d=0000000000000000
> > [   15.939989] Internal error: Oops: 0000000096000004 2 PREEMPT SMP
> > [   15.946285] Modules linked in: drm_shmem_helper rzg2l_mipi_dsi
> videobuf2_common display_connector gpu_sched mc drm_kms_helper rcar_fcp
> drm rcar_canfd snd_soc_wm8978 rtc_isl1208 can_dev rzg2l_adc snd_soc_rz_ssi
> renesas_rpc_if spi_rspi backlight ipv6
> > [   15.969077] CPU: 1 PID: 117 Comm: systemd-udevd Tainted: G      D
> 6.5.0-rc4-next-20230801-00013-gd1819ab30a54 #986
> > [   15.980351] Hardware name: Renesas SMARC EVK based on r9a07g054l2
> (DT)
> > [   15.986857] pstate: 40400005 (nZcv daif +PAN UAO -TCO -DIT -SSBS
> BTYPE=-)
> > [   15.993797] pc : __pi_strcmp+0x20/0x140
> > [   15.997647] lr : pinmux_func_name_to_selector+0x68/0xa4
> > [   16.002876] sp : ffff800082d9b5a0
> > [   16.006210] x29: ffff800082d9b5a0 x28: 0000000000000002 x27:
> ffff00000cda7080
> > [   16.013338] x26: 0000000000000002 x25: ffff00000a1f26c0 x24:
> ffff00000cda7080
> > [   16.020456] x23: ffff800081224960 x22: ffff00007fc2e598 x21:
> 000000000000000c
> > [   16.027571] x20: ffff00000b6c8840 x19: 000000000000000b x18:
> 0000000000000002
> > [   16.034686] x17: 0000000000000000 x16: 0000000000000000 x15:
> 0000000000000000
> > [   16.041799] x14: 0000000000000001 x13: 0000000000068a68 x12:
> 0000000000000040
> > [   16.048913] x11: ffff00000b092ff8 x10: 0000ffff803d1a68 x9 :
> ffff00000b6c8888
> > [   16.056028] x8 : 0101010101010101 x7 : 0000000000000000 x6 :
> 0000000000000000
> > [   16.063142] x5 : ffff00000b092ff8 x4 : ffff00000b093078 x3 :
> 0000000000000000
> > [   16.070256] x2 : 0000000000000000 x1 : 0000000000000000 x0 :
> ffff00007fc2e598
> > [   16.077370] Call trace:
> > [   16.079807]  __pi_strcmp+0x20/0x140
> > [   16.083296]  pinmux_generic_add_function+0x34/0xcc
> > [   16.088077]  rzg2l_dt_subnode_to_map+0x314/0x44c
> > [   16.092682]  rzg2l_dt_node_to_map+0x164/0x194
> > [   16.097025]  pinctrl_dt_to_map+0x218/0x37c
> > [   16.101107]  create_pinctrl+0x70/0x3d8
> 
> Submitting Patches says why the above is too noisy for the commit message.
> Please, amend accordingly.

OK, got it as per[1], this should be. 

Unable to handle kernel NULL pointer dereference at virtual address
Call trace:
	__pi_strcmp+0x20/0x140
	pinmux_generic_add_function+0x34/0xcc
	rzg2l_dt_subnode_to_map+0x314/0x44c
	rzg2l_dt_node_to_map+0x164/0x194
	pinctrl_dt_to_map+0x218/0x37c
	create_pinctrl+0x70/0x3d8

[1] https://docs.kernel.org/process/submitting-patches.html#backtraces-in-commit-messages

I will send V2 with these changes.

Cheers,
Biju

Re: [PATCH 1/3] pinctrl: renesas: rzg2l: Fix NULL pointer dereference in rzg2l_dt_subnode_to_map()

[Linus Walleij]

On Mon, Aug 14, 2023 at 9:24 AM Biju Das <biju.das.jz@bp.renesas.com> wrote:

> Fix the below random NULL pointer crash during boot by serializing
> pinctrl group and function creation/remove calls in
> rzg2l_dt_subnode_to_map() with mutex lock.

What about using, hehe, scoped guards? Bartosz premiered the use
of this and I already like it a lot... see:
https://lore.kernel.org/linux-gpio/20230812183635.5478-1-brgl@bgdev.pl/

Yours,
Linus Walleij

Re: [PATCH 1/3] pinctrl: renesas: rzg2l: Fix NULL pointer dereference in rzg2l_dt_subnode_to_map()

[Geert Uytterhoeven]

Hi Linus,

On Tue, Aug 15, 2023 at 11:14 AM Linus Walleij <linus.walleij@linaro.org> wrote:
> On Mon, Aug 14, 2023 at 9:24 AM Biju Das <biju.das.jz@bp.renesas.com> wrote:
> > Fix the below random NULL pointer crash during boot by serializing
> > pinctrl group and function creation/remove calls in
> > rzg2l_dt_subnode_to_map() with mutex lock.
>
> What about using, hehe, scoped guards? Bartosz premiered the use
> of this and I already like it a lot... see:
> https://lore.kernel.org/linux-gpio/20230812183635.5478-1-brgl@bgdev.pl/

Quoting the other Linus:

   "We should probably also strive to avoid it for bug-fixes that end up
    going to stable."

https://lore.kernel.org/all/CAHk-=wjsb5gZTvhXofPCQthk48S9_bSGohXKU8x8XDnf7=bROw@mail.gmail.com

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

Re: [PATCH 1/3] pinctrl: renesas: rzg2l: Fix NULL pointer dereference in rzg2l_dt_subnode_to_map()

[Linus Walleij]

On Tue, Aug 15, 2023 at 11:32 AM Geert Uytterhoeven
<geert@linux-m68k.org> wrote:
> On Tue, Aug 15, 2023 at 11:14 AM Linus Walleij <linus.walleij@linaro.org> wrote:
> > On Mon, Aug 14, 2023 at 9:24 AM Biju Das <biju.das.jz@bp.renesas.com> wrote:
> > > Fix the below random NULL pointer crash during boot by serializing
> > > pinctrl group and function creation/remove calls in
> > > rzg2l_dt_subnode_to_map() with mutex lock.
> >
> > What about using, hehe, scoped guards? Bartosz premiered the use
> > of this and I already like it a lot... see:
> > https://lore.kernel.org/linux-gpio/20230812183635.5478-1-brgl@bgdev.pl/
>
> Quoting the other Linus:
>
>    "We should probably also strive to avoid it for bug-fixes that end up
>     going to stable."
>
> https://lore.kernel.org/all/CAHk-=wjsb5gZTvhXofPCQthk48S9_bSGohXKU8x8XDnf7=bROw@mail.gmail.com

Right, I missed it's an urgent fix :/

Let's put a mental note to sweep over the driver once this is done and
see if we can use scoped guards to avoid more problems in the future?

Yours,
Linus Walleij

[PATCH 2/3] pinctrl: renesas: rzv2m: Fix NULL pointer dereference in rzv2m_dt_subnode_to_map()

[Biju Das]

Fix the below random NULL pointer crash during boot by serializing
groups and functions creation in rzv2m_dt_subnode_to_map() with
mutex lock.

Crash logs:
[ 9.215283] CPU: 0 PID: 104 Comm: systemd-udevd Tainted: G D 6.4.0-next-20230628-g9d42909cfd05-dirty #1
[ 9.226128] Hardware name: RZ/V2M Evaluation Kit 2.0 (DT)
[ 9.231555] pstate: 40000005 (nZcv daif PAN -UAO -TCO -DIT -SSBS BTYPE=-)
[ 9.238557] pc : __pi_strcmp+0x20/0x140
[ 9.242428] lr : pinmux_func_name_to_selector+0x68/0xa4
[ 9.247688] sp : ffff800082c1b630
[ 9.251018] x29: ffff800082c1b630 x28: 0000000000000002 x27: ffff000143ee35c0
[ 9.258201] x26: 0000000000000002 x25: ffff000143ee6100 x24: ffff000143ee35c0
[ 9.265385] x23: ffff80008120ecf8 x22: ffff0001bfab8e88 x21: 0000000000000007
[ 9.272569] x20: ffff0001437ee9c0 x19: 0000000000000006 x18: 0000000000000020
[ 9.279751] x17: 0000000000000000 x16: 0000000000000000 x15: ffffffffffffffff
[ 9.286933] x14: ffffffffffffffff x13: 0000000000000038 x12: 0000000000000040
[ 9.294117] x11: ffff0001430d4db0 x10: 0000fffe40547178 x9 : ffff0001437eea08
[ 9.301300] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000
[ 9.308483] x5 : ffff0001430d4db0 x4 : ffff0001430d4e08 x3 : 0000000000000000
[ 9.315666] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0001bfab8e88
[ 9.322850] Call trace:
[ 9.325308] __pi_strcmp+0x20/0x140
[ 9.328821] pinmux_generic_add_function+0x34/0xcc
[ 9.333643] rzv2m_dt_subnode_to_map+0x2e4/0x418
[ 9.338290] rzv2m_dt_node_to_map+0x15c/0x18c
[ 9.342672] pinctrl_dt_to_map+0x218/0x37c
[ 9.346795] create_pinctrl+0x70/0x3d8

Fixes: 92a9b8252576 ("pinctrl: renesas: Add RZ/V2M pin and gpio controller driver")
Cc: stable@kernel.org
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
---
 drivers/pinctrl/renesas/pinctrl-rzv2m.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/pinctrl/renesas/pinctrl-rzv2m.c b/drivers/pinctrl/renesas/pinctrl-rzv2m.c
index c73784b8b4ba..65718c9bfc0c 100644
--- a/drivers/pinctrl/renesas/pinctrl-rzv2m.c
+++ b/drivers/pinctrl/renesas/pinctrl-rzv2m.c
@@ -14,6 +14,7 @@
 #include <linux/gpio/driver.h>
 #include <linux/io.h>
 #include <linux/module.h>
+#include <linux/mutex.h>
 #include <linux/of.h>
 #include <linux/platform_device.h>
 #include <linux/spinlock.h>
@@ -124,6 +125,7 @@ struct rzv2m_pinctrl {
 	struct pinctrl_gpio_range	gpio_range;
 
 	spinlock_t			lock;
+	struct mutex			mutex; /* serialize adding groups and functions */
 };
 
 static const unsigned int drv_1_8V_group2_uA[] = { 1800, 3800, 7800, 11000 };
@@ -322,10 +324,12 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev,
 		name = np->name;
 	}
 
+	mutex_lock(&pctrl->mutex);
 	/* Register a single pin group listing all the pins we read from DT */
 	gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL);
 	if (gsel < 0) {
 		ret = gsel;
+		mutex_unlock(&pctrl->mutex);
 		goto done;
 	}
 
@@ -340,6 +344,8 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev,
 		goto remove_group;
 	}
 
+	mutex_unlock(&pctrl->mutex);
+
 	maps[idx].type = PIN_MAP_TYPE_MUX_GROUP;
 	maps[idx].data.mux.group = name;
 	maps[idx].data.mux.function = name;
@@ -351,6 +357,7 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev,
 
 remove_group:
 	pinctrl_generic_remove_group(pctldev, gsel);
+	mutex_unlock(&pctrl->mutex);
 done:
 	*index = idx;
 	kfree(configs);
@@ -1065,6 +1072,7 @@ static int rzv2m_pinctrl_probe(struct platform_device *pdev)
 				     "failed to enable GPIO clk\n");
 
 	spin_lock_init(&pctrl->lock);
+	mutex_init(&pctrl->mutex);
 
 	platform_set_drvdata(pdev, pctrl);
 
-- 
2.25.1

Re: [PATCH 2/3] pinctrl: renesas: rzv2m: Fix NULL pointer dereference in rzv2m_dt_subnode_to_map()

[andy.shevchenko]

Mon, Aug 14, 2023 at 08:24:35AM +0100, Biju Das kirjoitti:
> Fix the below random NULL pointer crash during boot by serializing
> groups and functions creation in rzv2m_dt_subnode_to_map() with
> mutex lock.
> 
> Crash logs:
> [ 9.215283] CPU: 0 PID: 104 Comm: systemd-udevd Tainted: G D 6.4.0-next-20230628-g9d42909cfd05-dirty #1
> [ 9.226128] Hardware name: RZ/V2M Evaluation Kit 2.0 (DT)
> [ 9.231555] pstate: 40000005 (nZcv daif PAN -UAO -TCO -DIT -SSBS BTYPE=-)
> [ 9.238557] pc : __pi_strcmp+0x20/0x140
> [ 9.242428] lr : pinmux_func_name_to_selector+0x68/0xa4
> [ 9.247688] sp : ffff800082c1b630
> [ 9.251018] x29: ffff800082c1b630 x28: 0000000000000002 x27: ffff000143ee35c0
> [ 9.258201] x26: 0000000000000002 x25: ffff000143ee6100 x24: ffff000143ee35c0
> [ 9.265385] x23: ffff80008120ecf8 x22: ffff0001bfab8e88 x21: 0000000000000007
> [ 9.272569] x20: ffff0001437ee9c0 x19: 0000000000000006 x18: 0000000000000020
> [ 9.279751] x17: 0000000000000000 x16: 0000000000000000 x15: ffffffffffffffff
> [ 9.286933] x14: ffffffffffffffff x13: 0000000000000038 x12: 0000000000000040
> [ 9.294117] x11: ffff0001430d4db0 x10: 0000fffe40547178 x9 : ffff0001437eea08
> [ 9.301300] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000
> [ 9.308483] x5 : ffff0001430d4db0 x4 : ffff0001430d4e08 x3 : 0000000000000000
> [ 9.315666] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0001bfab8e88
> [ 9.322850] Call trace:
> [ 9.325308] __pi_strcmp+0x20/0x140
> [ 9.328821] pinmux_generic_add_function+0x34/0xcc
> [ 9.333643] rzv2m_dt_subnode_to_map+0x2e4/0x418
> [ 9.338290] rzv2m_dt_node_to_map+0x15c/0x18c
> [ 9.342672] pinctrl_dt_to_map+0x218/0x37c
> [ 9.346795] create_pinctrl+0x70/0x3d8

As per previous patch.

-- 
With Best Regards,
Andy Shevchenko

[PATCH 3/3] pinctrl: renesas: rza2: Add lock around pinctrl_generic{{add,remove}_group,{add,remove}_function}

[Biju Das]

The pinctrl group and function creation/remove calls expect
caller to take care of locking. Add lock around these functions.

Fixes: b59d0e782706 ("pinctrl: Add RZ/A2 pin and gpio controller")
Cc: stable@kernel.org
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
---
 drivers/pinctrl/renesas/pinctrl-rza2.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/pinctrl/renesas/pinctrl-rza2.c b/drivers/pinctrl/renesas/pinctrl-rza2.c
index 0b454a31c4bd..afb595a6eb9e 100644
--- a/drivers/pinctrl/renesas/pinctrl-rza2.c
+++ b/drivers/pinctrl/renesas/pinctrl-rza2.c
@@ -14,6 +14,7 @@
 #include <linux/gpio/driver.h>
 #include <linux/io.h>
 #include <linux/module.h>
+#include <linux/mutex.h>
 #include <linux/of.h>
 #include <linux/pinctrl/pinmux.h>
 #include <linux/platform_device.h>
@@ -47,6 +48,7 @@ struct rza2_pinctrl_priv {
 	struct pinctrl_dev *pctl;
 	struct pinctrl_gpio_range gpio_range;
 	int npins;
+	struct mutex mutex; /* serialize adding groups and functions */
 };
 
 #define RZA2_PDR(port)		(0x0000 + (port) * 2)	/* Direction 16-bit */
@@ -359,10 +361,13 @@ static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev,
 		psel_val[i] = MUX_FUNC(value);
 	}
 
+	mutex_lock(&priv->mutex);
 	/* Register a single pin group listing all the pins we read from DT */
 	gsel = pinctrl_generic_add_group(pctldev, np->name, pins, npins, NULL);
-	if (gsel < 0)
+	if (gsel < 0) {
+		mutex_unlock(&priv->mutex);
 		return gsel;
+	}
 
 	/*
 	 * Register a single group function where the 'data' is an array PSEL
@@ -390,6 +395,7 @@ static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev,
 	(*map)->data.mux.group = np->name;
 	(*map)->data.mux.function = np->name;
 	*num_maps = 1;
+	mutex_unlock(&priv->mutex);
 
 	return 0;
 
@@ -398,6 +404,7 @@ static int rza2_dt_node_to_map(struct pinctrl_dev *pctldev,
 
 remove_group:
 	pinctrl_generic_remove_group(pctldev, gsel);
+	mutex_unlock(&priv->mutex);
 
 	dev_err(priv->dev, "Unable to parse DT node %s\n", np->name);
 
@@ -474,6 +481,8 @@ static int rza2_pinctrl_probe(struct platform_device *pdev)
 	if (IS_ERR(priv->base))
 		return PTR_ERR(priv->base);
 
+	mutex_init(&priv->mutex);
+
 	platform_set_drvdata(pdev, priv);
 
 	priv->npins = (int)(uintptr_t)of_device_get_match_data(&pdev->dev) *
-- 
2.25.1