From: Peng Fan peng.fan@nxp.com
[ Upstream commit dddbd233e67e792bb0a3f9694a4707e6be29b2c6 ]
&chan->lock is not supposed to protect 'chan->mbox'. And in __mbox_bind_client, try_module_get is also not protected by &chan->lock. So move module_put out of the lock protected region.
Signed-off-by: Peng Fan peng.fan@nxp.com Signed-off-by: Jassi Brar jassisinghbrar@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org ---
**YES** This commit should be backported to stable kernel trees. **Analysis:** 1. **Clear Bug Fix**: The commit fixes an improper use of `module_put()` under a spinlock in `mbox_free_channel()`. Looking at the current code in `/home/sasha/linux/drivers/mailbox/mailbox.c:489`, `module_put()` is called while holding `&chan->lock` with `spin_lock_irqsave()`. 2. **Locking Inconsistency**: The commit message correctly identifies that `&chan->lock` is not supposed to protect `chan->mbox`. In `__mbox_bind_client()` (line 324), `try_module_get(chan->mbox->dev->driver->owner)` is called **outside** the spinlock protection, making the current `module_put()` placement inconsistent. 3. **Minimal Risk Change**: The fix is extremely simple and low-risk - it just moves one line (`module_put()`) outside the spinlock region. This maintains the same operation order but fixes the locking issue. 4. **No Side Effects**: Moving `module_put()` outside the lock doesn't change the functionality or introduce new race conditions. The `module_put()` implementation uses `atomic_dec_if_positive()`, so it's safe to call without additional locking. 5. **Follows Stable Rules**: This commit: - Fixes a real locking issue that could potentially cause problems - Is small and contained (single line move) - Has minimal regression risk - Doesn't introduce new features or architectural changes 6. **Similar Pattern**: Looking at similar commits in the historical references, commits that fix locking issues (like Similar Commit #5 which fixed a locking bug in mailbox-test) were marked as YES for backporting. The commit addresses a legitimate kernel locking violation where `module_put()` should not be called under a spinlock, making it a suitable candidate for stable tree backporting.
drivers/mailbox/mailbox.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c index 6f54501dc7762..cb31ad917b352 100644 --- a/drivers/mailbox/mailbox.c +++ b/drivers/mailbox/mailbox.c @@ -459,8 +459,8 @@ void mbox_free_channel(struct mbox_chan *chan) if (chan->txdone_method == TXDONE_BY_ACK) chan->txdone_method = TXDONE_BY_POLL;
- module_put(chan->mbox->dev->driver->owner); spin_unlock_irqrestore(&chan->lock, flags); + module_put(chan->mbox->dev->driver->owner); } EXPORT_SYMBOL_GPL(mbox_free_channel);