From b0dcf4ad9070dd34a95992e2edcec20adba55e3a Mon Sep 17 00:00:00 2001
From: zzzzzzzzzy9 <zhang.yu58@zte.com.cn>
Date: Mon, 30 Jun 2025 16:49:59 +0800
Subject: [PATCH] pinctrl: fix deadlock in create_pinctrl() when handling
 -EPROBE_DEFER

commit 4038c57bf61631219b31f1bd6e92106ec7f084dc upstream.

In create_pinctrl(), pinctrl_maps_mutex is acquired before calling
add_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl()
calls pinctrl_free(). However, pinctrl_free() attempts to acquire
pinctrl_maps_mutex, which is already held by create_pinctrl(), leading to
a potential deadlock.

This patch resolves the issue by releasing pinctrl_maps_mutex before
calling pinctrl_free(), preventing the deadlock.

This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.

Fixes: 42fed7ba44e4 ("pinctrl: move subsystem mutex to pinctrl_dev struct")
Suggested-by: Maximilian Heyne <mheyne@amazon.de>
Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
Link: https://lore.kernel.org/r/20240604085838.3344-1-hagarhem@amazon.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Fixes: CVE-2024-42090
Signed-off-by: zzzzzzzzzy9 <zhang.yu58@zte.com.cn>
Reviewed-by: Huang Jian <huang.jian@zte.com.cn>
Link: https://gitee.com/anolis/embedded-kernel/pulls/923
---
 drivers/pinctrl/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c
index 7f0557ba7e0d..7342148c6572 100644
--- a/drivers/pinctrl/core.c
+++ b/drivers/pinctrl/core.c
@@ -1101,8 +1101,8 @@ static struct pinctrl *create_pinctrl(struct device *dev,
 		 * an -EPROBE_DEFER later, as that is the worst case.
 		 */
 		if (ret == -EPROBE_DEFER) {
-			pinctrl_free(p, false);
 			mutex_unlock(&pinctrl_maps_mutex);
+			pinctrl_free(p, false);
 			return ERR_PTR(ret);
 		}
 	}
-- 
Gitee