[PATCH] [PATCH] gpiolib: Fix Oops in gpiod_direction_input_nonotify()

Dan Carpenter posted 1 patch 9 months, 3 weeks ago
There is a newer version of this series
drivers/gpio/gpiolib.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
[PATCH] [PATCH] gpiolib: Fix Oops in gpiod_direction_input_nonotify()
Posted by Dan Carpenter 9 months, 3 weeks ago
The gpiod_direction_input_nonotify() function is supposed to return zero
if the direction for the pin is input.  But instead it accidentally
returns GPIO_LINE_DIRECTION_IN (1) which will be cast into an ERR_PTR()
in gpiochip_request_own_desc().  The callers dereference it and it leads
to a crash.

I changed gpiod_direction_output_raw_commit() just for consistency but
returning GPIO_LINE_DIRECTION_OUT (0) is fine.

Cc: stable@vger.kernel.org
Fixes: 9d846b1aebbe ("gpiolib: check the return value of gpio_chip::get_direction()")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/gpio/gpiolib.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index e8678a6c82ea..d41812468e1c 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -2804,11 +2804,13 @@ int gpiod_direction_input_nonotify(struct gpio_desc *desc)
 		ret = gpiochip_direction_input(guard.gc,
 					       gpio_chip_hwgpio(desc));
 	} else if (guard.gc->get_direction) {
-		ret = gpiochip_get_direction(guard.gc, gpio_chip_hwgpio(desc));
-		if (ret < 0)
-			return ret;
+		int dir;
+
+		dir = gpiochip_get_direction(guard.gc, gpio_chip_hwgpio(desc));
+		if (dir < 0)
+			return dir;
 
-		if (ret != GPIO_LINE_DIRECTION_IN) {
+		if (dir != GPIO_LINE_DIRECTION_IN) {
 			gpiod_warn(desc,
 				   "%s: missing direction_input() operation and line is output\n",
 				    __func__);
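Review bot: In the `else if (guard.gc->get_direction)` branch, `ret` is no longer written on the success path, so the value returned when `dir == GPIO_LINE_DIRECTION_IN` now depends on how `ret` was set before this hunk, which the visible lines do not show. Please confirm `ret` is initialized to 0 at its declaration; if it is not, add `ret = 0;` in this branch. A one-line comment stating that the function returns 0 or a negative errno, never a direction value, would also help keep the positive GPIO_LINE_DIRECTION_IN from leaking out as a return code again.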
@@ -2851,12 +2853,14 @@ static int gpiod_direction_output_raw_commit(struct gpio_desc *desc, int value)
 	} else {
 		/* Check that we are in output mode if we can */
 		if (guard.gc->get_direction) {
-			ret = gpiochip_get_direction(guard.gc,
+			int dir;
+
+			dir = gpiochip_get_direction(guard.gc,
 						     gpio_chip_hwgpio(desc));
-			if (ret < 0)
-				return ret;
+			if (dir < 0)
+				return dir;
 
-			if (ret != GPIO_LINE_DIRECTION_OUT) {
+			if (dir != GPIO_LINE_DIRECTION_OUT) {
 				gpiod_warn(desc,
 					   "%s: missing direction_output() operation\n",
 					   __func__);
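Review bot: In the `if (guard.gc->get_direction)` block, the old code left `ret` at GPIO_LINE_DIRECTION_OUT (0) after a successful check, while the new code leaves `ret` untouched, so this is the pure consistency change the commit message describes only if `ret` is already 0 at this point; the lines shown do not establish that. Since the patch is Cc'd to stable and this hunk does not fix the crash, consider splitting it into a follow-up cleanup so the backport carries only the gpiod_direction_input_nonotify() change.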
-- 
2.47.2
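
The failure mode described in the commit message above, as an added example that is not part of the original patch or of the kernel source: a userspace model of ERR_PTR()/IS_ERR() showing why a positive return value such as GPIO_LINE_DIRECTION_IN (1) produces a pointer that passes the IS_ERR() check. `request_desc()`, `classify()`, `struct desc` and `EINVAL_MODEL` are hypothetical stand-ins, and the helper definitions are simplified from the kernel's.

```c
/* Userspace model of the kernel's ERR_PTR()/IS_ERR() convention. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095
#define EINVAL_MODEL 22            /* constructed stand-in for EINVAL */
#define GPIO_LINE_DIRECTION_OUT 0
#define GPIO_LINE_DIRECTION_IN  1

static void *ERR_PTR(long error) { return (void *)error; }

/* Only the top MAX_ERRNO addresses (i.e. -4095..-1) count as errors. */
static bool IS_ERR(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

struct desc { int flags; };        /* hypothetical stand-in for struct gpio_desc */
static struct desc the_desc;

/* Hypothetical requester: any non-zero setup result is wrapped in ERR_PTR(). */
static struct desc *request_desc(int setup_ret)
{
	if (setup_ret)
		return ERR_PTR(setup_ret);
	return &the_desc;
}

/* What a caller that only checks IS_ERR() ends up holding. */
enum verdict { USABLE, REJECTED, BOGUS_POINTER };

static enum verdict classify(int setup_ret)
{
	struct desc *d = request_desc(setup_ret);

	if (IS_ERR(d))
		return REJECTED;           /* negative errno: handled correctly */
	return d == &the_desc ? USABLE : BOGUS_POINTER;
}

int main(void)
{
	printf("ret=0   -> %d\n", classify(GPIO_LINE_DIRECTION_OUT)); /* USABLE */
	printf("ret=-22 -> %d\n", classify(-EINVAL_MODEL));           /* REJECTED */
	printf("ret=1   -> %d\n", classify(GPIO_LINE_DIRECTION_IN));  /* BOGUS_POINTER */
	return 0;
}
```

The third case is the one the patch closes: the pointer value 0x1 is neither NULL nor in the error range, so a caller that checks only IS_ERR() goes on to dereference it.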
Re: [PATCH] [PATCH] gpiolib: Fix Oops in gpiod_direction_input_nonotify()
Posted by Bartosz Golaszewski 9 months, 3 weeks ago
On Thu, Feb 27, 2025 at 9:17 AM Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> The gpiod_direction_input_nonotify() function is supposed to return zero
> if the direction for the pin is input.  But instead it accidentally
> returns GPIO_LINE_DIRECTION_IN (1) which will be cast into an ERR_PTR()
> in gpiochip_request_own_desc().  The callers dereference it and it leads
> to a crash.
>
> I changed gpiod_direction_output_raw_commit() just for consistency but
> returning GPIO_LINE_DIRECTION_OUT (0) is fine.
>
> Cc: stable@vger.kernel.org
> Fixes: 9d846b1aebbe ("gpiolib: check the return value of gpio_chip::get_direction()")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---

This doesn't apply on top of v6.14-rc4, could you please rebase and
resend? Thanks for the catch!

Bartosz
Re: [PATCH] [PATCH] gpiolib: Fix Oops in gpiod_direction_input_nonotify()
Posted by Dan Carpenter 9 months, 3 weeks ago
On Fri, Feb 28, 2025 at 12:06:24PM +0100, Bartosz Golaszewski wrote:
> On Thu, Feb 27, 2025 at 9:17 AM Dan Carpenter <dan.carpenter@linaro.org> wrote:
> >
> > The gpiod_direction_input_nonotify() function is supposed to return zero
> > if the direction for the pin is input.  But instead it accidentally
> > returns GPIO_LINE_DIRECTION_IN (1) which will be cast into an ERR_PTR()
> > in gpiochip_request_own_desc().  The callers dereference it and it leads
> > to a crash.
> >
> > I changed gpiod_direction_output_raw_commit() just for consistency but
> > returning GPIO_LINE_DIRECTION_OUT (0) is fine.
> >
> > Cc: stable@vger.kernel.org
> > Fixes: 9d846b1aebbe ("gpiolib: check the return value of gpio_chip::get_direction()")
> > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> > ---
> 
> This doesn't apply on top of v6.14-rc4, could you please rebase and
> resend? Thanks for the catch!

Sure, of course.

regards,
dan carpenter