From nobody Mon Feb  9 10:24:40 2026
Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com
 [209.85.221.51])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id A2EE274E10
	for <linux-kernel@vger.kernel.org>; Thu,  4 Apr 2024 09:33:37 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.221.51
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1712223220; cv=none;
 b=V0n10BLL7izUUs4z9vpsjs25PTmuiNKcCtp64CU+dmQUQNIy1J8EQWSOfB9gBRIcDlT+7fxtdRInN0INoVURGLDR0PeSSAHArlV20BUn5nEUoCPN/zpEoFzr7h7aaGSol+coIklNwYKrZAfE4+InXQdZZGVMVizCWdJLQjgIk0g=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1712223220; c=relaxed/simple;
	bh=4JZgCjJUm3vYm3YzQEvW4qxgetUWkPZYeaBKSxKI9SM=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=ZeCiJ6qpErl0BbJB4ZoqFqDVH7tszsFc7eUHLiM+R+K763rftj4LhkH+cD4KmGmV4mnYaYja/g0y/YhHHrVKFfbn4rB+0NKdwv15rWKfNEafg2IiKg6jXPSe0AqeNWELLdRkNOcsSJiZTN4jrUSNj0fb+vpxVQakaphei9rG2w4=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=bgdev.pl;
 spf=none smtp.mailfrom=bgdev.pl;
 dkim=pass (2048-bit key) header.d=bgdev-pl.20230601.gappssmtp.com
 header.i=@bgdev-pl.20230601.gappssmtp.com header.b=1jUiGQsi;
 arc=none smtp.client-ip=209.85.221.51
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=bgdev.pl
Authentication-Results: smtp.subspace.kernel.org;
 spf=none smtp.mailfrom=bgdev.pl
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=bgdev-pl.20230601.gappssmtp.com
 header.i=@bgdev-pl.20230601.gappssmtp.com header.b="1jUiGQsi"
Received: by mail-wr1-f51.google.com with SMTP id
 ffacd0b85a97d-341c7c8adf3so550775f8f.0
        for <linux-kernel@vger.kernel.org>;
 Thu, 04 Apr 2024 02:33:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=bgdev-pl.20230601.gappssmtp.com; s=20230601; t=1712223216;
 x=1712828016; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=yCosdLqhfQl3fw66HOWtcsInpfXJnB5cNYDVDMw2WSI=;
        b=1jUiGQsi+WWK+1+qAiUAoUpvA1zYUELalUXm33hqzTGxHHB1vtemRxaPWq0Vbtb+T2
         Oixd2UB70tbG9KoM+yXI5yr8p/UdswUnq1nH+BpzwSR2WnImV5my+woLLfEijx1MZtk+
         rc4EZgOtyIMsybjCHpO4BFP22Ath8ARdkQqe1JGRlGna8ztlHxmbtT5wNT5KkNtmUENQ
         J9xQeS1u9Be3y2SX02NokVwD+3m+K+A18uUMrTDP+QvI1pfg3Qf75VEVnFoVt1+ch2HS
         QEl2paJCG339pbpwJKDX0jBNt4eUWGmhV14TYiTMAe226xhpuxRfH0HZicb22pqEojA6
         tQ4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1712223216; x=1712828016;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=yCosdLqhfQl3fw66HOWtcsInpfXJnB5cNYDVDMw2WSI=;
        b=JVcZAG718JIaQYJ+2IWR1XQLPLGfTNckgfuKBdtYDXRlAKwchdbiKRhlWsxKo1ql9l
         fd39ZXVLd5lJwSp+F/8XyEIcK47a+ZHy1PIz/1/6iTPAkzYjhRwLa2VQL8yiyTBgRDpY
         ayLHajAgOpzBf0jKfhiQxhWrFuxFX2fzjPoYlXDzh5gtrpa7KWdJvNkaZqfNvpXrdZwD
         ZrHWsHZbgI9w/Ea9mYW4YtQmGSLTjYy3T2UBJ9WMFkAhf1k9FumnLi2F1dUNyOr6SCRl
         tf02aCVxiEjHnLLT4GSvYl4DWqmm+S/kDYPM/RaV8eJcm4IkqoaZOfjMfj8T0LBob6II
         3f3w==
X-Forwarded-Encrypted: i=1;
 AJvYcCVQA7BQPyYu5j08x3N34mNL1GHusgglCJ15PytmGJkF+HFcZNyCQK6Qx2xH6GJKZTuJILgFgReYMJYcPaVYWYnSjSuqblLmw5hlrLYW
X-Gm-Message-State: AOJu0YyAXWOe0YuzTRCP6T5rQjCv+eE6YZ6XdCIEtHCn+pVLvs5Afjyo
	o64r9olW6kRW0nvArfZJaHivNnQZBCAR0iLKQdTYka8BOdE5fWysH+dVm/sELPI=
X-Google-Smtp-Source: 
 AGHT+IG/TIAUQlpBfX246W5n8aJB90Wlo9DLZd33LwoDVmI9J0u0/E/wz4hT0vsMAcQf6ic4xbbomA==
X-Received: by 2002:a5d:5242:0:b0:343:aeab:2cd9 with SMTP id
 k2-20020a5d5242000000b00343aeab2cd9mr1250422wrc.11.1712223215865;
        Thu, 04 Apr 2024 02:33:35 -0700 (PDT)
Received: from brgl-uxlite.home ([2a01:cb1d:75a:e000:220a:565e:2927:8cf0])
        by smtp.gmail.com with ESMTPSA id
 dj13-20020a0560000b0d00b0033e9fca1e49sm19436385wrb.60.2024.04.04.02.33.34
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 04 Apr 2024 02:33:34 -0700 (PDT)
From: Bartosz Golaszewski <brgl@bgdev.pl>
To: Kent Gibson <warthog618@gmail.com>,
	Linus Walleij <linus.walleij@linaro.org>
Cc: linux-gpio@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Alexey Dobriyan <adobriyan@gmail.com>,
	stable@vger.kernel.org,
	Stefan Wahren <wahrenst@gmx.net>,
	Bartosz Golaszewski <bartosz.golaszewski@linaro.org>,
	Linux Kernel Functional Testing <lkft@linaro.org>
Subject: [PATCH v2 1/2] gpio: cdev: check for NULL labels when sanitizing them
 for irqs
Date: Thu,  4 Apr 2024 11:33:27 +0200
Message-Id: <20240404093328.21604-2-brgl@bgdev.pl>
X-Mailer: git-send-email 2.40.1
In-Reply-To: <20240404093328.21604-1-brgl@bgdev.pl>
References: <20240404093328.21604-1-brgl@bgdev.pl>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

We need to take into account that a line's consumer label may be NULL
and not try to kstrdup() it in that case but rather pass the NULL
pointer up the stack to the interrupt request function.

To that end: let make_irq_label() return NULL as a valid return value
and use ERR_PTR() instead to signal an allocation failure to callers.

Cc: stable@vger.kernel.org
Fixes: b34490879baa ("gpio: cdev: sanitize the label before requesting the =
interrupt")
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
Closes: https://lore.kernel.org/lkml/20240402093534.212283-1-naresh.kamboju=
@linaro.org/
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Tested-by: Anders Roxell <anders.roxell@linaro.org>
---
 drivers/gpio/gpiolib-cdev.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index fa9635610251..1426cc1c4a28 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -1085,7 +1085,16 @@ static u32 gpio_v2_line_config_debounce_period(struc=
t gpio_v2_line_config *lc,
=20
 static inline char *make_irq_label(const char *orig)
 {
-	return kstrdup_and_replace(orig, '/', ':', GFP_KERNEL);
+	char *new;
+
+	if (!orig)
+		return NULL;
+
+	new =3D kstrdup_and_replace(orig, '/', ':', GFP_KERNEL);
+	if (!new)
+		return ERR_PTR(-ENOMEM);
+
+	return new;
 }
=20
 static inline void free_irq_label(const char *label)
@@ -1158,8 +1167,8 @@ static int edge_detector_setup(struct line *line,
 	irqflags |=3D IRQF_ONESHOT;
=20
 	label =3D make_irq_label(line->req->label);
-	if (!label)
-		return -ENOMEM;
+	if (IS_ERR(label))
+		return PTR_ERR(label);
=20
 	/* Request a thread to read the events */
 	ret =3D request_threaded_irq(irq, edge_irq_handler, edge_irq_thread,
@@ -2217,8 +2226,8 @@ static int lineevent_create(struct gpio_device *gdev,=
 void __user *ip)
 		goto out_free_le;
=20
 	label =3D make_irq_label(le->label);
-	if (!label) {
-		ret =3D -ENOMEM;
+	if (IS_ERR(label)) {
+		ret =3D PTR_ERR(label);
 		goto out_free_le;
 	}
=20
--=20
2.40.1
From nobody Mon Feb  9 10:24:40 2026
Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com
 [209.85.221.51])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1F9958287C
	for <linux-kernel@vger.kernel.org>; Thu,  4 Apr 2024 09:33:38 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.221.51
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1712223221; cv=none;
 b=Ol1kTktX7ifw2ebEywJNdT5FYv1xM3H1u+4yDFpPMekcp9puml4xSDvotpXYTorGpxHzFO6wE9t1w83xKamlFnj2ZXiCxsiiEjv5hfVOSJtSRG8DBFmjvtemIOahBMBQ8Eo47bcYVMiG0hnFCgJq8lNNO1Y5GIiMyNbH8uJ+rVY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1712223221; c=relaxed/simple;
	bh=QikKFsZX5Z+SQME56UGEE4G7WVpkXWaJpct3ts0Ipc8=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version;
 b=q88ByZMR+z/dT2GNUhOn3Gvw6ruGhoMnJbuVsrpLUy+mu95Qic2E4cv1CCc9/ztLL9YaVRcwlutr1TT5qffPvB+30Au/jiRRSN4RKioUI8nZIN4Tx/mB9KRH0ZE6km5aBQ8b4dHYIKjExSjPJW5/2vAtqlaIrkTSDtEFa6hXwxo=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=bgdev.pl;
 spf=none smtp.mailfrom=bgdev.pl;
 dkim=pass (2048-bit key) header.d=bgdev-pl.20230601.gappssmtp.com
 header.i=@bgdev-pl.20230601.gappssmtp.com header.b=gYZuhYkC;
 arc=none smtp.client-ip=209.85.221.51
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=bgdev.pl
Authentication-Results: smtp.subspace.kernel.org;
 spf=none smtp.mailfrom=bgdev.pl
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=bgdev-pl.20230601.gappssmtp.com
 header.i=@bgdev-pl.20230601.gappssmtp.com header.b="gYZuhYkC"
Received: by mail-wr1-f51.google.com with SMTP id
 ffacd0b85a97d-343cfa6faf0so8391f8f.0
        for <linux-kernel@vger.kernel.org>;
 Thu, 04 Apr 2024 02:33:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=bgdev-pl.20230601.gappssmtp.com; s=20230601; t=1712223217;
 x=1712828017; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=qbnVrvd22lq0FsuqRTbRtCkxT8J8OwHTwKvqCj8JxUU=;
        b=gYZuhYkCmSQM23wfzmyDfHLLvPED4Wl4mOgWYUOe1wVSBG8B/BgZ+NmNjPplVkp28F
         PP7oTAv+NWWzoAJeQt8/SmhqlvRgBB5MB25APnFqIRLpX3cL5jj+AbhEWIB3pK4ACXXu
         NOWqg0SyEIBvy0j7uDNxmOCvbV46xBclFU2MxB9wKAcxKk8p2v7AJz0AJB6EYXjKl+11
         P46WvFau/yoB/ht+tVsB5ELkS5Y32fK9ANb9afde22CT3qdmYTjduXsjudZAw/DSlAP2
         R+OzRPorUxtLMYPgTZx1FHitg0vDQSnIGP1CglJPQiRwhuMNzukQvjjHJtGZWfqZUPz0
         c65w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1712223217; x=1712828017;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=qbnVrvd22lq0FsuqRTbRtCkxT8J8OwHTwKvqCj8JxUU=;
        b=M/8SQ+CsDkEa9G4k7nWwHAsrCSkwN3LzUhV7iVOf20/B4A6YvTfIJNiTgp/aD2S/aI
         vuvP5NVIYlcvmMEFCe1BjVDvl5d5om6y9paz3iud7xpsXc44GFSUA7MG16o/DeAORncA
         e3nxyzZu+z3byHu2YPQfyAggyNiwCfD8ea4yLYnQnVsGr/46+XrA5ZMf7cHt7PB5Sifu
         DM+ibiHTkag9GXp/kP9wzEpIC0JeKPjPfpIOxJ1Z5IF4xamD14ydCC9+W3Q5ilYxd2hc
         Jwc29fNyy4sOA4ti2MESBFDnZCpB3/7YUIiHf5Vlr6OmgC01skihEvUsEg745GS/064e
         8BTw==
X-Forwarded-Encrypted: i=1;
 AJvYcCXse4fskZNzZ5njc4HSOsFoFL5uTCxExZoHZPAjHOWGhwQ6IxN6l155x0LFhNYh7z+9duIzl0S3MERjCqBoltO5j9LYxbx4fMSA7EVj
X-Gm-Message-State: AOJu0Yy81a3e5+LPyfOD19H8Z9NJqPevAJfhLZJ/cBtF0MgGEjSlK4BQ
	rvJxteVfGYpikwHW/YPHUzAVNe+84sFoMTR77z8uYwgQrqY7nXcotruEDurXQt4=
X-Google-Smtp-Source: 
 AGHT+IH4Xuhodhs7j0LM3R9BjUEjQahSlYUFbtB6dhoYLc15+hktejYI24fxveoEX5zCL0O3Jf423g==
X-Received: by 2002:a5d:568a:0:b0:33e:cf4d:c583 with SMTP id
 f10-20020a5d568a000000b0033ecf4dc583mr1724153wrv.16.1712223217370;
        Thu, 04 Apr 2024 02:33:37 -0700 (PDT)
Received: from brgl-uxlite.home ([2a01:cb1d:75a:e000:220a:565e:2927:8cf0])
        by smtp.gmail.com with ESMTPSA id
 dj13-20020a0560000b0d00b0033e9fca1e49sm19436385wrb.60.2024.04.04.02.33.36
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 04 Apr 2024 02:33:36 -0700 (PDT)
From: Bartosz Golaszewski <brgl@bgdev.pl>
To: Kent Gibson <warthog618@gmail.com>,
	Linus Walleij <linus.walleij@linaro.org>
Cc: linux-gpio@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Alexey Dobriyan <adobriyan@gmail.com>,
	stable@vger.kernel.org,
	Stefan Wahren <wahrenst@gmx.net>,
	Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Subject: [PATCH v2 2/2] gpio: cdev: fix missed label sanitizing in
 debounce_setup()
Date: Thu,  4 Apr 2024 11:33:28 +0200
Message-Id: <20240404093328.21604-3-brgl@bgdev.pl>
X-Mailer: git-send-email 2.40.1
In-Reply-To: <20240404093328.21604-1-brgl@bgdev.pl>
References: <20240404093328.21604-1-brgl@bgdev.pl>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Kent Gibson <warthog618@gmail.com>

When adding sanitization of the label, the path through
edge_detector_setup() that leads to debounce_setup() was overlooked.
A request taking this path does not allocate a new label and the
request label is freed twice when the request is released, resulting
in memory corruption.

Add label sanitization to debounce_setup().

Cc: stable@vger.kernel.org
Fixes: b34490879baa ("gpio: cdev: sanitize the label before requesting the =
interrupt")
Signed-off-by: Kent Gibson <warthog618@gmail.com>
[Bartosz: rebased on top of the fix for empty GPIO labels]
Co-developed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
---
 drivers/gpio/gpiolib-cdev.c | 47 +++++++++++++++++++++----------------
 1 file changed, 27 insertions(+), 20 deletions(-)

diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index 1426cc1c4a28..6fe978535047 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -728,6 +728,25 @@ static u32 line_event_id(int level)
 		       GPIO_V2_LINE_EVENT_FALLING_EDGE;
 }
=20
+static inline char *make_irq_label(const char *orig)
+{
+	char *new;
+
+	if (!orig)
+		return NULL;
+
+	new =3D kstrdup_and_replace(orig, '/', ':', GFP_KERNEL);
+	if (!new)
+		return ERR_PTR(-ENOMEM);
+
+	return new;
+}
+
+static inline void free_irq_label(const char *label)
+{
+	kfree(label);
+}
+
 #ifdef CONFIG_HTE
=20
 static enum hte_return process_hw_ts_thread(void *p)
@@ -1015,6 +1034,7 @@ static int debounce_setup(struct line *line, unsigned=
 int debounce_period_us)
 {
 	unsigned long irqflags;
 	int ret, level, irq;
+	char *label;
=20
 	/* try hardware */
 	ret =3D gpiod_set_debounce(line->desc, debounce_period_us);
@@ -1037,11 +1057,17 @@ static int debounce_setup(struct line *line, unsign=
ed int debounce_period_us)
 			if (irq < 0)
 				return -ENXIO;
=20
+			label =3D make_irq_label(line->req->label);
+			if (IS_ERR(label))
+				return -ENOMEM;
+
 			irqflags =3D IRQF_TRIGGER_FALLING | IRQF_TRIGGER_RISING;
 			ret =3D request_irq(irq, debounce_irq_handler, irqflags,
 					  line->req->label, line);
-			if (ret)
+			if (ret) {
+				free_irq_label(label);
 				return ret;
+			}
 			line->irq =3D irq;
 		} else {
 			ret =3D hte_edge_setup(line, GPIO_V2_LINE_FLAG_EDGE_BOTH);
@@ -1083,25 +1109,6 @@ static u32 gpio_v2_line_config_debounce_period(struc=
t gpio_v2_line_config *lc,
 	return 0;
 }
=20
-static inline char *make_irq_label(const char *orig)
-{
-	char *new;
-
-	if (!orig)
-		return NULL;
-
-	new =3D kstrdup_and_replace(orig, '/', ':', GFP_KERNEL);
-	if (!new)
-		return ERR_PTR(-ENOMEM);
-
-	return new;
-}
-
-static inline void free_irq_label(const char *label)
-{
-	kfree(label);
-}
-
 static void edge_detector_stop(struct line *line)
 {
 	if (line->irq) {
--=20
2.40.1