1. Patchew
  2. linux
  3. View series

[PATCH] gpiolib: fix a NULL-pointer dereference when setting direction

Bartosz Golaszewski posted 1 patch 1 month ago 
drivers/gpio/gpiolib.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
[PATCH] gpiolib: fix a NULL-pointer dereference when setting direction
Posted by Bartosz Golaszewski 1 month ago 
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

For optional GPIOs we may pass NULL to gpiod_direction_(input|output)().
With the call to the notifier chain added by commit 07c61d4da43f
("gpiolib: notify user-space about in-kernel line state changes") we
will now dereference a NULL pointer in this case. The reason for that is
the fact that the expansion of the VALIDATE_DESC() macro (which returns
0 for NULL descriptors) was moved into the nonotify variants of the
direction setters.

Move them back to the top-level interfaces as the nonotify ones are only
ever called from inside the GPIO core and are always passed valid GPIO
descriptors. This way we'll never call the line_state notifier chain
with non-valid descs.

Fixes: 07c61d4da43f ("gpiolib: notify user-space about in-kernel line state changes")
Reported-by: Mark Brown <broonie@kernel.org>
Closes: https://lore.kernel.org/all/d6601a31-7685-4b21-9271-1b76116cc483@sirena.org.uk/
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
---
 drivers/gpio/gpiolib.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index ae758ba6dc3d1..6001ec96693c5 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -2695,6 +2695,8 @@ int gpiod_direction_input(struct gpio_desc *desc)
 {
 	int ret;
 
+	VALIDATE_DESC(desc);
+
 	ret = gpiod_direction_input_nonotify(desc);
 	if (ret == 0)
 		gpiod_line_state_notify(desc, GPIO_V2_LINE_CHANGED_CONFIG);
@@ -2707,8 +2709,6 @@ int gpiod_direction_input_nonotify(struct gpio_desc *desc)
 {
 	int ret = 0;
 
-	VALIDATE_DESC(desc);
-
 	CLASS(gpio_chip_guard, guard)(desc);
 	if (!guard.gc)
 		return -ENODEV;
@@ -2841,6 +2841,8 @@ int gpiod_direction_output(struct gpio_desc *desc, int value)
 {
 	int ret;
 
+	VALIDATE_DESC(desc);
+
 	ret = gpiod_direction_output_nonotify(desc, value);
 	if (ret == 0)
 		gpiod_line_state_notify(desc, GPIO_V2_LINE_CHANGED_CONFIG);
@@ -2854,8 +2856,6 @@ int gpiod_direction_output_nonotify(struct gpio_desc *desc, int value)
 	unsigned long flags;
 	int ret;
 
-	VALIDATE_DESC(desc);
-
 	flags = READ_ONCE(desc->flags);
 
 	if (test_bit(FLAG_ACTIVE_LOW, &flags))
-- 
2.30.2
Re: [PATCH] gpiolib: fix a NULL-pointer dereference when setting direction
Posted by Bartosz Golaszewski 1 month ago 
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>


On Thu, 24 Oct 2024 15:38:34 +0200, Bartosz Golaszewski wrote:
> For optional GPIOs we may pass NULL to gpiod_direction_(input|output)().
> With the call to the notifier chain added by commit 07c61d4da43f
> ("gpiolib: notify user-space about in-kernel line state changes") we
> will now dereference a NULL pointer in this case. The reason for that is
> the fact that the expansion of the VALIDATE_DESC() macro (which returns
> 0 for NULL descriptors) was moved into the nonotify variants of the
> direction setters.
> 
> [...]

Applied, thanks!

[1/1] gpiolib: fix a NULL-pointer dereference when setting direction
      commit: 1f4a640e9ac7f450752365541ad9c064b13ef8bf

Best regards,
-- 
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Re: [PATCH] gpiolib: fix a NULL-pointer dereference when setting direction
Posted by Mark Brown 1 month ago 
On Thu, Oct 24, 2024 at 03:38:34PM +0200, Bartosz Golaszewski wrote:
> From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
> 
> For optional GPIOs we may pass NULL to gpiod_direction_(input|output)().
> With the call to the notifier chain added by commit 07c61d4da43f
> ("gpiolib: notify user-space about in-kernel line state changes") we
> will now dereference a NULL pointer in this case. The reason for that is
> the fact that the expansion of the VALIDATE_DESC() macro (which returns
> 0 for NULL descriptors) was moved into the nonotify variants of the
> direction setters.

I didn't test all the boards but this does get several of them working
so

Tested-by: Mark Brown <broonie@kernel.org>
Re: [PATCH] gpiolib: fix a NULL-pointer dereference when setting direction
Posted by Klara Modin 1 month ago 
On 2024-10-24 15:38, Bartosz Golaszewski wrote:
> From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
> 
> For optional GPIOs we may pass NULL to gpiod_direction_(input|output)().
> With the call to the notifier chain added by commit 07c61d4da43f
> ("gpiolib: notify user-space about in-kernel line state changes") we
> will now dereference a NULL pointer in this case. The reason for that is
> the fact that the expansion of the VALIDATE_DESC() macro (which returns
> 0 for NULL descriptors) was moved into the nonotify variants of the
> direction setters.
> 
> Move them back to the top-level interfaces as the nonotify ones are only
> ever called from inside the GPIO core and are always passed valid GPIO
> descriptors. This way we'll never call the line_state notifier chain
> with non-valid descs.
> 
> Fixes: 07c61d4da43f ("gpiolib: notify user-space about in-kernel line state changes")
> Reported-by: Mark Brown <broonie@kernel.org>
> Closes: https://lore.kernel.org/all/d6601a31-7685-4b21-9271-1b76116cc483@sirena.org.uk/
> Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
> ---
>   drivers/gpio/gpiolib.c | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
> index ae758ba6dc3d1..6001ec96693c5 100644
> --- a/drivers/gpio/gpiolib.c
> +++ b/drivers/gpio/gpiolib.c
> @@ -2695,6 +2695,8 @@ int gpiod_direction_input(struct gpio_desc *desc)
>   {
>   	int ret;
>   
> +	VALIDATE_DESC(desc);
> +
>   	ret = gpiod_direction_input_nonotify(desc);
>   	if (ret == 0)
>   		gpiod_line_state_notify(desc, GPIO_V2_LINE_CHANGED_CONFIG);
> @@ -2707,8 +2709,6 @@ int gpiod_direction_input_nonotify(struct gpio_desc *desc)
>   {
>   	int ret = 0;
>   
> -	VALIDATE_DESC(desc);
> -
>   	CLASS(gpio_chip_guard, guard)(desc);
>   	if (!guard.gc)
>   		return -ENODEV;
> @@ -2841,6 +2841,8 @@ int gpiod_direction_output(struct gpio_desc *desc, int value)
>   {
>   	int ret;
>   
> +	VALIDATE_DESC(desc);
> +
>   	ret = gpiod_direction_output_nonotify(desc, value);
>   	if (ret == 0)
>   		gpiod_line_state_notify(desc, GPIO_V2_LINE_CHANGED_CONFIG);
> @@ -2854,8 +2856,6 @@ int gpiod_direction_output_nonotify(struct gpio_desc *desc, int value)
>   	unsigned long flags;
>   	int ret;
>   
> -	VALIDATE_DESC(desc);
> -
>   	flags = READ_ONCE(desc->flags);
>   
>   	if (test_bit(FLAG_ACTIVE_LOW, &flags))

This patch fixes the issue for me, thanks!

Tested-by: Klara Modin <klarasmodin@gmail.com>
Re: [PATCH] gpiolib: fix a NULL-pointer dereference when setting direction
Posted by Bartosz Golaszewski 1 month ago 
On Thu, Oct 24, 2024 at 3:44 PM Klara Modin <klarasmodin@gmail.com> wrote:
>
> On 2024-10-24 15:38, Bartosz Golaszewski wrote:
> > From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
> >
> > For optional GPIOs we may pass NULL to gpiod_direction_(input|output)().
> > With the call to the notifier chain added by commit 07c61d4da43f
> > ("gpiolib: notify user-space about in-kernel line state changes") we
> > will now dereference a NULL pointer in this case. The reason for that is
> > the fact that the expansion of the VALIDATE_DESC() macro (which returns
> > 0 for NULL descriptors) was moved into the nonotify variants of the
> > direction setters.
> >
> > Move them back to the top-level interfaces as the nonotify ones are only
> > ever called from inside the GPIO core and are always passed valid GPIO
> > descriptors. This way we'll never call the line_state notifier chain
> > with non-valid descs.
> >
> > Fixes: 07c61d4da43f ("gpiolib: notify user-space about in-kernel line state changes")
> > Reported-by: Mark Brown <broonie@kernel.org>
> > Closes: https://lore.kernel.org/all/d6601a31-7685-4b21-9271-1b76116cc483@sirena.org.uk/
> > Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
> > ---
> >   drivers/gpio/gpiolib.c | 8 ++++----
> >   1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
> > index ae758ba6dc3d1..6001ec96693c5 100644
> > --- a/drivers/gpio/gpiolib.c
> > +++ b/drivers/gpio/gpiolib.c
> > @@ -2695,6 +2695,8 @@ int gpiod_direction_input(struct gpio_desc *desc)
> >   {
> >       int ret;
> >
> > +     VALIDATE_DESC(desc);
> > +
> >       ret = gpiod_direction_input_nonotify(desc);
> >       if (ret == 0)
> >               gpiod_line_state_notify(desc, GPIO_V2_LINE_CHANGED_CONFIG);
> > @@ -2707,8 +2709,6 @@ int gpiod_direction_input_nonotify(struct gpio_desc *desc)
> >   {
> >       int ret = 0;
> >
> > -     VALIDATE_DESC(desc);
> > -
> >       CLASS(gpio_chip_guard, guard)(desc);
> >       if (!guard.gc)
> >               return -ENODEV;
> > @@ -2841,6 +2841,8 @@ int gpiod_direction_output(struct gpio_desc *desc, int value)
> >   {
> >       int ret;
> >
> > +     VALIDATE_DESC(desc);
> > +
> >       ret = gpiod_direction_output_nonotify(desc, value);
> >       if (ret == 0)
> >               gpiod_line_state_notify(desc, GPIO_V2_LINE_CHANGED_CONFIG);
> > @@ -2854,8 +2856,6 @@ int gpiod_direction_output_nonotify(struct gpio_desc *desc, int value)
> >       unsigned long flags;
> >       int ret;
> >
> > -     VALIDATE_DESC(desc);
> > -
> >       flags = READ_ONCE(desc->flags);
> >
> >       if (test_bit(FLAG_ACTIVE_LOW, &flags))
>
> This patch fixes the issue for me, thanks!
>
> Tested-by: Klara Modin <klarasmodin@gmail.com>

Mark: if that fixes the issue for you as well, I'd like to pick up
quickly and fix linux-next ASAP. Let me know.

Thanks in advance,
Bartosz

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.