1. Patchew
  2. linux
  3. View series

[PATCH] gpiolib: fix lookup table matching

Bartosz Golaszewski posted 1 patch 1 month ago 
drivers/gpio/gpiolib.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
[PATCH] gpiolib: fix lookup table matching
Posted by Bartosz Golaszewski 1 month ago 
If on any iteration in gpiod_find(), gpio_desc_table_match() returns
NULL (which is normal and expected), we never reinitialize desc back to
ERR_PTR(-ENOENT) and if we don't find a match later on, we will return
NULL causing a NULL-pointer dereference in users not expecting it. Don't
initialize desc, but return ERR_PTR(-ENOENT) explicitly at the end of
the function.

Fixes: 9700b0fccf38 ("gpiolib: allow multiple lookup tables per consumer")
Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
Closes: https://lore.kernel.org/all/00107523-7737-4b92-a785-14ce4e93b8cb@samsung.com/
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
---
 drivers/gpio/gpiolib.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index fc382f43f9fc..0a14085f3871 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -4602,8 +4602,8 @@ static struct gpio_desc *gpio_desc_table_match(struct device *dev, const char *c
 static struct gpio_desc *gpiod_find(struct device *dev, const char *con_id,
 				    unsigned int idx, unsigned long *flags)
 {
-	struct gpio_desc *desc = ERR_PTR(-ENOENT);
 	struct gpiod_lookup_table *table;
+	struct gpio_desc *desc;
 
 	guard(mutex)(&gpio_lookup_lock);
 
@@ -4619,7 +4619,7 @@ static struct gpio_desc *gpiod_find(struct device *dev, const char *con_id,
 		return desc;
 	}
 
-	return desc;
+	return ERR_PTR(-ENOENT);
 }
 
 static int platform_gpio_count(struct device *dev, const char *con_id)
-- 
2.47.3
Re: [PATCH] gpiolib: fix lookup table matching
Posted by Val Packett 1 month ago 
On 1/8/26 7:23 AM, Bartosz Golaszewski wrote:

> If on any iteration in gpiod_find(), gpio_desc_table_match() returns
> NULL (which is normal and expected), we never reinitialize desc back to
> ERR_PTR(-ENOENT) and if we don't find a match later on, we will return
> NULL causing a NULL-pointer dereference in users not expecting it. Don't
> initialize desc, but return ERR_PTR(-ENOENT) explicitly at the end of
> the function.
>
> Fixes: 9700b0fccf38 ("gpiolib: allow multiple lookup tables per consumer")
> Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
> Closes: https://lore.kernel.org/all/00107523-7737-4b92-a785-14ce4e93b8cb@samsung.com/
> Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>


Tested-by: Val Packett <val@packett.cool>

This also fixes things on Qualcomm x1e laptops (same NULL deref logged 
from snd_soc_wcd938x wcd938x_probe, but as a consequence the display&gpu 
subsystem also wouldn't work)
Re: [PATCH] gpiolib: fix lookup table matching
Posted by Bartosz Golaszewski 1 month ago 
On Thu, 08 Jan 2026 11:23:14 +0100, Bartosz Golaszewski wrote:
> If on any iteration in gpiod_find(), gpio_desc_table_match() returns
> NULL (which is normal and expected), we never reinitialize desc back to
> ERR_PTR(-ENOENT) and if we don't find a match later on, we will return
> NULL causing a NULL-pointer dereference in users not expecting it. Don't
> initialize desc, but return ERR_PTR(-ENOENT) explicitly at the end of
> the function.
> 
> [...]

Applied, thanks!

[1/1] gpiolib: fix lookup table matching
      commit: 36f597bba049928004a050c132ab787ba0eba524

Best regards,
-- 
Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Re: [PATCH] gpiolib: fix lookup table matching
Posted by Marek Szyprowski 1 month ago 
On 08.01.2026 11:23, Bartosz Golaszewski wrote:
> If on any iteration in gpiod_find(), gpio_desc_table_match() returns
> NULL (which is normal and expected), we never reinitialize desc back to
> ERR_PTR(-ENOENT) and if we don't find a match later on, we will return
> NULL causing a NULL-pointer dereference in users not expecting it. Don't
> initialize desc, but return ERR_PTR(-ENOENT) explicitly at the end of
> the function.
>
> Fixes: 9700b0fccf38 ("gpiolib: allow multiple lookup tables per consumer")
> Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
> Closes: https://lore.kernel.org/all/00107523-7737-4b92-a785-14ce4e93b8cb@samsung.com/
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
> Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
> ---
>   drivers/gpio/gpiolib.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
> index fc382f43f9fc..0a14085f3871 100644
> --- a/drivers/gpio/gpiolib.c
> +++ b/drivers/gpio/gpiolib.c
> @@ -4602,8 +4602,8 @@ static struct gpio_desc *gpio_desc_table_match(struct device *dev, const char *c
>   static struct gpio_desc *gpiod_find(struct device *dev, const char *con_id,
>   				    unsigned int idx, unsigned long *flags)
>   {
> -	struct gpio_desc *desc = ERR_PTR(-ENOENT);
>   	struct gpiod_lookup_table *table;
> +	struct gpio_desc *desc;
>   
>   	guard(mutex)(&gpio_lookup_lock);
>   
> @@ -4619,7 +4619,7 @@ static struct gpio_desc *gpiod_find(struct device *dev, const char *con_id,
>   		return desc;
>   	}
>   
> -	return desc;
> +	return ERR_PTR(-ENOENT);
>   }
>   
>   static int platform_gpio_count(struct device *dev, const char *con_id)

Best regards
-- 
Marek Szyprowski, PhD
Samsung R&D Institute Poland

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.