If *ppos is non-zero then simple_write_to_buffer() won't initialize the
start of the buffer.  Really, non-zero values for *ppos aren't going to
work at all.  Check for that return -EINVAL at the start of the function.

Fixes: 91581c4b3f29 ("gpio: virtuser: new virtual testing driver for the GPIO API")
Signed-off-by: Dan Carpenter <error27@gmail.com>
---

 drivers/gpio/gpio-virtuser.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpio/gpio-virtuser.c b/drivers/gpio/gpio-virtuser.c
index 128520d340d4..846f8688fec5 100644
--- a/drivers/gpio/gpio-virtuser.c
+++ b/drivers/gpio/gpio-virtuser.c
@@ -397,7 +397,7 @@ static ssize_t gpio_virtuser_direction_do_write(struct file *file,
 	char buf[32], *trimmed;
 	int ret, dir, val = 0;
 
-	if (count >= sizeof(buf))
+	if (*ppos != 0 || count >= sizeof(buf))
 		return -EINVAL;
 
 	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
@@ -622,7 +622,7 @@ static ssize_t gpio_virtuser_consumer_write(struct file *file,
 	char buf[GPIO_VIRTUSER_NAME_BUF_LEN + 2];
 	int ret;
 
-	if (count >= sizeof(buf))
+	if (*ppos != 0 || count >= sizeof(buf))
 		return -EINVAL;
 
 	ret = simple_write_to_buffer(buf, GPIO_VIRTUSER_NAME_BUF_LEN, ppos,
-- 
2.53.0

On Mon, 25 May 2026 10:15:16 +0300, Dan Carpenter wrote:
> If *ppos is non-zero then simple_write_to_buffer() won't initialize the
> start of the buffer.  Really, non-zero values for *ppos aren't going to
> work at all.  Check for that return -EINVAL at the start of the function.
> 
> 

I tweaked the commit message a bit for clarity, thanks.

[1/1] gpio: virtuser: Fix uninitialized data bug in gpio_virtuser_direction_do_write()
      https://git.kernel.org/brgl/c/39785f2b3e9fb8f3375dde1e3e4c94ff953871af

Best regards,
-- 
Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>