From patchwork Thu Dec 1 12:59:27 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bartosz Golaszewski X-Patchwork-Id: 28363 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp247615wrr; Thu, 1 Dec 2022 05:03:33 -0800 (PST) X-Google-Smtp-Source: AA0mqf506jO0wymGfR9WkqIeosEXvRJUjKs7BjK22dbvkYaEhnzN/vgCzYVEZfY3FtLZ3QslQRDW X-Received: by 2002:a05:6a00:1515:b0:56b:abf4:f77c with SMTP id q21-20020a056a00151500b0056babf4f77cmr49984801pfu.37.1669899812992; Thu, 01 Dec 2022 05:03:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669899812; cv=none; d=google.com; s=arc-20160816; b=BS1Q9F3N4rDhxHDGjYvp+14vlySHiYY0B/271J1jnMlNGUQ0cT0fVJt2qqENQJ7Cqt grUhTIuiXFbk5fTp2bGFagrBldydmtOLPWb9R5e/j3HMIFIJNHxn18cDjhOySo8ihfik zj0M2JKTHJ3Zyo6vPLM7FCXlaPa9vsQ37fLDW3TYbyHOtqUpJ/osMf1ddei5bkYf/iNv DODxII7xQWvl2B5iTSi5BMluR6ruE1x5/IfpN0rdN4f1rSToe4zLybJj6WOp1JRqkdRx kd26PrA2/Cm7WBi8pap28/JHTR5hp4/QeqcomKauqhfCjdZhN423Ni1UdFtnhdMtbrae +YVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=piNk3HQx8v6RV+VtySfa+39thLEcT6PfvLiaaQdfR4s=; b=orTcNhBP41wPj2lK9NSH8yMZR/taL6evl939vsXrFsaGHI1kgkN8eriBHNbn5OgAuo 29gd9x646BxojVyfLGER4VJ6z2GQsjWw5g0goIurNgS7pjp7kezJYnUOJ4HI/KAP9ooc dTUQXPy3myTq+VxXlOt4eR+4Vm2QCYzhvIrUmwwThXF0PMkVcBjotTdZ2VFVVXexllHk d8l0KzaKFaaRUwMc2crppeX9U/ClmsaiBBGTsorMKOmGz3DUfQQp1xocIwccLGHS/+Gg eYL2v4Hgh03R6ud1dVArfvdMG0uHG0LmXqVKbNbeCkiEcbRM8KYY/2GgnG4//CuqtLGy I6bQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@bgdev-pl.20210112.gappssmtp.com header.s=20210112 header.b=UN51+7NU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h191-20020a636cc8000000b0047872f423a5si1650559pgc.830.2022.12.01.05.02.56; Thu, 01 Dec 2022 05:03:32 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@bgdev-pl.20210112.gappssmtp.com header.s=20210112 header.b=UN51+7NU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231304AbiLAM7j (ORCPT + 99 others); Thu, 1 Dec 2022 07:59:39 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40966 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231325AbiLAM7f (ORCPT ); Thu, 1 Dec 2022 07:59:35 -0500 Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A565DBB7E6 for ; Thu, 1 Dec 2022 04:59:33 -0800 (PST) Received: by mail-wr1-x42e.google.com with SMTP id bs21so2582473wrb.4 for ; Thu, 01 Dec 2022 04:59:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bgdev-pl.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=piNk3HQx8v6RV+VtySfa+39thLEcT6PfvLiaaQdfR4s=; b=UN51+7NUbTS+2jGB/BsiKU1lgHw/S2LelerW2RiPbetQObWH/mXnqoZituWCMQMcaz iMxqMhZVfiLKQ65SpJ0lEhxKcACqH11PWIi6tvvHVM2litc52pdc2aey8kF39ANn0j0v c1WxF3EQE2jzRpBbQ0utBcPsYOwGJt/0gbdulxL0TQqV43zxZ5ngPbdta02hnFEifq2P w13+ApcNKOzAXNa0jemykDnAQ2+cwpCvK9GqkBiyXdjQVouteaLKP6cGwBHfcDdH8pAE iBOjCTj7PTOXTFOr7ceMueiSm7LTWuPKbjN6nURStQqkqvBHudqLFIKRQsd3HDap58ly Hjpg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=piNk3HQx8v6RV+VtySfa+39thLEcT6PfvLiaaQdfR4s=; b=COUqE2n/aCGweoTugkmrGZgNG69dF+2pIySK+/cQT0wp07YPBPb9V8nB+5hb/DaXqb J7s9L9soIJIGet7MIIzyVZmdq1HhOP1/pvO3xY8J/zaH14zVY4jnooCyzUyMxF00ExvH E46az+jIkfyaoHLdHQ06aaJmInI78nlyf5Rxe0tyFMvVtNVIMKd16x2uHKAtsU+b09Kc BN1MCphYRlWAAxy0pwTMXYgMzwsTmyVVLx8v8yCBx6W9SpUtet3INJLn8dKlXFd7198U e8jnM7RZ2rdgmUsLSKLatyzSeVkFPqP1lJWeJDUyqSeWemndYDqa4EMQOoV0hh97Taci 7VbQ== X-Gm-Message-State: ANoB5pkVL1Q1sR8QlPBV0R2rHQXr5jg8dmNu5Ph3Holm/V/JCEYPURWQ xCF4EXidwGqLmUoVXMdsGSQ1sg== X-Received: by 2002:a05:6000:1564:b0:241:e722:3f8e with SMTP id 4-20020a056000156400b00241e7223f8emr27465399wrz.133.1669899572182; Thu, 01 Dec 2022 04:59:32 -0800 (PST) Received: from brgl-uxlite.home ([2a01:cb1d:334:ac00:26bb:b860:c227:f05d]) by smtp.gmail.com with ESMTPSA id v14-20020a05600c444e00b003a1980d55c4sm9564753wmn.47.2022.12.01.04.59.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 01 Dec 2022 04:59:31 -0800 (PST) From: Bartosz Golaszewski To: Kent Gibson , Linus Walleij , Andy Shevchenko Cc: linux-gpio@vger.kernel.org, linux-kernel@vger.kernel.org, Bartosz Golaszewski Subject: [PATCH v6 1/2] gpiolib: cdev: fix NULL-pointer dereferences Date: Thu, 1 Dec 2022 13:59:27 +0100 Message-Id: <20221201125928.3031325-2-brgl@bgdev.pl> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20221201125928.3031325-1-brgl@bgdev.pl> References: <20221201125928.3031325-1-brgl@bgdev.pl> MIME-Version: 1.0 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1751016866423429833?= X-GMAIL-MSGID: =?utf-8?q?1751016866423429833?= From: Bartosz Golaszewski There are several places where we can crash the kernel by requesting lines, unbinding the GPIO device, then calling any of the system calls relevant to the GPIO character device's annonymous file descriptors: ioctl(), read(), poll(). While I observed it with the GPIO simulator, it will also happen for any of the GPIO devices that can be hot-unplugged - for instance any HID GPIO expander (e.g. CP2112). This affects both v1 and v2 uAPI. This fixes it partially by checking if gdev->chip is not NULL but it doesn't entirely remedy the situation as we still have a race condition in which another thread can remove the device after the check. Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines") Fixes: 3c0d9c635ae2 ("gpiolib: cdev: support GPIO_V2_GET_LINE_IOCTL and GPIO_V2_LINE_GET_VALUES_IOCTL") Fixes: aad955842d1c ("gpiolib: cdev: support GPIO_V2_GET_LINEINFO_IOCTL and GPIO_V2_GET_LINEINFO_WATCH_IOCTL") Fixes: a54756cb24ea ("gpiolib: cdev: support GPIO_V2_LINE_SET_CONFIG_IOCTL") Fixes: 7b8e00d98168 ("gpiolib: cdev: support GPIO_V2_LINE_SET_VALUES_IOCTL") Signed-off-by: Bartosz Golaszewski Reviewed-by: Andy Shevchenko --- drivers/gpio/gpiolib-cdev.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c index 0cb6b468f364..6fa5c2169985 100644 --- a/drivers/gpio/gpiolib-cdev.c +++ b/drivers/gpio/gpiolib-cdev.c @@ -201,6 +201,9 @@ static long linehandle_ioctl(struct file *file, unsigned int cmd, unsigned int i; int ret; + if (!lh->gdev->chip) + return -ENODEV; + switch (cmd) { case GPIOHANDLE_GET_LINE_VALUES_IOCTL: /* NOTE: It's okay to read values of output lines */ @@ -1384,6 +1387,9 @@ static long linereq_ioctl(struct file *file, unsigned int cmd, struct linereq *lr = file->private_data; void __user *ip = (void __user *)arg; + if (!lr->gdev->chip) + return -ENODEV; + switch (cmd) { case GPIO_V2_LINE_GET_VALUES_IOCTL: return linereq_get_values(lr, ip); @@ -1410,6 +1416,9 @@ static __poll_t linereq_poll(struct file *file, struct linereq *lr = file->private_data; __poll_t events = 0; + if (!lr->gdev->chip) + return EPOLLHUP | EPOLLERR; + poll_wait(file, &lr->wait, wait); if (!kfifo_is_empty_spinlocked_noirqsave(&lr->events, @@ -1429,6 +1438,9 @@ static ssize_t linereq_read(struct file *file, ssize_t bytes_read = 0; int ret; + if (!lr->gdev->chip) + return -ENODEV; + if (count < sizeof(le)) return -EINVAL; @@ -1716,6 +1728,9 @@ static __poll_t lineevent_poll(struct file *file, struct lineevent_state *le = file->private_data; __poll_t events = 0; + if (!le->gdev->chip) + return EPOLLHUP | EPOLLERR; + poll_wait(file, &le->wait, wait); if (!kfifo_is_empty_spinlocked_noirqsave(&le->events, &le->wait.lock)) @@ -1740,6 +1755,9 @@ static ssize_t lineevent_read(struct file *file, ssize_t ge_size; int ret; + if (!le->gdev->chip) + return -ENODEV; + /* * When compatible system call is being used the struct gpioevent_data, * in case of at least ia32, has different size due to the alignment @@ -1821,6 +1839,9 @@ static long lineevent_ioctl(struct file *file, unsigned int cmd, void __user *ip = (void __user *)arg; struct gpiohandle_data ghd; + if (!le->gdev->chip) + return -ENODEV; + /* * We can get the value for an event line but not set it, * because it is input by definition. @@ -2407,6 +2428,9 @@ static __poll_t lineinfo_watch_poll(struct file *file, struct gpio_chardev_data *cdev = file->private_data; __poll_t events = 0; + if (!cdev->gdev->chip) + return EPOLLHUP | EPOLLERR; + poll_wait(file, &cdev->wait, pollt); if (!kfifo_is_empty_spinlocked_noirqsave(&cdev->events, @@ -2425,6 +2449,9 @@ static ssize_t lineinfo_watch_read(struct file *file, char __user *buf, int ret; size_t event_size; + if (!cdev->gdev->chip) + return -ENODEV; + #ifndef CONFIG_GPIO_CDEV_V1 event_size = sizeof(struct gpio_v2_line_info_changed); if (count < event_size)