From patchwork Fri Nov 25 15:32:57 2022
X-Patchwork-Submitter: Bartosz Golaszewski
X-Patchwork-Id: 26074
From: Bartosz Golaszewski
To: Kent Gibson, Linus Walleij, Andy Shevchenko
Cc: linux-gpio@vger.kernel.org, linux-kernel@vger.kernel.org, Bartosz Golaszewski
Subject: [PATCH] gpiolib: cdev: fix NULL-pointer dereferences
Date: Fri, 25 Nov 2022 16:32:57 +0100
Message-Id: <20221125153257.528826-1-brgl@bgdev.pl>
X-Mailer: git-send-email 2.37.2
X-Mailing-List: linux-kernel@vger.kernel.org
From: Bartosz Golaszewski

There are several places where we can crash the kernel by requesting lines, unbinding the GPIO device, then calling any of the system calls relevant to the GPIO character device's anonymous file descriptors: ioctl(), read(), poll().

While I observed it with the GPIO simulator, it will also happen for any of the GPIO devices that can be hot-unplugged - for instance any HID GPIO expander (e.g. CP2112).

This affects both v1 and v2 uAPI.

Fix this by simply checking if the GPIO chip pointer is not NULL.

Signed-off-by: Bartosz Golaszewski

--- drivers/gpio/gpiolib-cdev.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c index 0cb6b468f364..d5632742942a 100644 --- a/drivers/gpio/gpiolib-cdev.c +++ b/drivers/gpio/gpiolib-cdev.c @@ -201,6 +201,9 @@ static long linehandle_ioctl(struct file *file, unsigned int cmd, unsigned int i; int ret; + if (!lh->gdev->chip) + return -ENODEV; + switch (cmd) { case GPIOHANDLE_GET_LINE_VALUES_IOCTL: /* NOTE: It's okay to read values of output lines */ @@ -1384,6 +1387,9 @@ static long linereq_ioctl(struct file *file, unsigned int cmd, struct linereq *lr = file->private_data; void __user *ip = (void __user *)arg; + if (!lr->gdev->chip) + return -ENODEV; + switch (cmd) { case GPIO_V2_LINE_GET_VALUES_IOCTL: return linereq_get_values(lr, ip); @@ -1716,6 +1722,9 @@ static __poll_t lineevent_poll(struct file *file, struct lineevent_state *le = file->private_data; __poll_t events = 0; + if (!le->gdev->chip) + return -ENODEV; + poll_wait(file, &le->wait, wait); if (!kfifo_is_empty_spinlocked_noirqsave(&le->events, &le->wait.lock)) @@ -1740,6 +1749,9 @@ static ssize_t lineevent_read(struct file *file, ssize_t ge_size; int ret; + if (!le->gdev->chip) + return -ENODEV; + /* * When compatible system call is being used the struct gpioevent_data, * in case of at least ia32, has different size due to the alignment 
@@ -1821,6 +1833,9 @@ static long lineevent_ioctl(struct file *file, unsigned int cmd, void __user *ip = (void __user *)arg; struct gpiohandle_data ghd; + if (!le->gdev->chip) + return -ENODEV; + /* * We can get the value for an event line but not set it, * because it is input by definition.
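Review bot: the `if (!lh->gdev->chip) return -ENODEV;` test added at the top of linehandle_ioctl (and the identical tests in the other hunks) is an unlocked read of gdev->chip, so it narrows the window but does not close it: nothing in the hunk holds a lock or a reference across the rest of the handler, so the chip can still be unbound between this check and the later dereferences inside the GPIOHANDLE_* cases. Either serialize these entry points against the unbind path that clears gdev->chip, or say explicitly in the commit message that this is a best-effort check and the race remains.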
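Review bot: the commit message says ioctl(), read() and poll() all crash on both the v1 and v2 uAPI, but linereq_ioctl is the only v2 handler this patch touches. The v2 read and poll file operations on the linereq descriptor need the same `if (!lr->gdev->chip)` check, otherwise the v2 read()/poll() case the message describes stays reproducible after this patch.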
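Review bot: lineevent_poll is declared `__poll_t` but the new check does `return -ENODEV;`. A negative errno is not a valid poll mask: it is converted to the unsigned __bitwise __poll_t and surfaces to user space as a nonsense revents value, and sparse will flag the type mismatch. Return a poll mask instead, e.g. `return EPOLLHUP | EPOLLERR;`, which is how a device that has gone away is conventionally reported to poll()/epoll() callers.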
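Review bot: the check in lineevent_read only runs on entry to the function, before the size handling and the wait for events. A reader that is already sleeping in read() when the device is unbound is not woken by anything in this patch, so it stays blocked on a descriptor that can never deliver another event and never reaches the new `-ENODEV` return. Consider waking le->wait from the unbind path so blocked readers also return an error.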