From: Bartosz Golaszewski
Date: Fri, 8 Jul 2022 15:31:28 +0200
Subject: Re: [PATCH] gpiolib: cdev: Don't access uninitialized descriptor
To: Viresh Kumar
Cc: Linus Walleij, Dipen Patel, Thierry Reding, Vincent Guittot, "open list:GPIO SUBSYSTEM", Linux Kernel Mailing List
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jul 8, 2022 at 1:25 PM Viresh Kumar wrote:
>
> linereq_free() can be called from in the middle of errors, where the
> descriptor may be NULL for few lines. Don't access uninitialized
> descriptor pointer as it leads to kernel crash:
>
> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
>
> [...]
>
> Call trace:
> linereq_free+0x54/0xb8
> linereq_create+0x424/0x570
> gpio_ioctl+0x94/0x640
> __arm64_sys_ioctl+0xac/0xf0
> invoke_syscall+0x44/0x100
> el0_svc_common.constprop.3+0x6c/0xf0
> do_el0_svc+0x2c/0xb8
> el0_svc+0x20/0x60
> el0t_64_sync_handler+0x98/0xc0
> el0t_64_sync+0x170/0x174
>
> Fixes: 2068339a6c35 ("gpiolib: cdev: Add hardware timestamp clock type")
> Signed-off-by: Viresh Kumar
> ---
> drivers/gpio/gpiolib-cdev.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
> index f5aa5f93342a..d3d1b5aed282 100644
> --- a/drivers/gpio/gpiolib-cdev.c
> +++ b/drivers/gpio/gpiolib-cdev.c
> @@ -1460,11 +1460,13 @@ static ssize_t linereq_read(struct file *file, > static void linereq_free(struct linereq *lr) > { > unsigned int i; > - bool hte; > + bool hte = false; > > for (i = 0; i < lr->num_lines; i++) { > - hte = !!test_bit(FLAG_EVENT_CLOCK_HTE, > - &lr->lines[i].desc->flags); > + if (lr->lines[i].desc) { > + hte = !!test_bit(FLAG_EVENT_CLOCK_HTE, > + &lr->lines[i].desc->flags); > + } > edge_detector_stop(&lr->lines[i], hte); > if (lr->lines[i].desc) > gpiod_free(lr->lines[i].desc); > -- > 2.31.1.272.g89b43f80a514 > Hey Viresh! Kent beat you to it with commit c8e27a4a5136e7230f9e4ffcf132705bf56864cc. Bart
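
Review bot: in the loop in linereq_free(), `hte` is set to false only once, before the loop, and is reassigned only when `lr->lines[i].desc` is non-NULL, so a line with a NULL descriptor that follows an HTE-flagged line still passes a stale `hte == true` to `edge_detector_stop(&lr->lines[i], hte)`. Set `hte = false` at the top of each iteration, or declare it inside the loop body, so every line starts from a known value. The hunk also leaves two separate `if (lr->lines[i].desc)` checks in the same iteration with an unconditional edge_detector_stop() call between them; if that call has nothing to do for a line without a descriptor, a single block covering test_bit(), edge_detector_stop() and gpiod_free() would be simpler, and the commit message should state which of the two cases holds.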