Received: by 2002:ab2:2441:0:b0:1f3:1f8c:d0c6 with SMTP id k1csp183570lqe; Thu, 4 Apr 2024 03:47:30 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUO1AmujIQwg+eLsQZo6So/+8d8sazhdUV0/UvAMlkycB3R9SjyWPQiR2307Osbx7uACFCb7HxsZs69X8Ha90aMiQJx7QqLewUPJroc6Q== X-Google-Smtp-Source: AGHT+IEpBY9u3QR0NFyN8nQoAzAtesnGzg4bIR8juaoTJO2yCK6OC2HW2IVDtUrjovW0hz85+sMe X-Received: by 2002:a50:9f6b:0:b0:56e:23a1:a0da with SMTP id b98-20020a509f6b000000b0056e23a1a0damr149659edf.7.1712227650711; Thu, 04 Apr 2024 03:47:30 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712227650; cv=pass; d=google.com; s=arc-20160816; b=kEnTFAX7IstjdaqnsFEIWXNCsczTPOpIg+GgYfnbFBDLT4A23qGCjzMFLep/Cu6rFS TsbCPs7BoEOneBebdXi4hqkIcxnNxKM6fjJ6++MW6Gm8HT7kDfWcbWO5KGMnMiikayOg AJJG30pqkp3qPJLIJF1dM0v7SYoH4dIhJKVCKUVB+1eNw7mxVGHFrTB0XWEhfsSWdxEP mNP4TA2niPFPpJ8iFEjtUY3ymDk8MZSwmn+DKiB9K1Rnd9jhGfAbEVuetTu7GAV9+ego 7CoAOAxUNYjON4a1rCG3WL4YLld3OEOU3ZEb4N/AmoIkfCFvuyo8CNMuZKBxOmxssoo1 gZOA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=hA1F4ecNFaqy2INS6J/CJxJtqMknUSKBTL4J/GsVmSk=; fh=yuT5vuZuwsxx+AMmYypkKOiz/tW3HWPZCJI5Mocw4Uw=; b=WwiZ9HliwZ7LJHTQKJjSQyWhaPyHSY85b4+3ITS50Nzvnh+GodOloNJfFrR+/qBSx3 QCuew9Ptc//TynAIMlp63iMxSOD38PatwN5BL8ueNWxKiIbxsuN0NlS+YcTcQwmbCa7q FqVaN22icaeoHo0KIfp59OnPgtU77hDzD5qUs0P8kyA1fkEps2hbPOCh+eUHzW8yAiwN yl0zmPTS1me1V3oB2gUxNBKqMOac2i5apvWRpnBtdqic3f6bphDkk1FyJnUcJQCQujmL c167a+NLWalXAfE5JX/sRlvAnxXaWyvmRaliodXjra69eWFNEXszaeDulKeWHropULSV AWFQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@bgdev-pl.20230601.gappssmtp.com header.s=20230601 header.b=nlb9scJe; arc=pass (i=1 dkim=pass dkdomain=bgdev-pl.20230601.gappssmtp.com); spf=pass (google.com: domain of linux-kernel+bounces-131096-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-131096-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id m30-20020a50d7de000000b0056dfdb5afdfsi1818067edj.368.2024.04.04.03.47.30 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Apr 2024 03:47:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-131096-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@bgdev-pl.20230601.gappssmtp.com header.s=20230601 header.b=nlb9scJe; arc=pass (i=1 dkim=pass dkdomain=bgdev-pl.20230601.gappssmtp.com); spf=pass (google.com: domain of linux-kernel+bounces-131096-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-131096-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 6CACA1F23B89 for ; Thu, 4 Apr 2024 08:20:54 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 9E7116BB46; Thu, 4 Apr 2024 08:20:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=bgdev-pl.20230601.gappssmtp.com header.i=@bgdev-pl.20230601.gappssmtp.com header.b="nlb9scJe" Received: from mail-lf1-f53.google.com (mail-lf1-f53.google.com [209.85.167.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BC37D6774E for ; Thu, 4 Apr 2024 08:20:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.53 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712218845; cv=none; b=djQAJqoNDC0f8BK6/A7VN8bJnk4+hPYJ2eTb7TU9evpczu/WYYO8cJPCESDbY46Mn7cJCTFJFZUhTHDcALL3x5fcJNobiAvFJfGdyWg+/9mMGCU6GNkfXodhX02rTplApW7kpfYxcGlLVVu5INWMB8Dr/RoM3oPxdfxI2DdNgTI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712218845; c=relaxed/simple; bh=DEtDOgJjtwKHKgzbnFh+oYPDkv4+cFLZBBuu6/r7Tl8=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=Dg2T0uMLjhUf5PmroDkpJFHMS2uYzWl9kzh3qALusJoF9gtAdmKw9mARMXXyFM2d4De4dIoL3aXqnfPCUbKbW1BS/Rd5WX+Zu5wIPB0fgsEF3YKiXmeixmPDuI3JEbxDuafZXq4BmI7/2hDsHU562qFM/eFwPqZ/4Xj/iRg0nio= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=bgdev.pl; spf=none smtp.mailfrom=bgdev.pl; dkim=pass (2048-bit key) header.d=bgdev-pl.20230601.gappssmtp.com header.i=@bgdev-pl.20230601.gappssmtp.com header.b=nlb9scJe; arc=none smtp.client-ip=209.85.167.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=bgdev.pl Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=bgdev.pl Received: by mail-lf1-f53.google.com with SMTP id 2adb3069b0e04-516c1bbe314so1069109e87.1 for ; Thu, 04 Apr 2024 01:20:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bgdev-pl.20230601.gappssmtp.com; s=20230601; t=1712218841; x=1712823641; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=hA1F4ecNFaqy2INS6J/CJxJtqMknUSKBTL4J/GsVmSk=; b=nlb9scJeU/urPmrMrLDA0q2D5EsO4K3OsvIw/tE2jt1ryGv7LhnOnG7Xw6viXkXWy8 um/+EtNsCGYppQWT73cq5I3jmdLJe8cA2P456b5F9M2St/wKNhI9THg9R+og4HozGsCq JdxoS3F8079o9IgkfmLGsoYEddsXZHP0XDlrLso2w1l7v7BW7MU7KGR7GTsER2tQfT6r whx0QarqmEv5xPpV41ZfH0wzf1zidzSnxYK2y/TEOEor2BI+KanLJ0ysKVUVWpfUFwTV pRGWMP36gkvxbl9rBeQTp5Xk6jFpAhTRDdyVGv76UCfsWQMfuyVrk9DiONbwdSjaELQP 3A1w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712218841; x=1712823641; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=hA1F4ecNFaqy2INS6J/CJxJtqMknUSKBTL4J/GsVmSk=; b=d/YM3ij0U5QpMbzQxlAtiUUizOUH9KxIYQWxs/JocUfo/K6OMLxxwnVFIbBmPrjGjl pxjjMRmk8KMxhSSNfEYu4Q7CF3taoKdFMJglFRUdQ5fgD+byvZNrxYYvor0hSR8vCSEt zyoFfEhePXVQ9YNtO0RQ7BI7a5yH27dgtAsdayv9NNma0hGkrwN5pzhchrRrF+NmOAL1 iYwqnTl6nAG/BcoAB5FkKVdtofWFFURCtC19crJRC5xoWZ0x76sDRqetETWC/34yeFsp pI9T+kNz3tgiz/tLzI93aZli22AgYD/sErtQB0x9OZQckxww4AnLp99llVy4xi2eO1rZ xRIg== X-Gm-Message-State: AOJu0YxySLkWWlHt0UwapNSb5RZOlyLvrTxEaQKcxf1aIf873xsoCPAt vQm9FqffYY1fWA2EYCB6SSuBdHXzxxXM+PS5CZILKfHxSKgnOCsziA5ndVlWyhaZNRCyOh4n95E eivUGMs9M/qIY6teWoYXOBkgO0Z4AvIwpvvfbqW4cJpn8s3m9 X-Received: by 2002:a05:6512:6c4:b0:516:c763:b4f9 with SMTP id u4-20020a05651206c400b00516c763b4f9mr1773698lff.14.1712218840661; Thu, 04 Apr 2024 01:20:40 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240403131518.61392-1-warthog618@gmail.com> <20240403131518.61392-2-warthog618@gmail.com> In-Reply-To: <20240403131518.61392-2-warthog618@gmail.com> From: Bartosz Golaszewski Date: Thu, 4 Apr 2024 10:20:29 +0200 Message-ID: Subject: Re: [PATCH 1/2] gpio: cdev: fix missed label sanitizing in debounce_setup() To: Kent Gibson Cc: linux-kernel@vger.kernel.org, linux-gpio@vger.kernel.org, linus.walleij@linaro.org, stable@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, Apr 3, 2024 at 3:15=E2=80=AFPM Kent Gibson w= rote: > > When adding sanitization of the label, the path through > edge_detector_setup() that leads to debounce_setup() was overlooked. > A request taking this path does not allocate a new label and the > request label is freed twice when the request is released, resulting > in memory corruption. > > Add label sanitization to debounce_setup(). > > Cc: stable@vger.kernel.org > Fixes: b34490879baa ("gpio: cdev: sanitize the label before requesting th= e interrupt") > Signed-off-by: Kent Gibson > --- > drivers/gpio/gpiolib-cdev.c | 31 +++++++++++++++++++------------ > 1 file changed, 19 insertions(+), 12 deletions(-) > > diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c > index fa9635610251..f4c2da2041e5 100644 > --- a/drivers/gpio/gpiolib-cdev.c > +++ b/drivers/gpio/gpiolib-cdev.c > @@ -728,6 +728,16 @@ static u32 line_event_id(int level) > GPIO_V2_LINE_EVENT_FALLING_EDGE; > } > > +static inline char *make_irq_label(const char *orig) > +{ > + return kstrdup_and_replace(orig, '/', ':', GFP_KERNEL); > +} > + > +static inline void free_irq_label(const char *label) > +{ > + kfree(label); > +} > + > #ifdef CONFIG_HTE > > static enum hte_return process_hw_ts_thread(void *p) > @@ -1015,6 +1025,7 @@ static int debounce_setup(struct line *line, unsign= ed int debounce_period_us) > { > unsigned long irqflags; > int ret, level, irq; > + char *label; > > /* try hardware */ > ret =3D gpiod_set_debounce(line->desc, debounce_period_us); > @@ -1037,11 +1048,17 @@ static int debounce_setup(struct line *line, unsi= gned int debounce_period_us) > if (irq < 0) > return -ENXIO; > > + label =3D make_irq_label(line->req->label); Now that I look at the actual patch, I don't really like it. We introduce a bug just to fix it a commit later. Such things have been frowned upon in the past. Let me shuffle the code a bit, I'll try to make it a bit more correct. Bart > + if (!label) > + return -ENOMEM; > + > irqflags =3D IRQF_TRIGGER_FALLING | IRQF_TRIGGER_= RISING; > ret =3D request_irq(irq, debounce_irq_handler, ir= qflags, > - line->req->label, line); > - if (ret) > + label, line); > + if (ret) { > + free_irq_label(label); > return ret; > + } > line->irq =3D irq; > } else { > ret =3D hte_edge_setup(line, GPIO_V2_LINE_FLAG_ED= GE_BOTH); > @@ -1083,16 +1100,6 @@ static u32 gpio_v2_line_config_debounce_period(str= uct gpio_v2_line_config *lc, > return 0; > } > > -static inline char *make_irq_label(const char *orig) > -{ > - return kstrdup_and_replace(orig, '/', ':', GFP_KERNEL); > -} > - > -static inline void free_irq_label(const char *label) > -{ > - kfree(label); > -} > - > static void edge_detector_stop(struct line *line) > { > if (line->irq) { > -- > 2.39.2 >