linux-yocto/drivers/gpio
Zhongqiu Han 2d008d4961 gpiolib: cdev: Fix use after free in lineinfo_changed_notify
commit 02f6b0e1ec upstream.

The use-after-free issue occurs as follows: when the GPIO chip device file
is being closed by invoking gpio_chrdev_release(), watched_lines is freed
by bitmap_free(), but the unregistration of the lineinfo_changed_nb notifier
chain failed due to waiting for the write rwsem. Additionally, one of the GPIO
chip's lines is also in the release process and holds the notifier chain's
read rwsem. Consequently, a race condition leads to the use-after-free of
watched_lines.

Here is the typical stack when the issue happened:

[free]
gpio_chrdev_release()
  --> bitmap_free(cdev->watched_lines)                  <-- freed
  --> blocking_notifier_chain_unregister()
    --> down_write(&nh->rwsem)                          <-- waiting rwsem
          --> __down_write_common()
            --> rwsem_down_write_slowpath()
                  --> schedule_preempt_disabled()
                    --> schedule()

[use]
st54spi_gpio_dev_release()
  --> gpio_free()
    --> gpiod_free()
      --> gpiod_free_commit()
        --> gpiod_line_state_notify()
          --> blocking_notifier_call_chain()
            --> down_read(&nh->rwsem);                  <-- held rwsem
            --> notifier_call_chain()
              --> lineinfo_changed_notify()
                --> test_bit(xxxx, cdev->watched_lines) <-- use after free

The side effect of the use-after-free issue is that a GPIO line event is
being generated for userspace where it shouldn't. However, since the chrdev
is being closed, userspace won't have the chance to read that event anyway.

To fix the issue, call the bitmap_free() function after the unregistration
of the lineinfo_changed_nb notifier chain.

Fixes: 51c1064e82 ("gpiolib: add new ioctl() for monitoring changes in line info")
Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
Link: https://lore.kernel.org/r/20240505141156.2944912-1-quic_zhonhan@quicinc.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-01-23 17:16:02 +01:00
gpio-74x164.c gpio: 74x164: Enable output pins after registers are reset 2024-03-06 14:38:50 +00:00
gpio-74xx-mmio.c
gpio-104-dio-48e.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-104-idi-48.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-104-idio-16.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-adnp.c gpio: adnp: Use irqchip template 2020-07-20 15:34:59 +02:00
gpio-adp5520.c gpio: adp5520: cleanup probe error path + remove platform_set_drvdata() 2021-05-21 15:29:53 +02:00
gpio-adp5588.c gpio: adp5588: Use irqchip template 2020-07-20 15:47:50 +02:00
gpio-aggregator.c gpio: aggregator: Fix calling into sleeping GPIO controllers 2022-02-16 12:56:24 +01:00
gpio-altera-a10sr.c gpio: altera-a10sr: remove platform_set_drvdata() + cleanup probe 2021-05-21 15:43:24 +02:00
gpio-altera.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-amd-fch.c gpio: amd-fch: correct logic of GPIO_LINE_DIRECTION 2020-09-28 12:22:04 +02:00
gpio-amd8111.c gpio: amd8111: Fix PCI device reference count leak 2022-12-14 11:37:23 +01:00
gpio-amdpt.c gpio: use raw spinlock for gpio chip shadowed data 2023-02-01 08:27:08 +01:00
gpio-arizona.c gpio: arizona: disable pm_runtime in case of failure 2020-12-02 10:40:54 +01:00
gpio-aspeed-sgpio.c gpio: aspeed-sgpio: Convert aspeed_sgpio.lock to raw_spinlock 2022-01-27 11:04:38 +01:00
gpio-aspeed.c gpio: aspeed: Use devm_clk api to manage clock source 2024-10-17 15:11:55 +02:00
gpio-ath79.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-bcm-kona.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-bd9571mwv.c gpio: bd9571mwv: remove platform_set_drvdata() + cleanup probe 2021-05-21 15:43:26 +02:00
gpio-bd70528.c gpio: bd7xxxx: use helper variable for pdev->dev 2021-02-15 11:43:27 +01:00
gpio-bd71815.c gpio: Support ROHM BD71815 GPOs 2021-04-14 10:19:22 +01:00
gpio-bd71828.c gpio: bd7xxxx: use helper variable for pdev->dev 2021-02-15 11:43:27 +01:00
gpio-brcmstb.c gpio: use raw spinlock for gpio chip shadowed data 2023-02-01 08:27:08 +01:00
gpio-bt8xx.c drivers: gpio: bt8xx: prefer dev_err()/dev_warn() over of raw printk 2020-12-08 09:41:32 +01:00
gpio-cadence.c gpio: use raw spinlock for gpio chip shadowed data 2023-02-01 08:27:08 +01:00
gpio-clps711x.c
gpio-creg-snps.c
gpio-crystalcove.c gpio: crystalcove: Use -ENOTSUPP consistently 2024-05-17 11:50:55 +02:00
gpio-cs5535.c gpio: cs5535: Simplify the return expression of cs5535_gpio_probe() 2020-12-12 01:37:46 +01:00
gpio-da9052.c gpio: da9052: remove platform_set_drvdata() + cleanup probe 2021-05-23 20:32:09 +02:00
gpio-da9055.c gpio: da9055: remove platform_set_drvdata() + cleanup probe 2021-05-21 14:45:57 +02:00
gpio-davinci.c gpio: davinci: fix lazy disable 2024-10-17 15:11:42 +02:00
gpio-dln2.c gpio: dln2: Fix interrupts when replugging the device 2021-12-29 12:28:56 +01:00
gpio-dwapb.c gpio: dwapb: mask/unmask IRQ when disable/enale it 2024-01-05 15:13:35 +01:00
gpio-eic-sprd.c gpio: eic-sprd: Clear interrupt after set the interrupt type 2024-02-23 08:54:35 +01:00
gpio-em.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-ep93xx.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-exar.c gpio: exar: set value when external pull-up or pull-down is present 2024-12-14 19:51:15 +01:00
gpio-f7188x.c gpio-f7188x: Add GPIO support for F81865 2020-05-05 18:22:26 +02:00
gpio-ftgpio010.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-ge.c
gpio-gpio-mm.c
gpio-grgpio.c gpio: grgpio: Add NULL check in grgpio_probe 2024-12-14 19:51:29 +01:00
gpio-gw-pld.c
gpio-hisi.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-hlwd.c gpio: use raw spinlock for gpio chip shadowed data 2023-02-01 08:27:08 +01:00
gpio-htc-egpio.c
gpio-ich.c gpio: ich: Switch to be dependent on LPC_ICH 2021-05-05 16:07:41 +02:00
gpio-idt3243x.c gpio: use raw spinlock for gpio chip shadowed data 2023-02-01 08:27:08 +01:00
gpio-iop.c
gpio-it87.c gpio: it87: remove unused code 2021-05-05 16:07:41 +02:00
gpio-ixp4xx.c gpio: use raw spinlock for gpio chip shadowed data 2023-02-01 08:27:08 +01:00
gpio-janz-ttl.c
gpio-kempld.c
gpio-logicvc.c gpio: logicvc: Remove redundant error printing in logicvc_gpio_probe() 2021-05-12 13:35:39 +02:00
gpio-loongson.c
gpio-loongson1.c gpio: use raw spinlock for gpio chip shadowed data 2023-02-01 08:27:08 +01:00
gpio-lp873x.c
gpio-lp3943.c
gpio-lp87565.c mfd: lp87565: Fix typo in define names 2021-05-19 13:33:49 +01:00
gpio-lpc18xx.c
gpio-lpc32xx.c
gpio-madera.c
gpio-max730x.c gpio: max730x: bring gpiochip_add_data after port config 2020-05-22 17:01:25 +02:00
gpio-max732x.c gpio: max732x: Use irqchip template 2020-08-04 01:12:43 +02:00
gpio-max3191x.c
gpio-max7300.c
gpio-max7301.c
gpio-max77620.c gpio: max77620: convert comma to semicolon 2021-02-15 11:43:29 +01:00
gpio-max77650.c
gpio-mb86s7x.c gpio: mb86s7x: Remove superfluous test for ACPI companion 2020-05-18 09:15:16 +02:00
gpio-mc33880.c
gpio-menz127.c gpio: use raw spinlock for gpio chip shadowed data 2023-02-01 08:27:08 +01:00
gpio-merrifield.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-ml-ioh.c gpio: ml-ioh: Convert to dev_pm_ops 2021-07-13 11:58:22 +03:00
gpio-mlxbf.c gpio: gpio-mlxbf: Tell the compiler that ACPI functions may not be used 2020-07-08 09:24:08 +02:00
gpio-mlxbf2.c gpio: use raw spinlock for gpio chip shadowed data 2023-02-01 08:27:08 +01:00
gpio-mm-lantiq.c gpio: mm-lantiq: Fix small typo 2020-04-28 22:41:25 +02:00
gpio-mmio.c gpio: use raw spinlock for gpio chip shadowed data 2023-02-01 08:27:08 +01:00
gpio-mockup.c gpio: mockup: Fix mode of debugfs files 2023-05-30 13:55:30 +01:00
gpio-moxtet.c treewide: change my e-mail address, fix my name 2021-04-09 14:54:23 -07:00
gpio-mpc8xxx.c gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in mpc85xx 2022-09-23 14:15:47 +02:00
gpio-mpc5200.c
gpio-msc313.c gpio: msc313: MStar MSC313 GPIO driver 2020-12-05 22:41:22 +01:00
gpio-mt7621.c gpio updates for v5.15 2021-09-07 12:27:27 -07:00
gpio-mvebu.c gpio: mvebu: fix irq domain leak 2023-08-03 10:22:26 +02:00
gpio-mxc.c gpio: mxc: Unlock on error path in mxc_flip_edge() 2023-02-01 08:27:28 +01:00
gpio-mxs.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-octeon.c
gpio-omap.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-palmas.c
gpio-pca953x.c gpio: pca953x: Add mutex_lock for regcache sync in PM 2022-09-08 12:28:05 +02:00
gpio-pca9570.c gpio: pca9570: add GPO driver for PCA9570 2020-07-16 14:35:12 +02:00
gpio-pcf857x.c gpio: pcf857x: Fix missing first interrupt 2021-02-18 15:52:44 +01:00
gpio-pch.c gpio: pch: Add a blank line between declaration and code 2020-07-21 19:12:57 +03:00
gpio-pci-idio-16.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-pcie-idio-24.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-pisosr.c gpio: pisosr: Simplify with dev_err_probe() 2020-08-28 20:15:51 +02:00
gpio-pl061.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-pmic-eic-sprd.c gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip 2023-10-06 13:18:14 +02:00
gpio-pxa.c gpio: pxa: disable pinctrl calls for MMP_GPIO 2023-10-10 21:59:09 +02:00
gpio-raspberrypi-exp.c gpio: raspberrypi-exp: Release firmware handle on unbind 2021-03-22 17:59:51 +01:00
gpio-rc5t583.c
gpio-rcar.c gpio updates for v5.15 2021-09-07 12:27:27 -07:00
gpio-rda.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-rdc321x.c
gpio-realtek-otto.c gpio: realtek-otto: fix GPIO line IRQ offset 2021-11-18 19:17:04 +01:00
gpio-reg.c
gpio-regmap.c gpio: regmap: move drvdata to config data 2021-06-07 15:39:19 +02:00
gpio-rockchip.c gpio: rockchip: fix OF node leak in probe() 2024-09-12 11:07:52 +02:00
gpio-sa1100.c
gpio-sama5d2-piobu.c gpio: gpio-sama5d2-piobu: Demote all kerneldoc headers to basic comment blocks 2020-07-08 09:24:07 +02:00
gpio-sch.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-sch311x.c
gpio-sifive.c gpio: sifive: add missing check for platform_get_irq 2023-06-28 10:29:50 +02:00
gpio-siox.c gpio: siox: explicitly support only threaded irqs 2020-09-09 12:59:15 +02:00
gpio-sl28cpld.c gpio: sl28cpld: convert comma to semicolon 2021-02-15 11:43:26 +01:00
gpio-sodaville.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-spear-spics.c gpio: spear-spics: remove platform_set_drvdata() + cleanup probe 2021-05-25 16:14:34 +02:00
gpio-sprd.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-sta2x11.c gpio: sta2x11: remove platform_set_drvdata() + cleanup probe 2021-05-25 16:15:21 +02:00
gpio-stmpe.c gpio: stmpe: fully use convert probe to device-managed 2021-05-21 14:45:21 +02:00
gpio-stp-xway.c gpio: stp-xway: automatically drive GPHY leds on ar10 and grx390 2020-08-18 21:32:28 +02:00
gpio-syscon.c gpio: gpio-syscon: Fix formatting issues which confuse kerneldoc 2020-07-08 09:24:08 +02:00
gpio-tb10x.c gpio: tb10x: Fix an error handling path in tb10x_gpio_probe() 2023-10-06 13:18:09 +02:00
gpio-tc3589x.c gpio: tc3589x: emove platform_set_drvdata() + cleanup probe 2021-05-24 20:57:27 +02:00
gpio-tegra.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-tegra186.c gpio: tegra186: Fix chip_data type confusion 2022-03-02 11:48:10 +01:00
gpio-thunderx.c
gpio-timberdale.c gpio: timberdale: Fix potential deadlock on &tgpio->lock 2023-10-25 11:58:59 +02:00
gpio-tpic2810.c
gpio-tps6586x.c gpio: tps6586x: remove platform_set_drvdata() + cleanup probe 2021-05-24 20:56:19 +02:00
gpio-tps65086.c
gpio-tps65218.c gpio: tps65218: remove platform_set_drvdata() + cleanup probe 2021-05-24 20:58:23 +02:00
gpio-tps65910.c gpio: tps65910: remove platform_set_drvdata() + cleanup probe 2021-05-25 16:17:11 +02:00
gpio-tps65912.c gpio: tps65912: remove platform_set_drvdata() + cleanup probe 2021-05-24 20:58:46 +02:00
gpio-tps68470.c gpio: tps68470: Make tps68470_gpio_output() always set the initial value 2023-08-03 10:22:26 +02:00
gpio-tqmx86.c gpio: tqmx86: store IRQ trigger type and unmask status separately 2024-07-05 09:14:16 +02:00
gpio-ts4800.c
gpio-ts4900.c gpio: ts4900: Do not set DAT and OE together 2022-03-16 14:23:39 +01:00
gpio-ts5500.c
gpio-twl4030.c
gpio-twl6040.c
gpio-ucb1400.c
gpio-uniphier.c gpio: uniphier: Fix void functions to remove return value 2021-09-22 11:19:29 +02:00
gpio-vf610.c gpio: vf610: set value before the direction to avoid a glitch 2023-10-25 11:59:03 +02:00
gpio-viperboard.c gpio: viperboard: remove platform_set_drvdata() call in probe 2021-08-31 11:29:28 +02:00
gpio-virtio.c gpio: virtio: remove timeout 2021-12-29 12:28:43 +01:00
gpio-visconti.c gpio: visconti: Fix fwnode of GPIO IRQ 2022-05-12 12:30:10 +02:00
gpio-vr41xx.c MIPS: Remove repetitive increase irq_err_count 2022-06-29 09:03:24 +02:00
gpio-vx855.c gpio: vx855: convert comma to semicolon 2021-02-15 11:43:29 +01:00
gpio-wcd934x.c gpio: wcd934x: Fix shift-out-of-bounds error 2021-05-27 09:51:35 +02:00
gpio-wcove.c gpio: wcove: Use -ENOTSUPP consistently 2024-05-17 11:50:55 +02:00
gpio-winbond.c gpio: winbond: Fix error code in winbond_gpio_get() 2022-06-29 09:03:26 +02:00
gpio-wm831x.c gpio: wm831x: remove platform_set_drvdata() + cleanup probe 2021-05-25 16:20:58 +02:00
gpio-wm8350.c gpio: wm8350: remove platform_set_drvdata() + cleanup probe 2021-05-25 16:21:28 +02:00
gpio-wm8994.c gpio: wm8994: remove platform_set_drvdata() + cleanup probe 2021-05-25 16:21:14 +02:00
gpio-ws16c48.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-xgene-sb.c gpio: xgene-sb: Drop extra check to call acpi_gpiochip_request_interrupts() 2020-05-18 09:16:31 +02:00
gpio-xgene.c gpio: xgene: simplify probe, return devm_gpiochip_add_data() directly 2021-05-23 20:30:26 +02:00
gpio-xgs-iproc.c gpio: xgs-iproc: fix parsing of ngpios property 2021-10-25 10:10:37 +02:00
gpio-xilinx.c gpio: gpio-xilinx: Fix integer overflow 2022-07-29 17:25:23 +02:00
gpio-xlp.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpio-xra1403.c gpio: xra1403: remove unneeded spi_set_drvdata() 2020-11-30 17:36:36 +01:00
gpio-xtensa.c
gpio-zevio.c
gpio-zynq.c gpio: Bulk conversion to generic_handle_domain_irq() 2021-08-12 11:39:38 +01:00
gpiolib-acpi.c gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04 2024-02-23 08:54:32 +01:00
gpiolib-acpi.h gpiolib: Introduce acpi_gpio_dev_init() and call it from core 2021-03-26 14:56:18 +01:00
gpiolib-cdev.c gpiolib: cdev: Fix use after free in lineinfo_changed_notify 2025-01-23 17:16:02 +01:00
gpiolib-cdev.h gpiolib: fix sysfs when cdev is not selected 2020-11-05 15:35:40 +01:00
gpiolib-devres.c gpiolib: constify passed device_node pointer 2021-08-05 21:21:58 +02:00
gpiolib-legacy.c
gpiolib-of.c gpiolib: of: add polarity quirk for TSC2005 2024-07-18 13:07:32 +02:00
gpiolib-of.h gpiolib: Bind gpio_device to a driver to enable fw_devlink=on by default 2021-01-27 16:04:10 +01:00
gpiolib-sysfs.c gpiolib: sysfs: Fix error handling on failed export 2023-12-13 18:36:47 +01:00
gpiolib-sysfs.h gpiolib: move gpiolib-sysfs function declarations into their own header 2020-07-12 10:22:00 +02:00
gpiolib.c gpio: prevent potential speculation leaks in gpio_device_get_desc() 2024-10-17 15:10:41 +02:00
gpiolib.h gpiolib: protect the GPIO device against being dropped while in use by user-space 2022-12-31 13:14:31 +01:00
Kconfig gpio: tqmx86: fix typo in Kconfig label 2024-07-05 09:14:16 +02:00
Makefile Merge branch 'ib-rockchip' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl into gpio/for-next 2021-08-23 10:04:05 +02:00
TODO gpio: intel-mid: Remove driver for deprecated platform 2021-02-15 11:43:32 +01:00