From: Kent Gibson <warthog618@gmail.com>
To: Bartosz Golaszewski <brgl@bgdev.pl>
Cc: linux-kernel@vger.kernel.org, linux-gpio@vger.kernel.org,
	linus.walleij@linaro.org, stable@vger.kernel.org
Subject: Re: [PATCH 1/2] gpio: cdev: fix missed label sanitizing in debounce_setup()
Date: Thu, 4 Apr 2024 18:59:12 +0800
Message-ID: <20240404105912.GA94230@rigel>
In-Reply-To: <CAMRc=Mf0DPN1-npNPQA=3ivQd-PMhf_ZAa6eSFjmQ26Y8_Gv=g@mail.gmail.com>

On Thu, Apr 04, 2024 at 10:20:29AM +0200, Bartosz Golaszewski wrote:
> On Wed, Apr 3, 2024 at 3:15 PM Kent Gibson <warthog618@gmail.com> wrote:
> >
> > When adding sanitization of the label, the path through
> > edge_detector_setup() that leads to debounce_setup() was overlooked.
> > A request taking this path does not allocate a new label and the
> > request label is freed twice when the request is released, resulting
> > in memory corruption.
> >
> > Add label sanitization to debounce_setup().
> >
> > Cc: stable@vger.kernel.org
> > Fixes: b34490879baa ("gpio: cdev: sanitize the label before requesting the interrupt")
> > Signed-off-by: Kent Gibson <warthog618@gmail.com>
> > ---
> >  drivers/gpio/gpiolib-cdev.c | 31 +++++++++++++++++++------------
> >  1 file changed, 19 insertions(+), 12 deletions(-)
> >
> > diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
> > index fa9635610251..f4c2da2041e5 100644
> > --- a/drivers/gpio/gpiolib-cdev.c
> > +++ b/drivers/gpio/gpiolib-cdev.c
> > @@ -728,6 +728,16 @@ static u32 line_event_id(int level)
> >                        GPIO_V2_LINE_EVENT_FALLING_EDGE;
> >  }
> >
> > +static inline char *make_irq_label(const char *orig)
> > +{
> > +       return kstrdup_and_replace(orig, '/', ':', GFP_KERNEL);
> > +}
> > +
> > +static inline void free_irq_label(const char *label)
> > +{
> > +       kfree(label);
> > +}
> > +
> >  #ifdef CONFIG_HTE
> >
> >  static enum hte_return process_hw_ts_thread(void *p)
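
Review bot: make_irq_label() passes orig to kstrdup_and_replace() without a NULL check, so it returns NULL both when the GFP_KERNEL allocation fails and when orig itself is NULL, and a caller cannot tell the two apart. Either reject a NULL orig before the call or add a comment above the helper that documents the NULL return, and state there that the caller owns the returned string and must release it with free_irq_label().
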
> > @@ -1015,6 +1025,7 @@ static int debounce_setup(struct line *line, unsigned int debounce_period_us)
> >  {
> >         unsigned long irqflags;
> >         int ret, level, irq;
> > +       char *label;
> >
> >         /* try hardware */
> >         ret = gpiod_set_debounce(line->desc, debounce_period_us);
> > @@ -1037,11 +1048,17 @@ static int debounce_setup(struct line *line, unsigned int debounce_period_us)
> >                         if (irq < 0)
> >                                 return -ENXIO;
> >
> > +                       label = make_irq_label(line->req->label);
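
Review bot: the value assigned on the added line `label = make_irq_label(line->req->label);` can be NULL, so it needs a check that returns -ENOMEM before label is used, and free_irq_label(label) on every later failure path in debounce_setup(). The quoted hunk stops at this line, so whether the remainder of the hunk does both is not visible here and should be confirmed against the full patch.
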
>
> Now that I look at the actual patch, I don't really like it. We
> introduce a bug just to fix it a commit later. Such things have been
> frowned upon in the past.
>
> Let me shuffle the code a bit, I'll try to make it a bit more correct.
>

The debounce_setup() oversight bug is the more severe, so it makes more
sense to me to fix it first.  But then my preferred solution would be
to pull the original patch and submit a corrected patch that merges all
three, so no bugs, but I assume that isn't an option.

Cheers,
Kent.
