From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Julien Stephan <jstephan@baylibre.com>,
Nuno Sa <nuno.sa@analog.com>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Sasha Levin <sashal@kernel.org>,
jic23@kernel.org, linux-iio@vger.kernel.org
Subject: [PATCH AUTOSEL 6.1 38/61] driver: iio: add missing checks on iio_info's callback access
Date: Wed, 31 Jul 2024 20:25:56 -0400 [thread overview]
Message-ID: <20240801002803.3935985-38-sashal@kernel.org> (raw)
In-Reply-To: <20240801002803.3935985-1-sashal@kernel.org>
From: Julien Stephan <jstephan@baylibre.com>
[ Upstream commit c4ec8dedca961db056ec85cb7ca8c9f7e2e92252 ]
Some callbacks from the iio_info structure are accessed without any check, so
if a driver doesn't implement them, trying to access the corresponding
sysfs entries produces a kernel oops such as:
[ 2203.527791] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute
[...]
[ 2203.783416] Call trace:
[ 2203.783429] iio_read_channel_info_avail from dev_attr_show+0x18/0x48
[ 2203.789807] dev_attr_show from sysfs_kf_seq_show+0x90/0x120
[ 2203.794181] sysfs_kf_seq_show from seq_read_iter+0xd0/0x4e4
[ 2203.798555] seq_read_iter from vfs_read+0x238/0x2a0
[ 2203.802236] vfs_read from ksys_read+0xa4/0xd4
[ 2203.805385] ksys_read from ret_fast_syscall+0x0/0x54
[ 2203.809135] Exception stack(0xe0badfa8 to 0xe0badff0)
[ 2203.812880] dfa0: 00000003 b6f10f80 00000003 b6eab000 00020000 00000000
[ 2203.819746] dfc0: 00000003 b6f10f80 7ff00000 00000003 00000003 00000000 00020000 00000000
[ 2203.826619] dfe0: b6e1bc88 bed80958 b6e1bc94 b6e1bcb0
[ 2203.830363] Code: bad PC value
[ 2203.832695] ---[ end trace 0000000000000000 ]---
Reviewed-by: Nuno Sa <nuno.sa@analog.com>
Signed-off-by: Julien Stephan <jstephan@baylibre.com>
Link: https://lore.kernel.org/r/20240530-iio-core-fix-segfault-v3-1-8b7cd2a03773@baylibre.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/industrialio-core.c | 7 ++++++-
drivers/iio/industrialio-event.c | 9 +++++++++
drivers/iio/inkern.c | 32 ++++++++++++++++++++++----------
3 files changed, 37 insertions(+), 11 deletions(-)
diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
index 135a86fc94531..162845543efe0 100644
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -767,9 +767,11 @@ static ssize_t iio_read_channel_info(struct device *dev,
INDIO_MAX_RAW_ELEMENTS,
vals, &val_len,
this_attr->address);
- else
+ else if (indio_dev->info->read_raw)
ret = indio_dev->info->read_raw(indio_dev, this_attr->c,
&vals[0], &vals[1], this_attr->address);
+ else
+ return -EINVAL;
if (ret < 0)
return ret;
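Review bot: The new `else return -EINVAL;` branch in iio_read_channel_info has no comment saying when it can be reached, and the same holds for the early returns added to iio_read_channel_info_avail and to the three handlers in industrialio-event.c. Per the call trace in the commit message, the path is entered from an ordinary sysfs read, so the state being guarded is a driver that exposes an attribute without the matching callback. I would add a short comment at each site, such as `/* attribute exists but the driver provides no read_raw callback */`, so the check is not later removed as dead code. The body of iio_read_channel_info starts and ends outside this hunk.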
@@ -851,6 +853,9 @@ static ssize_t iio_read_channel_info_avail(struct device *dev,
int length;
int type;
+ if (!indio_dev->info->read_avail)
+ return -EINVAL;
+
ret = indio_dev->info->read_avail(indio_dev, this_attr->c,
&vals, &type, &length,
this_attr->address);
diff --git a/drivers/iio/industrialio-event.c b/drivers/iio/industrialio-event.c
index 727e2ef66aa4b..14658b41c9bc6 100644
--- a/drivers/iio/industrialio-event.c
+++ b/drivers/iio/industrialio-event.c
@@ -283,6 +283,9 @@ static ssize_t iio_ev_state_store(struct device *dev,
if (ret < 0)
return ret;
+ if (!indio_dev->info->write_event_config)
+ return -EINVAL;
+
ret = indio_dev->info->write_event_config(indio_dev,
this_attr->c, iio_ev_attr_type(this_attr),
iio_ev_attr_dir(this_attr), val);
@@ -298,6 +301,9 @@ static ssize_t iio_ev_state_show(struct device *dev,
struct iio_dev_attr *this_attr = to_iio_dev_attr(attr);
int val;
+ if (!indio_dev->info->read_event_config)
+ return -EINVAL;
+
val = indio_dev->info->read_event_config(indio_dev,
this_attr->c, iio_ev_attr_type(this_attr),
iio_ev_attr_dir(this_attr));
@@ -316,6 +322,9 @@ static ssize_t iio_ev_value_show(struct device *dev,
int val, val2, val_arr[2];
int ret;
+ if (!indio_dev->info->read_event_value)
+ return -EINVAL;
+
ret = indio_dev->info->read_event_value(indio_dev,
this_attr->c, iio_ev_attr_type(this_attr),
iio_ev_attr_dir(this_attr), iio_ev_attr_info(this_attr),
diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c
index 872fd5c241476..bd854e92c6f8c 100644
--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -561,6 +561,7 @@ EXPORT_SYMBOL_GPL(devm_iio_channel_get_all);
static int iio_channel_read(struct iio_channel *chan, int *val, int *val2,
enum iio_chan_info_enum info)
{
+ const struct iio_info *iio_info = chan->indio_dev->info;
int unused;
int vals[INDIO_MAX_RAW_ELEMENTS];
int ret;
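Review bot: `const struct iio_info *iio_info = chan->indio_dev->info;` is followed by dereferences of `iio_info` with no check that the pointer itself is non-NULL; the patch guards only the callback members. The same pattern is added to iio_channel_read_avail and iio_channel_write later in this file. If callers are expected to validate `chan->indio_dev->info` before calling these static helpers (not visible in these hunks), document that above each helper, e.g. `/* Caller must ensure chan->indio_dev->info is non-NULL. */`. The function body continues outside this hunk.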
@@ -572,15 +573,18 @@ static int iio_channel_read(struct iio_channel *chan, int *val, int *val2,
if (!iio_channel_has_info(chan->channel, info))
return -EINVAL;
- if (chan->indio_dev->info->read_raw_multi) {
- ret = chan->indio_dev->info->read_raw_multi(chan->indio_dev,
- chan->channel, INDIO_MAX_RAW_ELEMENTS,
- vals, &val_len, info);
+ if (iio_info->read_raw_multi) {
+ ret = iio_info->read_raw_multi(chan->indio_dev,
+ chan->channel,
+ INDIO_MAX_RAW_ELEMENTS,
+ vals, &val_len, info);
*val = vals[0];
*val2 = vals[1];
+ } else if (iio_info->read_raw) {
+ ret = iio_info->read_raw(chan->indio_dev,
+ chan->channel, val, val2, info);
} else {
- ret = chan->indio_dev->info->read_raw(chan->indio_dev,
- chan->channel, val, val2, info);
+ return -EINVAL;
}
return ret;
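Review bot: In the read_raw_multi branch, `*val = vals[0]; *val2 = vals[1];` run even when the callback returned an error or filled fewer than two elements. `vals` is declared without an initializer in the previous hunk, so indeterminate stack contents can be copied to the caller's outputs. This predates the patch but sits in the block it rewrites. Either zero the array at its declaration, `int vals[INDIO_MAX_RAW_ELEMENTS] = { 0 };`, or copy only on success with `if (ret >= 0) { *val = vals[0]; *val2 = vals[1]; }`. The lines between the two hunks of iio_channel_read are not shown, so confirm nothing there already initializes `vals`.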
@@ -800,11 +804,15 @@ static int iio_channel_read_avail(struct iio_channel *chan,
const int **vals, int *type, int *length,
enum iio_chan_info_enum info)
{
+ const struct iio_info *iio_info = chan->indio_dev->info;
+
if (!iio_channel_has_available(chan->channel, info))
return -EINVAL;
- return chan->indio_dev->info->read_avail(chan->indio_dev, chan->channel,
- vals, type, length, info);
+ if (iio_info->read_avail)
+ return iio_info->read_avail(chan->indio_dev, chan->channel,
+ vals, type, length, info);
+ return -EINVAL;
}
int iio_read_avail_channel_attribute(struct iio_channel *chan,
@@ -935,8 +943,12 @@ EXPORT_SYMBOL_GPL(iio_get_channel_type);
static int iio_channel_write(struct iio_channel *chan, int val, int val2,
enum iio_chan_info_enum info)
{
- return chan->indio_dev->info->write_raw(chan->indio_dev,
- chan->channel, val, val2, info);
+ const struct iio_info *iio_info = chan->indio_dev->info;
+
+ if (iio_info->write_raw)
+ return iio_info->write_raw(chan->indio_dev,
+ chan->channel, val, val2, info);
+ return -EINVAL;
}
int iio_write_channel_attribute(struct iio_channel *chan, int val, int val2,
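Review bot: iio_channel_write now rejects a missing write_raw but still forwards any `info` value to the driver, whereas iio_channel_read checks `iio_channel_has_info()` and iio_channel_read_avail checks `iio_channel_has_available()` before calling into the driver. Unless the callers already filter `info` (their bodies are outside this hunk), consider the matching guard `if (!iio_channel_has_info(chan->channel, info)) return -EINVAL;`. Otherwise add a comment stating why writes are intentionally not gated on the channel's info mask.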
--
2.43.0