From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kent Gibson <warthog618@gmail.com>,
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>,
Sasha Levin <sashal@kernel.org>,
brgl@bgdev.pl, linus.walleij@linaro.org,
linux-gpio@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 21/38] gpiolib: cdev: Add INIT_KFIFO() for linereq events
Date: Wed, 31 Jul 2024 20:35:27 -0400
Message-ID: <20240801003643.3938534-21-sashal@kernel.org>
In-Reply-To: <20240801003643.3938534-1-sashal@kernel.org>

From: Kent Gibson <warthog618@gmail.com>

[ Upstream commit 35d848e7a1cbba2649ed98cf58e0cdc7ee560c7a ]

The initialisation of the linereq events kfifo relies on the struct being
zeroed and a subsequent call to kfifo_alloc(). The call to kfifo_alloc()
is deferred until edge detection is first enabled for the linereq. If the
kfifo is inadvertently accessed before the call to kfifo_alloc(), as was
the case in a recently discovered bug, it behaves as a FIFO of size 1 with
an element size of 0, so writes and reads to the kfifo appear successful
but copy no actual data.

As a defensive measure, initialise the kfifo with INIT_KFIFO() when the
events kfifo is constructed. This initialises the kfifo element size
and zeroes its data pointer, so any inadvertent access prior to the
kfifo_alloc() call will trigger an oops.

Signed-off-by: Kent Gibson <warthog618@gmail.com>
Link: https://lore.kernel.org/r/20240529131953.195777-2-warthog618@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib-cdev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index 95861916deffb..05ed8fd40cbfc 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -1354,6 +1354,7 @@ static int linereq_create(struct gpio_device *gdev, void __user *ip)
mutex_init(&lr->config_mutex);
init_waitqueue_head(&lr->wait);
+ INIT_KFIFO(lr->events);
lr->event_buffer_size = ulr.event_buffer_size;
if (lr->event_buffer_size == 0)
lr->event_buffer_size = ulr.num_lines * 16;
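Review bot: The added INIT_KFIFO(lr->events) line in linereq_create() has no comment saying why the kfifo is initialised here while kfifo_alloc() is deferred until edge detection is first enabled, so a later cleanup could drop it as redundant with the zeroed struct. A one-line comment above it stating that it sets the element size and leaves the data pointer NULL, so that any access before kfifo_alloc() faults instead of silently copying nothing, would preserve the intent. For this 5.10 backport, also confirm that the fix for the "recently discovered bug" mentioned in the commit message is present in the same tree: the hunk itself only changes how a premature access fails (an oops instead of an empty read or write), it does not remove the premature access.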
--
2.43.0