public inbox for linux-acpi@vger.kernel.org
* [6.17 REGRESSION FIX] gpiolib: acpi: Fix using random stack memory during GPIO lookups
@ 2025-09-12 22:18 Hans de Goede
  2025-09-14 13:24 ` Andy Shevchenko
  0 siblings, 1 reply; 4+ messages in thread
From: Hans de Goede @ 2025-09-12 22:18 UTC (permalink / raw)
  To: Mika Westerberg, Andy Shevchenko, Bartosz Golaszewski,
	Linus Walleij
  Cc: Hans de Goede, linux-gpio, linux-acpi

Before commit 8b4f52ef7a41 ("gpiolib: acpi: Deduplicate some code in
__acpi_find_gpio()") and the follow-up fix commit 7c010d463372 ("gpiolib:
acpi: Make sure we fill struct acpi_gpio_info"), the struct acpi_gpio_info
used during lookups was part of struct acpi_gpio_lookup which gets
memset() to 0 before use.

And then after a successful lookup, acpi_gpio_resource_lookup() would
copy the content of the zeroed acpi_gpio_lookup.info to the on
stack struct acpi_gpio_info in __acpi_find_gpio(), overwriting any
uninitialized memory contents there.

But now instead a pointer to the on stack struct acpi_gpio_info in
__acpi_find_gpio() is passed around, but that struct is never
initialized.

This passing around of the uninitialized struct breaks index based
lookups of GpioInt GPIOs because info->quirks now contains some random
on stack data which may contain ACPI_GPIO_QUIRK_ONLY_GPIOIO.

Initialize the on stack struct acpi_gpio_info to 0 to fix this.

Fixes: 8b4f52ef7a41 ("gpiolib: acpi: Deduplicate some code in __acpi_find_gpio()")
Fixes: 7c010d463372 ("gpiolib: acpi: Make sure we fill struct acpi_gpio_info")
Signed-off-by: Hans de Goede <hansg@kernel.org>
---
 drivers/gpio/gpiolib-acpi-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpio/gpiolib-acpi-core.c b/drivers/gpio/gpiolib-acpi-core.c
index 12b24a717e43..1cc5d0702ee1 100644
--- a/drivers/gpio/gpiolib-acpi-core.c
+++ b/drivers/gpio/gpiolib-acpi-core.c
@@ -942,7 +942,7 @@ struct gpio_desc *acpi_find_gpio(struct fwnode_handle *fwnode,
 {
 	struct acpi_device *adev = to_acpi_device_node(fwnode);
 	bool can_fallback = acpi_can_fallback_to_crs(adev, con_id);
-	struct acpi_gpio_info info;
+	struct acpi_gpio_info info = { };
 	struct gpio_desc *desc;
 
 	desc = __acpi_find_gpio(fwnode, con_id, idx, can_fallback, &info);
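Review bot: The `= { }` initializer on `info` covers only this declaration in acpi_find_gpio(), while the value that matters, info->quirks, is read further down the lookup path reached through `__acpi_find_gpio(..., &info)`. Any other on-stack struct acpi_gpio_info handed to the same lookup helpers needs the same initializer, or the struct could be zeroed where the lookup starts so that a caller cannot forget it. A one-line comment here saying that info->quirks is an input to the lookup would also keep the initializer from being dropped in a later cleanup.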
-- 
2.51.0
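The failure mode described in the commit message above, as an added example that is not part of the original post and is not kernel code: a lookup reads a quirks field from a caller-provided struct before writing its outputs. All names and the bit value are assumptions for this model, and stale stack contents are modelled with a 0xAA fill because reading truly uninitialized memory is undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model: hypothetical names and bit value, not the kernel's. */
#define QUIRK_ONLY_GPIOIO (1u << 1)

struct gpio_info {              /* stands in for struct acpi_gpio_info */
	unsigned int quirks;    /* input: read by the lookup */
	int pin;                /* output: written on success */
};

struct resource { bool is_gpioint; int pin; };

/* Constructed resource list: two GpioInt entries. */
static const struct resource crs[] = { { true, 17 }, { true, 23 } };

/* Index-based lookup that honours info->quirks before filling outputs. */
static int lookup_by_index(size_t idx, struct gpio_info *info)
{
	if (idx >= sizeof(crs) / sizeof(crs[0]))
		return -1;
	if ((info->quirks & QUIRK_ONLY_GPIOIO) && crs[idx].is_gpioint)
		return -1;      /* GpioInt rejected when the quirk bit is set */
	info->pin = crs[idx].pin;
	return 0;
}

/* Caller whose struct holds leftover bytes (0xAA fill sets the quirk bit). */
int find_gpio_stale(size_t idx)
{
	struct gpio_info info;
	memset(&info, 0xAA, sizeof(info)); /* stand-in for stale stack data */
	return lookup_by_index(idx, &info) ? -1 : info.pin;
}

/* Caller with a zero-initialized struct, the pattern the patch applies. */
int find_gpio_zeroed(size_t idx)
{
	struct gpio_info info = { 0 };
	return lookup_by_index(idx, &info) ? -1 : info.pin;
}

int main(void)
{
	printf("stale: %d, zeroed: %d\n", find_gpio_stale(0), find_gpio_zeroed(0));
	return 0;
}
```

With real stack garbage the result depends on what earlier calls left behind, which is why such a regression can show up on some boards and builds and not others.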



* Re: [6.17 REGRESSION FIX] gpiolib: acpi: Fix using random stack memory during GPIO lookups
  2025-09-12 22:18 [6.17 REGRESSION FIX] gpiolib: acpi: Fix using random stack memory during GPIO lookups Hans de Goede
@ 2025-09-14 13:24 ` Andy Shevchenko
  2025-09-14 17:52   ` Hans de Goede
  0 siblings, 1 reply; 4+ messages in thread
From: Andy Shevchenko @ 2025-09-14 13:24 UTC (permalink / raw)
  To: Hans de Goede
  Cc: Mika Westerberg, Andy Shevchenko, Bartosz Golaszewski,
	Linus Walleij, linux-gpio, linux-acpi

On Sat, Sep 13, 2025 at 1:19 AM Hans de Goede <hansg@kernel.org> wrote:
>
> Before commit 8b4f52ef7a41 ("gpiolib: acpi: Deduplicate some code in
> __acpi_find_gpio()") and the follow-up fix commit 7c010d463372 ("gpiolib:
> acpi: Make sure we fill struct acpi_gpio_info"), the struct acpi_gpio_info
> used during lookups was part of struct acpi_gpio_lookup which gets
> memset() to 0 before use.
>
> And then after a successful lookup, acpi_gpio_resource_lookup() would
> copy the content of the zeroed acpi_gpio_lookup.info to the on
> stack struct acpi_gpio_info in __acpi_find_gpio(), overwriting any
> uninitialized memory contents there.
>
> But now instead a pointer to the on stack struct acpi_gpio_info in
> __acpi_find_gpio() is passed around, but that struct is never
> initialized.
>
> This passing around of the uninitialized struct breaks index based
> lookups of GpioInt GPIOs because info->quirks now contains some random
> on stack data which may contain ACPI_GPIO_QUIRK_ONLY_GPIOIO.
>
> Initialize the on stack struct acpi_gpio_info to 0 to fix this.

Ah, very good catch! I missed that field that can have garbage as we
don't fill it. I'll take it on Monday and prepare a PR next week.

-- 
With Best Regards,
Andy Shevchenko


* Re: [6.17 REGRESSION FIX] gpiolib: acpi: Fix using random stack memory during GPIO lookups
  2025-09-14 13:24 ` Andy Shevchenko
@ 2025-09-14 17:52   ` Hans de Goede
  2025-09-15  6:28     ` Andy Shevchenko
  0 siblings, 1 reply; 4+ messages in thread
From: Hans de Goede @ 2025-09-14 17:52 UTC (permalink / raw)
  To: Andy Shevchenko, Sébastien Szymanski
  Cc: Mika Westerberg, Andy Shevchenko, Bartosz Golaszewski,
	Linus Walleij, linux-gpio, linux-acpi

Hi Andy,

On 14-Sep-25 3:24 PM, Andy Shevchenko wrote:
> On Sat, Sep 13, 2025 at 1:19 AM Hans de Goede <hansg@kernel.org> wrote:
>>
>> Before commit 8b4f52ef7a41 ("gpiolib: acpi: Deduplicate some code in
>> __acpi_find_gpio()") and the follow-up fix commit 7c010d463372 ("gpiolib:
>> acpi: Make sure we fill struct acpi_gpio_info"), the struct acpi_gpio_info
>> used during lookups was part of struct acpi_gpio_lookup which gets
>> memset() to 0 before use.
>>
>> And then after a successful lookup, acpi_gpio_resource_lookup() would
>> copy the content of the zeroed acpi_gpio_lookup.info to the on
>> stack struct acpi_gpio_info in __acpi_find_gpio(), overwriting any
>> uninitialized memory contents there.
>>
>> But now instead a pointer to the on stack struct acpi_gpio_info in
>> __acpi_find_gpio() is passed around, but that struct is never
>> initialized.
>>
>> This passing around of the uninitialized struct breaks index based
>> lookups of GpioInt GPIOs because info->quirks now contains some random
>> on stack data which may contain ACPI_GPIO_QUIRK_ONLY_GPIOIO.
>>
>> Initialize the on stack struct acpi_gpio_info to 0 to fix this.
> 
> Ah, very good catch! I missed that field that can have garbage as we
> don't fill it. I'll take it on Monday and prepare a PR next week.

Thank you, but please take the more complete fix from Sébastien
available here:

https://lore.kernel.org/linux-gpio/20250912-gpiolib-acpi-fix-v1-1-1a41acbffadf@armadeus.com/

That also initializes a second case of an uninitialized
struct acpi_gpio_info on the stack.

Regards,

Hans





* Re: [6.17 REGRESSION FIX] gpiolib: acpi: Fix using random stack memory during GPIO lookups
  2025-09-14 17:52   ` Hans de Goede
@ 2025-09-15  6:28     ` Andy Shevchenko
  0 siblings, 0 replies; 4+ messages in thread
From: Andy Shevchenko @ 2025-09-15  6:28 UTC (permalink / raw)
  To: Hans de Goede
  Cc: Andy Shevchenko, Sébastien Szymanski, Mika Westerberg,
	Andy Shevchenko, Bartosz Golaszewski, Linus Walleij, linux-gpio,
	linux-acpi

On Sun, Sep 14, 2025 at 07:52:48PM +0200, Hans de Goede wrote:
> On 14-Sep-25 3:24 PM, Andy Shevchenko wrote:
> > On Sat, Sep 13, 2025 at 1:19 AM Hans de Goede <hansg@kernel.org> wrote:
> >>
> >> Before commit 8b4f52ef7a41 ("gpiolib: acpi: Deduplicate some code in
> >> __acpi_find_gpio()") and the follow-up fix commit 7c010d463372 ("gpiolib:
> >> acpi: Make sure we fill struct acpi_gpio_info"), the struct acpi_gpio_info
> >> used during lookups was part of struct acpi_gpio_lookup which gets
> >> memset() to 0 before use.
> >>
> >> And then after a successful lookup, acpi_gpio_resource_lookup() would
> >> copy the content of the zeroed acpi_gpio_lookup.info to the on
> >> stack struct acpi_gpio_info in __acpi_find_gpio(), overwriting any
> >> uninitialized memory contents there.
> >>
> >> But now instead a pointer to the on stack struct acpi_gpio_info in
> >> __acpi_find_gpio() is passed around, but that struct is never
> >> initialized.
> >>
> >> This passing around of the uninitialized struct breaks index based
> >> lookups of GpioInt GPIOs because info->quirks now contains some random
> >> on stack data which may contain ACPI_GPIO_QUIRK_ONLY_GPIOIO.
> >>
> >> Initialize the on stack struct acpi_gpio_info to 0 to fix this.
> > 
> > Ah, very good catch! I missed that field that can have garbage as we
> > don't fill it. I'll take it on Monday and prepare a PR next week.
> 
> Thank you, but please take the more complete fix from Sébastien
> available here:
> 
> https://lore.kernel.org/linux-gpio/20250912-gpiolib-acpi-fix-v1-1-1a41acbffadf@armadeus.com/
> 
> That also initializes a second case of an uninitialized
> struct acpi_gpio_info on the stack.

Sure, thanks for the heads up!

-- 
With Best Regards,
Andy Shevchenko


