[PATCH 0/2] gpio: fix NULL-pointer dereferences introduced in GPIO chip setter conversion

[PATCH 0/2] gpio: fix NULL-pointer dereferences introduced in GPIO chip setter conversion

[Bartosz Golaszewski]

I should have paid more attention when doing the GPIO chip setter
conversions that there are instances where the setters are accessed
directly using the function pointers in struct gpio_chip.

This is not optimal and I am making a mental note to track all such
use-cases and use the appropriate wrapper instead. For now: let's just
fix the issue in gpio-mmio and its users as well as one other converted
driver that suffers from it.

Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
---
Bartosz Golaszewski (2):
      gpio: npcm-sgpio: don't use legacy GPIO chip setters
      gpio: mmio: don't use legacy GPIO chip setters

 drivers/gpio/gpio-74xx-mmio.c  | 2 +-
 drivers/gpio/gpio-en7523.c     | 2 +-
 drivers/gpio/gpio-mmio.c       | 6 +++---
 drivers/gpio/gpio-npcm-sgpio.c | 4 +---
 4 files changed, 6 insertions(+), 8 deletions(-)
---
base-commit: 7b20980ffc11514d8849811857d915001236bcfa
change-id: 20250618-gpio-mmio-fix-setter-ddd4dd7a03eb

Best regards,
-- 
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

[PATCH 1/2] gpio: npcm-sgpio: don't use legacy GPIO chip setters

[Bartosz Golaszewski]

From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

We've converted this driver to using the new GPIO line value setters but
missed the instance where the legacy callback is accessed directly using
the function pointer. This will lead to a NULL-pointer dereference as
this pointer is no longer populated. Fix it.

Fixes: 0e1a8930c941 ("gpio: npcm-sgpio: use new GPIO line value setter callbacks")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
---
 drivers/gpio/gpio-npcm-sgpio.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/gpio/gpio-npcm-sgpio.c b/drivers/gpio/gpio-npcm-sgpio.c
index b3953d1ae8af45f4bce9b799434547cd8770d9df..25b203a89e380366e6a1dcd51775f6b1997a1d30 100644
--- a/drivers/gpio/gpio-npcm-sgpio.c
+++ b/drivers/gpio/gpio-npcm-sgpio.c
@@ -211,9 +211,7 @@ static int npcm_sgpio_dir_in(struct gpio_chip *gc, unsigned int offset)
 
 static int npcm_sgpio_dir_out(struct gpio_chip *gc, unsigned int offset, int val)
 {
-	gc->set(gc, offset, val);
-
-	return 0;
+	return gc->set_rv(gc, offset, val);
 }
 
 static int npcm_sgpio_get_direction(struct gpio_chip *gc, unsigned int offset)

-- 
2.48.1

[PATCH 2/2] gpio: mmio: don't use legacy GPIO chip setters

[Bartosz Golaszewski]

From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

We've converted this driver to using the new GPIO line value setters but
missed the instances where the legacy callback is accessed directly using
the function pointer. This will lead to a NULL-pointer dereference as
this pointer is no longer populated. The issue needs fixing locally as
well as in the already converted previously users of gpio-mmio.

Fixes: b908d35d0003 ("gpio: mmio: use new GPIO line value setter callbacks")
Reported-by: Klara Modin <klarasmodin@gmail.com>
Closes: https://lore.kernel.org/all/2rw2sncevdiyirpdovotztlg77apcq2btzytuv5jnm55aqhlne@swtts3hl53tw/
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
---
 drivers/gpio/gpio-74xx-mmio.c | 2 +-
 drivers/gpio/gpio-en7523.c    | 2 +-
 drivers/gpio/gpio-mmio.c      | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/gpio/gpio-74xx-mmio.c b/drivers/gpio/gpio-74xx-mmio.c
index c7ac5a9ffb1fd1cc9439e3320d54574bf0cebbf6..3ba21add3a1c669171578ceaf9cc1728c060d401 100644
--- a/drivers/gpio/gpio-74xx-mmio.c
+++ b/drivers/gpio/gpio-74xx-mmio.c
@@ -100,7 +100,7 @@ static int mmio_74xx_dir_out(struct gpio_chip *gc, unsigned int gpio, int val)
 	struct mmio_74xx_gpio_priv *priv = gpiochip_get_data(gc);
 
 	if (priv->flags & MMIO_74XX_DIR_OUT) {
-		gc->set(gc, gpio, val);
+		gc->set_rv(gc, gpio, val);
 		return 0;
 	}
 
diff --git a/drivers/gpio/gpio-en7523.c b/drivers/gpio/gpio-en7523.c
index 69834db2c1cf26be379c0deca38dda889202f706..c08069d0d1045e9df4a76cad4600bf25d4e3a7c5 100644
--- a/drivers/gpio/gpio-en7523.c
+++ b/drivers/gpio/gpio-en7523.c
@@ -50,7 +50,7 @@ static int airoha_dir_set(struct gpio_chip *gc, unsigned int gpio,
 	iowrite32(dir, ctrl->dir[gpio / 16]);
 
 	if (out)
-		gc->set(gc, gpio, val);
+		gc->set_rv(gc, gpio, val);
 
 	iowrite32(output, ctrl->output);
 
diff --git a/drivers/gpio/gpio-mmio.c b/drivers/gpio/gpio-mmio.c
index 9169eccadb238efe944d494054b1e009f16eee7f..57622f45d33e0695f97c7e0fa40e64f9fd5df1e0 100644
--- a/drivers/gpio/gpio-mmio.c
+++ b/drivers/gpio/gpio-mmio.c
@@ -362,7 +362,7 @@ static int bgpio_dir_out_err(struct gpio_chip *gc, unsigned int gpio,
 static int bgpio_simple_dir_out(struct gpio_chip *gc, unsigned int gpio,
 				int val)
 {
-	gc->set(gc, gpio, val);
+	gc->set_rv(gc, gpio, val);
 
 	return bgpio_dir_return(gc, gpio, true);
 }
@@ -427,14 +427,14 @@ static int bgpio_dir_out_dir_first(struct gpio_chip *gc, unsigned int gpio,
 				   int val)
 {
 	bgpio_dir_out(gc, gpio, val);
-	gc->set(gc, gpio, val);
+	gc->set_rv(gc, gpio, val);
 	return bgpio_dir_return(gc, gpio, true);
 }
 
 static int bgpio_dir_out_val_first(struct gpio_chip *gc, unsigned int gpio,
 				   int val)
 {
-	gc->set(gc, gpio, val);
+	gc->set_rv(gc, gpio, val);
 	bgpio_dir_out(gc, gpio, val);
 	return bgpio_dir_return(gc, gpio, true);
 }

-- 
2.48.1

Re: [PATCH 2/2] gpio: mmio: don't use legacy GPIO chip setters

[Mark Brown]

[-- Attachment #1: Type: text/plain, Size: 807 bytes --]

On Wed, Jun 18, 2025 at 03:02:07PM +0200, Bartosz Golaszewski wrote:
> From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
> 
> We've converted this driver to using the new GPIO line value setters but
> missed the instances where the legacy callback is accessed directly using
> the function pointer. This will lead to a NULL-pointer dereference as
> this pointer is no longer populated. The issue needs fixing locally as
> well as in the already converted previously users of gpio-mmio.

Tested-by: Mark Brown <broonie@kernel.org>

This fixes boot breakage in -next on at least the i.MX6 platforms I
have, I'm also seeing similar issues on a bunch of i.MX8 systems which
look to be due to the same issue but didn't verify them yet.  I'll let
you know if it looks like something else.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH 2/2] gpio: mmio: don't use legacy GPIO chip setters

[Marek Szyprowski]

On 18.06.2025 15:02, Bartosz Golaszewski wrote:
> From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
>
> We've converted this driver to using the new GPIO line value setters but
> missed the instances where the legacy callback is accessed directly using
> the function pointer. This will lead to a NULL-pointer dereference as
> this pointer is no longer populated. The issue needs fixing locally as
> well as in the already converted previously users of gpio-mmio.
>
> Fixes: b908d35d0003 ("gpio: mmio: use new GPIO line value setter callbacks")
> Reported-by: Klara Modin <klarasmodin@gmail.com>
> Closes: https://lore.kernel.org/all/2rw2sncevdiyirpdovotztlg77apcq2btzytuv5jnm55aqhlne@swtts3hl53tw/
> Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>

This fixes the NULL pointer dereference issue observed on RaspberryPi5 
and BananaPiF3 boards with today's linux-next.

> ---
>   drivers/gpio/gpio-74xx-mmio.c | 2 +-
>   drivers/gpio/gpio-en7523.c    | 2 +-
>   drivers/gpio/gpio-mmio.c      | 6 +++---
>   3 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/gpio/gpio-74xx-mmio.c b/drivers/gpio/gpio-74xx-mmio.c
> index c7ac5a9ffb1fd1cc9439e3320d54574bf0cebbf6..3ba21add3a1c669171578ceaf9cc1728c060d401 100644
> --- a/drivers/gpio/gpio-74xx-mmio.c
> +++ b/drivers/gpio/gpio-74xx-mmio.c
> @@ -100,7 +100,7 @@ static int mmio_74xx_dir_out(struct gpio_chip *gc, unsigned int gpio, int val)
>   	struct mmio_74xx_gpio_priv *priv = gpiochip_get_data(gc);
>   
>   	if (priv->flags & MMIO_74XX_DIR_OUT) {
> -		gc->set(gc, gpio, val);
> +		gc->set_rv(gc, gpio, val);
>   		return 0;
>   	}
>   
> diff --git a/drivers/gpio/gpio-en7523.c b/drivers/gpio/gpio-en7523.c
> index 69834db2c1cf26be379c0deca38dda889202f706..c08069d0d1045e9df4a76cad4600bf25d4e3a7c5 100644
> --- a/drivers/gpio/gpio-en7523.c
> +++ b/drivers/gpio/gpio-en7523.c
> @@ -50,7 +50,7 @@ static int airoha_dir_set(struct gpio_chip *gc, unsigned int gpio,
>   	iowrite32(dir, ctrl->dir[gpio / 16]);
>   
>   	if (out)
> -		gc->set(gc, gpio, val);
> +		gc->set_rv(gc, gpio, val);
>   
>   	iowrite32(output, ctrl->output);
>   
> diff --git a/drivers/gpio/gpio-mmio.c b/drivers/gpio/gpio-mmio.c
> index 9169eccadb238efe944d494054b1e009f16eee7f..57622f45d33e0695f97c7e0fa40e64f9fd5df1e0 100644
> --- a/drivers/gpio/gpio-mmio.c
> +++ b/drivers/gpio/gpio-mmio.c
> @@ -362,7 +362,7 @@ static int bgpio_dir_out_err(struct gpio_chip *gc, unsigned int gpio,
>   static int bgpio_simple_dir_out(struct gpio_chip *gc, unsigned int gpio,
>   				int val)
>   {
> -	gc->set(gc, gpio, val);
> +	gc->set_rv(gc, gpio, val);
>   
>   	return bgpio_dir_return(gc, gpio, true);
>   }
> @@ -427,14 +427,14 @@ static int bgpio_dir_out_dir_first(struct gpio_chip *gc, unsigned int gpio,
>   				   int val)
>   {
>   	bgpio_dir_out(gc, gpio, val);
> -	gc->set(gc, gpio, val);
> +	gc->set_rv(gc, gpio, val);
>   	return bgpio_dir_return(gc, gpio, true);
>   }
>   
>   static int bgpio_dir_out_val_first(struct gpio_chip *gc, unsigned int gpio,
>   				   int val)
>   {
> -	gc->set(gc, gpio, val);
> +	gc->set_rv(gc, gpio, val);
>   	bgpio_dir_out(gc, gpio, val);
>   	return bgpio_dir_return(gc, gpio, true);
>   }
>
Best regards
-- 
Marek Szyprowski, PhD
Samsung R&D Institute Poland

Re: [PATCH 2/2] gpio: mmio: don't use legacy GPIO chip setters

[Klara Modin]

On 2025-06-18 15:02:07 +0200, Bartosz Golaszewski wrote:
> From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
> 
> We've converted this driver to using the new GPIO line value setters but
> missed the instances where the legacy callback is accessed directly using
> the function pointer. This will lead to a NULL-pointer dereference as
> this pointer is no longer populated. The issue needs fixing locally as
> well as in the already converted previously users of gpio-mmio.
> 
> Fixes: b908d35d0003 ("gpio: mmio: use new GPIO line value setter callbacks")
> Reported-by: Klara Modin <klarasmodin@gmail.com>
> Closes: https://lore.kernel.org/all/2rw2sncevdiyirpdovotztlg77apcq2btzytuv5jnm55aqhlne@swtts3hl53tw/
> Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
> ---
>  drivers/gpio/gpio-74xx-mmio.c | 2 +-
>  drivers/gpio/gpio-en7523.c    | 2 +-
>  drivers/gpio/gpio-mmio.c      | 6 +++---
>  3 files changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/gpio/gpio-74xx-mmio.c b/drivers/gpio/gpio-74xx-mmio.c
> index c7ac5a9ffb1fd1cc9439e3320d54574bf0cebbf6..3ba21add3a1c669171578ceaf9cc1728c060d401 100644
> --- a/drivers/gpio/gpio-74xx-mmio.c
> +++ b/drivers/gpio/gpio-74xx-mmio.c
> @@ -100,7 +100,7 @@ static int mmio_74xx_dir_out(struct gpio_chip *gc, unsigned int gpio, int val)
>  	struct mmio_74xx_gpio_priv *priv = gpiochip_get_data(gc);
>  
>  	if (priv->flags & MMIO_74XX_DIR_OUT) {
> -		gc->set(gc, gpio, val);
> +		gc->set_rv(gc, gpio, val);
>  		return 0;
>  	}
>  
> diff --git a/drivers/gpio/gpio-en7523.c b/drivers/gpio/gpio-en7523.c
> index 69834db2c1cf26be379c0deca38dda889202f706..c08069d0d1045e9df4a76cad4600bf25d4e3a7c5 100644
> --- a/drivers/gpio/gpio-en7523.c
> +++ b/drivers/gpio/gpio-en7523.c
> @@ -50,7 +50,7 @@ static int airoha_dir_set(struct gpio_chip *gc, unsigned int gpio,
>  	iowrite32(dir, ctrl->dir[gpio / 16]);
>  
>  	if (out)
> -		gc->set(gc, gpio, val);
> +		gc->set_rv(gc, gpio, val);
>  
>  	iowrite32(output, ctrl->output);
>  
> diff --git a/drivers/gpio/gpio-mmio.c b/drivers/gpio/gpio-mmio.c
> index 9169eccadb238efe944d494054b1e009f16eee7f..57622f45d33e0695f97c7e0fa40e64f9fd5df1e0 100644
> --- a/drivers/gpio/gpio-mmio.c
> +++ b/drivers/gpio/gpio-mmio.c
> @@ -362,7 +362,7 @@ static int bgpio_dir_out_err(struct gpio_chip *gc, unsigned int gpio,
>  static int bgpio_simple_dir_out(struct gpio_chip *gc, unsigned int gpio,
>  				int val)
>  {
> -	gc->set(gc, gpio, val);
> +	gc->set_rv(gc, gpio, val);
>  
>  	return bgpio_dir_return(gc, gpio, true);
>  }
> @@ -427,14 +427,14 @@ static int bgpio_dir_out_dir_first(struct gpio_chip *gc, unsigned int gpio,
>  				   int val)
>  {
>  	bgpio_dir_out(gc, gpio, val);
> -	gc->set(gc, gpio, val);
> +	gc->set_rv(gc, gpio, val);
>  	return bgpio_dir_return(gc, gpio, true);
>  }
>  
>  static int bgpio_dir_out_val_first(struct gpio_chip *gc, unsigned int gpio,
>  				   int val)
>  {
> -	gc->set(gc, gpio, val);
> +	gc->set_rv(gc, gpio, val);
>  	bgpio_dir_out(gc, gpio, val);
>  	return bgpio_dir_return(gc, gpio, true);
>  }
> 
> -- 
> 2.48.1
> 

This also fixes the null pointer dereference for me on the Banana Pi
BPI-F3 from my report.

Thanks,
Tested-by: Klara Modin <klarasmodin@gmail.com>

Re: [PATCH 0/2] gpio: fix NULL-pointer dereferences introduced in GPIO chip setter conversion

[Bartosz Golaszewski]

From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>


On Wed, 18 Jun 2025 15:02:05 +0200, Bartosz Golaszewski wrote:
> I should have paid more attention when doing the GPIO chip setter
> conversions that there are instances where the setters are accessed
> directly using the function pointers in struct gpio_chip.
> 
> This is not optimal and I am making a mental note to track all such
> use-cases and use the appropriate wrapper instead. For now: let's just
> fix the issue in gpio-mmio and its users as well as one other converted
> driver that suffers from it.
> 
> [...]

Applied, thanks!

[1/2] gpio: npcm-sgpio: don't use legacy GPIO chip setters
      https://git.kernel.org/brgl/linux/c/1fd7d210952938e8ef6d87287e056e25a2fc0547
[2/2] gpio: mmio: don't use legacy GPIO chip setters
      https://git.kernel.org/brgl/linux/c/cbb887a76b788d8e9646fdd785f43745a3a662bb

Best regards,
-- 
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>