[PATCH] pinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms

[PATCH] pinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms

[Nícolas F. R. A. Prado]

Commit 3ef9f710efcb ("pinctrl: mediatek: Add EINT support for multiple
addresses") introduced an access to the 'soc' field of struct
mtk_pinctrl in mtk_eint_do_init() and for that an include of
pinctrl-mtk-common-v2.h.

However, pinctrl drivers relying on the v1 common driver include
pinctrl-mtk-common.h instead, which provides another definition of
struct mtk_pinctrl that does not contain an 'soc' field.

Since mtk_eint_do_init() can be called both by v1 and v2 drivers, it
will now try to dereference an invalid pointer when called on v1
platforms. This has been observed on Genio 350 EVK (MT8365), which
crashes very early in boot (the kernel trace can only be seen with
earlycon).

In order to fix this, given that this if code block is only relevant for
platforms with multiple EINT bases, and the previous if block already
handles the single base case, add an else statement so this if condition
will never even be evaluated on platforms with a single EINT base, which
covers all v1 platforms following commit fe412e3a6c97 ("pinctrl:
mediatek: common-v1: Fix EINT breakage on older controllers").

Fixes: 3ef9f710efcb ("pinctrl: mediatek: Add EINT support for multiple addresses")
Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
---
 drivers/pinctrl/mediatek/mtk-eint.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/pinctrl/mediatek/mtk-eint.c b/drivers/pinctrl/mediatek/mtk-eint.c
index 16af6a47028e67bb53db4041a37ebbbb8b9a1e43..9114e0cd9def1bc65558c67317abe67ba63ef1f6 100644
--- a/drivers/pinctrl/mediatek/mtk-eint.c
+++ b/drivers/pinctrl/mediatek/mtk-eint.c
@@ -531,9 +531,7 @@ int mtk_eint_do_init(struct mtk_eint *eint)
 			eint->pins[i].index = i;
 			eint->pins[i].debounce = (i < eint->hw->db_cnt) ? 1 : 0;
 		}
-	}
-
-	if (hw && hw->soc && hw->soc->eint_pin) {
+	} else if (hw && hw->soc && hw->soc->eint_pin) {
 		eint->pins = hw->soc->eint_pin;
 		for (i = 0; i < eint->hw->ap_num; i++) {
 			inst = eint->pins[i].instance;

---
base-commit: 8566fc3b96539e3235909d6bdda198e1282beaed
change-id: 20250519-genio-350-eint-null-ptr-deref-fix-1a163aa9ad84

Best regards,
-- 
Nícolas F. R. A. Prado <nfraprado@collabora.com>

Re: [PATCH] pinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms

[AngeloGioacchino Del Regno]

Il 19/05/25 21:38, Nícolas F. R. A. Prado ha scritto:
> Commit 3ef9f710efcb ("pinctrl: mediatek: Add EINT support for multiple
> addresses") introduced an access to the 'soc' field of struct
> mtk_pinctrl in mtk_eint_do_init() and for that an include of
> pinctrl-mtk-common-v2.h.
> 
> However, pinctrl drivers relying on the v1 common driver include
> pinctrl-mtk-common.h instead, which provides another definition of
> struct mtk_pinctrl that does not contain an 'soc' field.
> 
> Since mtk_eint_do_init() can be called both by v1 and v2 drivers, it
> will now try to dereference an invalid pointer when called on v1
> platforms. This has been observed on Genio 350 EVK (MT8365), which
> crashes very early in boot (the kernel trace can only be seen with
> earlycon).
> 
> In order to fix this, given that this if code block is only relevant for
> platforms with multiple EINT bases, and the previous if block already
> handles the single base case, add an else statement so this if condition
> will never even be evaluated on platforms with a single EINT base, which
> covers all v1 platforms following commit fe412e3a6c97 ("pinctrl:
> mediatek: common-v1: Fix EINT breakage on older controllers").
> 
> Fixes: 3ef9f710efcb ("pinctrl: mediatek: Add EINT support for multiple addresses")
> Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>

I say that this is going to backfire next time.

I would rather propose, instead....

int mtk_eint_do_init(struct mtk_eint *eint, const struct mtk_eint_pin *eint_pin)
{
	...

	[if (or) else if] (eint_pin) {
		eint->pins = eint_pin;
		... etc
	}
}

...so that we avoid having this issue about referencing two different structures
called with the same name (which is bad from the principle anyway), and no more
mistakes around that in the future.

This also means that we can remove the inclusion of pinctrl-mtk-common-v2.h from
the mtk-eint.c file, as that's the right thing to do: eint should be standalone
and should not depend on ambiguous definitions from pinctrl-mtk-common(-v2).h.

Cheers,
Angelo

> ---
>   drivers/pinctrl/mediatek/mtk-eint.c | 4 +---
>   1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/drivers/pinctrl/mediatek/mtk-eint.c b/drivers/pinctrl/mediatek/mtk-eint.c
> index 16af6a47028e67bb53db4041a37ebbbb8b9a1e43..9114e0cd9def1bc65558c67317abe67ba63ef1f6 100644
> --- a/drivers/pinctrl/mediatek/mtk-eint.c
> +++ b/drivers/pinctrl/mediatek/mtk-eint.c
> @@ -531,9 +531,7 @@ int mtk_eint_do_init(struct mtk_eint *eint)
>   			eint->pins[i].index = i;
>   			eint->pins[i].debounce = (i < eint->hw->db_cnt) ? 1 : 0;
>   		}
> -	}
> -
> -	if (hw && hw->soc && hw->soc->eint_pin) {
> +	} else if (hw && hw->soc && hw->soc->eint_pin) {
>   		eint->pins = hw->soc->eint_pin;
>   		for (i = 0; i < eint->hw->ap_num; i++) {
>   			inst = eint->pins[i].instance;
> 
> ---
> base-commit: 8566fc3b96539e3235909d6bdda198e1282beaed
> change-id: 20250519-genio-350-eint-null-ptr-deref-fix-1a163aa9ad84
> 
> Best regards,