From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kent Gibson <warthog618@gmail.com>,
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>,
Sasha Levin <sashal@kernel.org>,
brgl@bgdev.pl, linus.walleij@linaro.org,
linux-gpio@vger.kernel.org
Subject: [PATCH AUTOSEL 6.1 32/61] gpiolib: cdev: Add INIT_KFIFO() for linereq events
Date: Wed, 31 Jul 2024 20:25:50 -0400
Message-ID: <20240801002803.3935985-32-sashal@kernel.org>
In-Reply-To: <20240801002803.3935985-1-sashal@kernel.org>
From: Kent Gibson <warthog618@gmail.com>
[ Upstream commit 35d848e7a1cbba2649ed98cf58e0cdc7ee560c7a ]
The initialisation of the linereq events kfifo relies on the struct being
zeroed and a subsequent call to kfifo_alloc(). The call to kfifo_alloc()
is deferred until edge detection is first enabled for the linereq. If the
kfifo is inadvertently accessed before the call to kfifo_alloc(), as was
the case in a recently discovered bug, it behaves as a FIFO of size 1 with
an element size of 0, so writes and reads to the kfifo appear successful
but copy no actual data.
As a defensive measure, initialise the kfifo with INIT_KFIFO() when the
events kfifo is constructed. This initialises the kfifo element size
and zeroes its data pointer, so any inadvertent access prior to the
kfifo_alloc() call will trigger an oops.
Signed-off-by: Kent Gibson <warthog618@gmail.com>
Link: https://lore.kernel.org/r/20240529131953.195777-2-warthog618@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib-cdev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index be51bd00d2fd2..d50b910080654 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -1812,6 +1812,7 @@ static int linereq_create(struct gpio_device *gdev, void __user *ip)
mutex_init(&lr->config_mutex);
init_waitqueue_head(&lr->wait);
+ INIT_KFIFO(lr->events);
lr->event_buffer_size = ulr.event_buffer_size;
if (lr->event_buffer_size == 0)
lr->event_buffer_size = ulr.num_lines * 16;
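Review bot: The added INIT_KFIFO(lr->events) line in linereq_create() has no comment, and nothing in the code says why a kfifo that is only allocated later is initialised here. A one-line comment above it, stating that kfifo_alloc() is deferred until edge detection is enabled and that this initialisation exists so an early access faults instead of silently copying nothing, would keep a later cleanup from dropping it as redundant with the zeroed struct. For the 6.1 backport it is also worth confirming that the fix for the "recently discovered bug" the message mentions is queued alongside, since this change turns that access from a silent no-op into an oops and the message does not identify the fixing commit.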
--
2.43.0