[PATCH v2 1/2] gpio: sim: dispose of irq mappings before destroying the irq_sim domain

[PATCH v2 1/2] gpio: sim: dispose of irq mappings before destroying the irq_sim domain

[Bartosz Golaszewski]

From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

If a GPIO simulator device is unbound with interrupts still requested,
we will hit a use-after-free issue in __irq_domain_deactivate_irq(). The
owner of the irq domain must dispose of all mappings before destroying
the domain object.

Fixes: cb8c474e79be ("gpio: sim: new testing module")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
---
v1 -> v2:
- drop the return value check of irq_find_mapping()

 drivers/gpio/gpio-sim.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/drivers/gpio/gpio-sim.c b/drivers/gpio/gpio-sim.c
index f1f6f1c32987..8fb11a5395eb 100644
--- a/drivers/gpio/gpio-sim.c
+++ b/drivers/gpio/gpio-sim.c
@@ -291,6 +291,15 @@ static void gpio_sim_mutex_destroy(void *data)
 	mutex_destroy(lock);
 }
 
+static void gpio_sim_dispose_mappings(void *data)
+{
+	struct gpio_sim_chip *chip = data;
+	unsigned int i;
+
+	for (i = 0; i < chip->gc.ngpio; i++)
+		irq_dispose_mapping(irq_find_mapping(chip->irq_sim, i));
+}
+
 static void gpio_sim_sysfs_remove(void *data)
 {
 	struct gpio_sim_chip *chip = data;
@@ -406,6 +415,10 @@ static int gpio_sim_add_bank(struct fwnode_handle *swnode, struct device *dev)
 	if (IS_ERR(chip->irq_sim))
 		return PTR_ERR(chip->irq_sim);
 
+	ret = devm_add_action_or_reset(dev, gpio_sim_dispose_mappings, chip);
+	if (ret)
+		return ret;
+
 	mutex_init(&chip->lock);
 	ret = devm_add_action_or_reset(dev, gpio_sim_mutex_destroy,
 				       &chip->lock);
-- 
2.39.2

[PATCH v2 2/2] gpio: sim: pass the GPIO device's software node to irq domain

[Bartosz Golaszewski]

From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

Associate the swnode of the GPIO device's (which is the interrupt
controller here) with the irq domain. Otherwise the interrupt-controller
device attribute is a no-op.

Fixes: cb8c474e79be ("gpio: sim: new testing module")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
---
v1 -> v2:
- tweak the commit message

 drivers/gpio/gpio-sim.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpio/gpio-sim.c b/drivers/gpio/gpio-sim.c
index 8fb11a5395eb..533d81572579 100644
--- a/drivers/gpio/gpio-sim.c
+++ b/drivers/gpio/gpio-sim.c
@@ -411,7 +411,7 @@ static int gpio_sim_add_bank(struct fwnode_handle *swnode, struct device *dev)
 	if (!chip->pull_map)
 		return -ENOMEM;
 
-	chip->irq_sim = devm_irq_domain_create_sim(dev, NULL, num_lines);
+	chip->irq_sim = devm_irq_domain_create_sim(dev, swnode, num_lines);
 	if (IS_ERR(chip->irq_sim))
 		return PTR_ERR(chip->irq_sim);
 
-- 
2.39.2

Re: [PATCH v2 1/2] gpio: sim: dispose of irq mappings before destroying the irq_sim domain

[Andy Shevchenko]

On Tue, Aug 22, 2023 at 09:29:42PM +0200, Bartosz Golaszewski wrote:
> From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
> 
> If a GPIO simulator device is unbound with interrupts still requested,
> we will hit a use-after-free issue in __irq_domain_deactivate_irq(). The
> owner of the irq domain must dispose of all mappings before destroying
> the domain object.

Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

> Fixes: cb8c474e79be ("gpio: sim: new testing module")
> Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
> ---
> v1 -> v2:
> - drop the return value check of irq_find_mapping()
> 
>  drivers/gpio/gpio-sim.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/drivers/gpio/gpio-sim.c b/drivers/gpio/gpio-sim.c
> index f1f6f1c32987..8fb11a5395eb 100644
> --- a/drivers/gpio/gpio-sim.c
> +++ b/drivers/gpio/gpio-sim.c
> @@ -291,6 +291,15 @@ static void gpio_sim_mutex_destroy(void *data)
>  	mutex_destroy(lock);
>  }
>  
> +static void gpio_sim_dispose_mappings(void *data)
> +{
> +	struct gpio_sim_chip *chip = data;
> +	unsigned int i;
> +
> +	for (i = 0; i < chip->gc.ngpio; i++)
> +		irq_dispose_mapping(irq_find_mapping(chip->irq_sim, i));
> +}
> +
>  static void gpio_sim_sysfs_remove(void *data)
>  {
>  	struct gpio_sim_chip *chip = data;
> @@ -406,6 +415,10 @@ static int gpio_sim_add_bank(struct fwnode_handle *swnode, struct device *dev)
>  	if (IS_ERR(chip->irq_sim))
>  		return PTR_ERR(chip->irq_sim);
>  
> +	ret = devm_add_action_or_reset(dev, gpio_sim_dispose_mappings, chip);
> +	if (ret)
> +		return ret;
> +
>  	mutex_init(&chip->lock);
>  	ret = devm_add_action_or_reset(dev, gpio_sim_mutex_destroy,
>  				       &chip->lock);
> -- 
> 2.39.2
> 

-- 
With Best Regards,
Andy Shevchenko