linux-kernel.vger.kernel.org archive mirror
* [PATCH] How to reproduce this issue
@ 2018-09-29  9:06 Yanjiang Jin
  2018-09-29  9:06 ` [PATCH] pinctrl: core: make sure strcmp() doesn't get a null parameter Yanjiang Jin
  0 siblings, 1 reply; 3+ messages in thread
From: Yanjiang Jin @ 2018-09-29  9:06 UTC (permalink / raw)
  To: jinyanjiang, linus.walleij
  Cc: yanjiang.jin, yu.zheng, linux-gpio, linux-kernel

On my HXT Semiconductor REP-2 board, I can use an LTP case "read_all"
to reproduce it as below:

/opt/ltp/runltp -f fs -s read_all_sys

or

read_all -d /sys -q -r 10

Or just simply visit the sys node "QCOM8002's pinconf-groups":

"cat /sys/kernel/debug/pinctrl/QCOM8002\:00/pinconf-groups"


Yanjiang Jin (1):
  pinctrl: core: make sure strcmp() doesn't get a null parameter

 drivers/pinctrl/core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--
1.8.3.1




This email is intended only for the named addressee. It may contain information that is confidential/private, legally privileged, or copyright-protected, and you should handle it accordingly. If you are not the intended recipient, you do not have legal rights to retain, copy, or distribute this email or its contents, and should promptly delete the email and all electronic copies in your system; do not retain copies in any media. If you have received this email in error, please notify the sender promptly. Thank you.




* [PATCH] pinctrl: core: make sure strcmp() doesn't get a null parameter
  2018-09-29  9:06 [PATCH] How to reproduce this issue Yanjiang Jin
@ 2018-09-29  9:06 ` Yanjiang Jin
  2018-10-01 11:46   ` Linus Walleij
  0 siblings, 1 reply; 3+ messages in thread
From: Yanjiang Jin @ 2018-09-29  9:06 UTC (permalink / raw)
  To: jinyanjiang, linus.walleij
  Cc: yanjiang.jin, yu.zheng, linux-gpio, linux-kernel

Some drivers, for example, QCOM's qdf2xxx, set groups[gpio].name only
when gpio is valid, and leave invalid gpio names as null.
If we want to access the sys node "pinconf-groups",
pinctrl_get_group_selector() -> get_group_name() may return a null
pointer if group_selector is invalid, then the below Kernel panic
would happen since strcmp() uses this null pointer to do comparison.

 Unable to handle kernel NULL pointer dereference at ss 00000000
el:Internal error: Oops: 9600000[ 143.080279]
SMP
 CPU: 19 PID: 2493 Comm: read_all Tainted: G O
.aarch64 #1
 Hardware name: HXT Semiconductor HXT REP-2 System
 PC is at strcmp+0x18/0x154
 LR is at pinctrl_get_group_selector+0x6c/0xe8
 Process read_all (pid: 2493, stack limit =
 Call trace:
 Exception stack
  strcmp+0x18/0x154
  pin_config_group_get+0x64/0xd8
  pinconf_generic_dump_one+0xd8/0x1c0
  pinconf_generic_dump_pins+0x94/0xc8
  pinconf_groups_show+0xb4/0x104
  seq_read+0x178/0x464
  full_proxy_read+0x6c/0xac
  __vfs_read+0x58/0x178
  vfs_read+0x94/0x164
  SyS_read+0x60/0xc0
  __sys_trace_return+0x0/0x4
 --[ end trace]--
 Kernel panic - not syncing: Fatal exception

Signed-off-by: Yanjiang Jin <yanjiang.jin@hxt-semitech.com>
---
 drivers/pinctrl/core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c
index a3dd777..c6ff4d5 100644
--- a/drivers/pinctrl/core.c
+++ b/drivers/pinctrl/core.c
@@ -627,7 +627,7 @@ static int pinctrl_generic_group_name_to_selector(struct pinctrl_dev *pctldev,
        while (selector < ngroups) {
                const char *gname = ops->get_group_name(pctldev, selector);

-               if (!strcmp(function, gname))
+               if (gname && !strcmp(function, gname))
                        return selector;

                selector++;
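Review bot: The `gname &&` test added in the while loop of pinctrl_generic_group_name_to_selector() is not mentioned in the commit message, which describes and traces only the pinctrl_get_group_selector() path. The changelog should state that this second lookup gets the same guard because it iterates over the same get_group_name() results. A one-line comment above the check, saying that a driver may leave the name of an invalid group NULL, would also keep the test from looking redundant to a later reader.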
@@ -743,7 +743,7 @@ int pinctrl_get_group_selector(struct pinctrl_dev *pctldev,
        while (group_selector < ngroups) {
                const char *gname = pctlops->get_group_name(pctldev,
                                                            group_selector);
-               if (!strcmp(gname, pin_group)) {
+               if (gname && !strcmp(gname, pin_group)) {
                        dev_dbg(pctldev->dev,
                                "found group selector %u for %s\n",
                                group_selector,
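Review bot: The NULL test on gname in pinctrl_get_group_selector() fixes the crash at this call site only, while the commit message places the cause in drivers that leave groups[gpio].name unset for selectors below ngroups. Either document in the get_group_name() contract that NULL is a valid return for such selectors, or have the driver supply a placeholder name, so that other code consuming the returned name does not need its own check. The loop also skips unnamed groups silently: the only dev_dbg visible here fires on a match, so a failed lookup gives no hint that entries were passed over.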
--
1.8.3.1








* Re: [PATCH] pinctrl: core: make sure strcmp() doesn't get a null parameter
  2018-09-29  9:06 ` [PATCH] pinctrl: core: make sure strcmp() doesn't get a null parameter Yanjiang Jin
@ 2018-10-01 11:46   ` Linus Walleij
  0 siblings, 0 replies; 3+ messages in thread
From: Linus Walleij @ 2018-10-01 11:46 UTC (permalink / raw)
  To: yanjiang.jin
  Cc: jinyanjiang, yu.zheng, open list:GPIO SUBSYSTEM, linux-kernel

On Sat, Sep 29, 2018 at 11:07 AM Yanjiang Jin
<yanjiang.jin@hxt-semitech.com> wrote:

> Some drivers, for example, QCOM's qdf2xxx, set groups[gpio].name only
> when gpio is valid, and leave invalid gpio names as null.
> If we want to access the sys node "pinconf-groups",
> pinctrl_get_group_selector() -> get_group_name() may return a null
> pointer if group_selector is invalid, then the below Kernel panic
> would happen since strcmp() uses this null pointer to do comparison.
>
>  Unable to handle kernel NULL pointer dereference at ss 00000000
> el:Internal error: Oops: 9600000[ 143.080279]
> SMP
>  CPU: 19 PID: 2493 Comm: read_all Tainted: G O
> .aarch64 #1
>  Hardware name: HXT Semiconductor HXT REP-2 System
>  PC is at strcmp+0x18/0x154
>  LR is at pinctrl_get_group_selector+0x6c/0xe8
>  Process read_all (pid: 2493, stack limit =
>  Call trace:
>  Exception stack
>   strcmp+0x18/0x154
>   pin_config_group_get+0x64/0xd8
>   pinconf_generic_dump_one+0xd8/0x1c0
>   pinconf_generic_dump_pins+0x94/0xc8
>   pinconf_groups_show+0xb4/0x104
>   seq_read+0x178/0x464
>   full_proxy_read+0x6c/0xac
>   __vfs_read+0x58/0x178
>   vfs_read+0x94/0x164
>   SyS_read+0x60/0xc0
>   __sys_trace_return+0x0/0x4
>  --[ end trace]--
>  Kernel panic - not syncing: Fatal exception
>
> Signed-off-by: Yanjiang Jin <yanjiang.jin@hxt-semitech.com>

Good catch!

Patch applied.

Yours,
Linus Walleij
