linux-kernel.vger.kernel.org archive mirror
* [PATCH] gpio: null pointer dereference in error handling in gpiolib.c
@ 2013-08-30  5:10 Frank Rowand
  2013-08-30  7:29 ` Linus Walleij
  0 siblings, 1 reply; 2+ messages in thread
From: Frank Rowand @ 2013-08-30  5:10 UTC
  To: linus.walleij; +Cc: grant.likely, linux-gpio, linux-kernel, tim.bird


Avoid calling desc_to_gpio() if desc->chip is NULL, as this will
cause a kernel panic.

In the code above the calls, there is a test for !chip, which
comes to the 'fail' label if true. In this case, the code
panics, since desc_to_gpio() uses desc->chip to look up the
gpio number.

An RFC patch that explained the cause of one example of panic when
desc->chip is NULL and fixed that example
(http://lkml.indiana.edu/hypermail/linux/kernel/1308.3/01473.html)
was accepted.  This patch fixes the remaining locations which have
the same problem.

Signed-off-by: Frank Rowand <frank.rowand@sonymobile.com>

---
  drivers/gpio/gpiolib.c |   33 	24 +	9 -	0 !
  1 file changed, 24 insertions(+), 9 deletions(-)

Index: b/drivers/gpio/gpiolib.c
===================================================================
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -1676,9 +1676,14 @@ lose:
  	return status;
  fail:
  	spin_unlock_irqrestore(&gpio_lock, flags);
-	if (status)
-		pr_debug("%s: gpio-%d status %d\n", __func__,
-			 desc_to_gpio(desc), status);
+	if (status) {
+		if (desc->chip) {
+			pr_debug("%s: gpio-%d status %d\n", __func__,
+				 desc_to_gpio(desc), status);
+		} else {
+			pr_debug("%s: gpio-?? status %d\n", __func__, status);
+		}
+	}
  	return status;
  }
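
Review bot: The new `if (desc->chip)` test at this `fail:` label runs after `spin_unlock_irqrestore(&gpio_lock, flags)`, so `desc->chip` is read without the lock, once in the test and again inside `desc_to_gpio(desc)`. If any other path can clear `chip` concurrently, the check does not protect the call. Consider making the decision while the lock is still held (for example, record the gpio number or a chip-is-NULL flag in a local before unlocking) and have `pr_debug()` use that local, or add a comment stating why the unlocked read is safe here.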

@@ -1745,9 +1750,14 @@ lose:
  	return status;
  fail:
  	spin_unlock_irqrestore(&gpio_lock, flags);
-	if (status)
-		pr_debug("%s: gpio-%d status %d\n", __func__,
-			 desc_to_gpio(desc), status);
+	if (status) {
+		if (desc->chip) {
+			pr_debug("%s: gpio-%d status %d\n", __func__,
+				 desc_to_gpio(desc), status);
+		} else {
+			pr_debug("%s: gpio-?? status %d\n", __func__, status);
+		}
+	}
  	return status;
  }
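
Review bot: The block under this `fail:` label duplicates, line for line, the one added at line 1676, and a third copy follows in `gpiod_set_debounce()`. With the NULL test open-coded at each site, any further caller that reaches `desc_to_gpio()` with a NULL `chip` is not covered. Suggest a small static helper that takes `__func__`, `desc` and `status` and performs the `desc->chip` test once, called from all three labels, or making the lookup itself tolerate a NULL `chip`.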

@@ -1795,9 +1805,14 @@ static int gpiod_set_debounce(struct gpi

  fail:
  	spin_unlock_irqrestore(&gpio_lock, flags);
-	if (status)
-		pr_debug("%s: gpio-%d status %d\n", __func__,
-			 desc_to_gpio(desc), status);
+	if (status) {
+		if (desc->chip) {
+			pr_debug("%s: gpio-%d status %d\n", __func__,
+				 desc_to_gpio(desc), status);
+		} else {
+			pr_debug("%s: gpio-?? status %d\n", __func__, status);
+		}
+	}

  	return status;
  }
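
Review bot: Nothing at the `fail:` label in `gpiod_set_debounce()` says why `desc->chip` can be NULL at this point, and the `gpio-??` fallback leaves the debug line with no way to tell which descriptor failed. Add a one-line comment noting that the `!chip` test earlier in the function jumps here, and consider printing something that identifies the descriptor in the else branch (for example the `desc` pointer with `%p`).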


* Re: [PATCH] gpio: null pointer dereference in error handling in gpiolib.c
  2013-08-30  5:10 [PATCH] gpio: null pointer dereference in error handling in gpiolib.c Frank Rowand
@ 2013-08-30  7:29 ` Linus Walleij
  0 siblings, 0 replies; 2+ messages in thread
From: Linus Walleij @ 2013-08-30  7:29 UTC
  To: frowand.list; +Cc: Grant Likely, linux-gpio, linux-kernel, Bird, Tim

On Fri, Aug 30, 2013 at 7:10 AM, Frank Rowand
<frank.rowand@sonymobile.com> wrote:

> Avoid calling desc_to_gpio() if desc->chip is NULL, as this will
> cause a kernel panic.
>
> In the code above the calls, there is a test for !chip, which
> comes to the 'fail' label if true. In this case, the code
> panics, since desc_to_gpio() uses desc->chip to look up the
> gpio number.
>
> An RFC patch that explained the cause of one example of panic when
> desc->chip is NULL and fixed that example
> (http://lkml.indiana.edu/hypermail/linux/kernel/1308.3/01473.html)
> was accepted.  This patch fixes the remaining locations which have
> the same problem.
>
> Signed-off-by: Frank Rowand <frank.rowand@sonymobile.com>

Hm it appears Alexandre has another idea on how it should be
fixed, but he was in a hurry and didn't provide a proper patch.

Let me cook something up so we can see if we can get
this right.

Yours,
Linus Walleij
