From 95ae9979bfe3174c2ee8d64409c44532f2881907 Mon Sep 17 00:00:00 2001 From: Kent Gibson Date: Tue, 6 Jun 2023 20:00:34 +0800 Subject: gpio: sim: fix memory corruption when adding named lines and unnamed hogs When constructing the sim, gpio-sim constructs an array of named lines, sized based on the largest offset of any named line, and then initializes that array with the names of all lines, including unnamed hogs with higher offsets. In doing so it writes NULLs beyond the extent of the array. Add a check that only named lines are used to initialize the array. Fixes: cb8c474e79be ("gpio: sim: new testing module") Signed-off-by: Kent Gibson Signed-off-by: Bartosz Golaszewski --- drivers/gpio/gpio-sim.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'drivers/gpio/gpio-sim.c') diff --git a/drivers/gpio/gpio-sim.c b/drivers/gpio/gpio-sim.c index a1c8702f362c..fab67a5785d7 100644 --- a/drivers/gpio/gpio-sim.c +++ b/drivers/gpio/gpio-sim.c @@ -721,8 +721,10 @@ static char **gpio_sim_make_line_names(struct gpio_sim_bank *bank, if (!line_names) return ERR_PTR(-ENOMEM); - list_for_each_entry(line, &bank->line_list, siblings) - line_names[line->offset] = line->name; + list_for_each_entry(line, &bank->line_list, siblings) { + if (line->name && (line->offset <= max_offset)) + line_names[line->offset] = line->name; + } return line_names; } -- cgit v1.2.3 From d7459efc9276a715fe9def401bc30045aeb9668a Mon Sep 17 00:00:00 2001 From: Kent Gibson Date: Wed, 7 Jun 2023 14:50:04 +0800 Subject: gpio: sim: quietly ignore configured lines outside the bank The user-space policy of the gpio-sim is that configuration for lines with offsets outside the bounds of the corresponding bank is ignored, but gpio-sim is still using that configuration when constructing the sim. In the case of named lines this results in temporarily allocating space for names that are not used, and for hogs results in errors being logged when the gpio-sim attempts to register the out of range hog with gpiolib: gpiochip_machine_hog: unable to get GPIO desc: -22 Add checks to filter out any line configuration outside the bounds of the bank when constructing the sim. Signed-off-by: Kent Gibson Signed-off-by: Bartosz Golaszewski --- drivers/gpio/gpio-sim.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'drivers/gpio/gpio-sim.c') diff --git a/drivers/gpio/gpio-sim.c b/drivers/gpio/gpio-sim.c index fab67a5785d7..8b49b0abacd5 100644 --- a/drivers/gpio/gpio-sim.c +++ b/drivers/gpio/gpio-sim.c @@ -696,6 +696,9 @@ static char **gpio_sim_make_line_names(struct gpio_sim_bank *bank, char **line_names; list_for_each_entry(line, &bank->line_list, siblings) { + if (line->offset >= bank->num_lines) + continue; + if (line->name) { if (line->offset > max_offset) max_offset = line->offset; @@ -722,6 +725,9 @@ static char **gpio_sim_make_line_names(struct gpio_sim_bank *bank, return ERR_PTR(-ENOMEM); list_for_each_entry(line, &bank->line_list, siblings) { + if (line->offset >= bank->num_lines) + continue; + if (line->name && (line->offset <= max_offset)) line_names[line->offset] = line->name; } @@ -756,6 +762,9 @@ static int gpio_sim_add_hogs(struct gpio_sim_device *dev) list_for_each_entry(bank, &dev->bank_list, siblings) { list_for_each_entry(line, &bank->line_list, siblings) { + if (line->offset >= bank->num_lines) + continue; + if (line->hog) num_hogs++; } @@ -771,6 +780,9 @@ static int gpio_sim_add_hogs(struct gpio_sim_device *dev) list_for_each_entry(bank, &dev->bank_list, siblings) { list_for_each_entry(line, &bank->line_list, siblings) { + if (line->offset >= bank->num_lines) + continue; + if (!line->hog) continue; -- cgit v1.2.3