From patchwork Mon Oct 8 16:32:13 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Boyd X-Patchwork-Id: 980662 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=linux-gpio-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=chromium.org header.i=@chromium.org header.b="cxFsYV6x"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 42TQrW502Gz9s55 for ; Tue, 9 Oct 2018 03:32:43 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726715AbeJHXov (ORCPT ); Mon, 8 Oct 2018 19:44:51 -0400 Received: from mail-pf1-f194.google.com ([209.85.210.194]:45951 "EHLO mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726393AbeJHXov (ORCPT ); Mon, 8 Oct 2018 19:44:51 -0400 Received: by mail-pf1-f194.google.com with SMTP id u12-v6so5484263pfn.12 for ; Mon, 08 Oct 2018 09:32:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=GTz03gJ4IksrgBFA4JhWjw4cmCeDwayh/ZV0XygJyaU=; b=cxFsYV6xbuwE+ROejy34kzEr54TlDXRTGzSwG63rUIlEQkG1YYWX9hPWswrcl72rFu McokXcuI7EsCEzXDIWqywl6U75wDdyhaQ+ZU+hsvhP2FnHGbMzLdeeLvpWLPXS575bCd 04YliSHDwlTKFSHVhCph3tb0g/JgHtkj6MKEY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=GTz03gJ4IksrgBFA4JhWjw4cmCeDwayh/ZV0XygJyaU=; b=M0iNyaCx0QRjKAs3fmEBjvLpuCZyELLs/jyJgIxi3gVAdw2lzNVftxOkf8DJPYyoxB CjO6yvshn5pfo3+xMeRulnKta/lbIokzSKfT0Id49FO4d1xklhTeP8cFFwg3EHwRpPma 2j4WEvHzfousfLviQleU4D4y8Tj1TOjjLpxJyofJiFJZki4tXT/ne3LimQRYqixysz6j +Fk14R102douBzHWgVpaNAi02BS1jnuJvLgJbsNz4VqLE7Bqev8L8q0QJA2qIhyUOAfL wr1oeue1EZaf8LzaVPHSKWWyr3RHKnzF1DWtca2fZubVmfndRccyFp/Xng/vgLahnHaF N7tA== X-Gm-Message-State: ABuFfoh/4dCLqqztjmWhP6SFalpyiIgaMCSrHM4tnywZNeraYuKabIJO mNO1l6xX76xoq/U+VYhwStqKQQ== X-Google-Smtp-Source: ACcGV6161Px6A+JN/dYTorPm9bzokF8WzIU/bD5yk6c3xqHcNy4sI6yM+BJ2d04ecUwN+/Xuk6XNyw== X-Received: by 2002:a62:4b09:: with SMTP id y9-v6mr25861149pfa.93.1539016338755; Mon, 08 Oct 2018 09:32:18 -0700 (PDT) Received: from smtp.gmail.com ([2620:15c:202:1:fed3:9637:a13a:6c15]) by smtp.gmail.com with ESMTPSA id 3-v6sm29832077pga.12.2018.10.08.09.32.17 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 08 Oct 2018 09:32:17 -0700 (PDT) From: Stephen Boyd To: Linus Walleij Cc: linux-kernel@vger.kernel.org, linux-gpio@vger.kernel.org, Evan Green , Thierry Reding , Grygorii Strashko Subject: [PATCH 1/4] gpio: Assign gpio_irq_chip::parents to non-stack pointer Date: Mon, 8 Oct 2018 09:32:13 -0700 Message-Id: <20181008163216.97436-2-swboyd@chromium.org> X-Mailer: git-send-email 2.19.0.605.g01d371f741-goog In-Reply-To: <20181008163216.97436-1-swboyd@chromium.org> References: <20181008163216.97436-1-swboyd@chromium.org> MIME-Version: 1.0 Sender: linux-gpio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-gpio@vger.kernel.org gpiochip_set_cascaded_irqchip() is passed 'parent_irq' as an argument and then the address of that argument is assigned to the gpio chips gpio_irq_chip 'parents' pointer shortly thereafter. This can't ever work, because we've just assigned some stack address to a pointer that we plan to dereference later in gpiochip_irq_map(). I ran into this issue with the KASAN report below when gpiochip_irq_map() tried to setup the parent irq with a total junk pointer for the 'parents' array. BUG: KASAN: stack-out-of-bounds in gpiochip_irq_map+0x228/0x248 Read of size 4 at addr ffffffc0dde472e0 by task swapper/0/1 CPU: 7 PID: 1 Comm: swapper/0 Not tainted 4.14.72 #34 Call trace: [] dump_backtrace+0x0/0x718 [] show_stack+0x20/0x2c [] __dump_stack+0x20/0x28 [] dump_stack+0x80/0xbc [] print_address_description+0x70/0x238 [] kasan_report+0x1cc/0x260 [] __asan_report_load4_noabort+0x2c/0x38 [] gpiochip_irq_map+0x228/0x248 [] irq_domain_associate+0x114/0x2ec [] irq_create_mapping+0x120/0x234 [] irq_create_fwspec_mapping+0x4c8/0x88c [] irq_create_of_mapping+0x180/0x210 [] of_irq_get+0x138/0x198 [] spi_drv_probe+0x94/0x178 [] driver_probe_device+0x51c/0x824 [] __device_attach_driver+0x148/0x20c [] bus_for_each_drv+0x120/0x188 [] __device_attach+0x19c/0x2dc [] device_initial_probe+0x20/0x2c [] bus_probe_device+0x80/0x154 [] device_add+0x9b8/0xbdc [] spi_add_device+0x1b8/0x380 [] spi_register_controller+0x111c/0x1378 [] spi_geni_probe+0x4dc/0x6f8 [] platform_drv_probe+0xdc/0x130 [] driver_probe_device+0x51c/0x824 [] __driver_attach+0x100/0x194 [] bus_for_each_dev+0x104/0x16c [] driver_attach+0x48/0x54 [] bus_add_driver+0x274/0x498 [] driver_register+0x1ac/0x230 [] __platform_driver_register+0xcc/0xdc [] spi_geni_driver_init+0x1c/0x24 [] do_one_initcall+0x240/0x3dc [] kernel_init_freeable+0x378/0x468 [] kernel_init+0x14/0x110 [] ret_from_fork+0x10/0x18 The buggy address belongs to the page: page:ffffffbf037791c0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x4000000000000000() raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff raw: ffffffbf037791e0 ffffffbf037791e0 0000000000000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffc0dde47180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffc0dde47200: f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 >ffffffc0dde47280: f2 f2 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 ^ ffffffc0dde47300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffc0dde47380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Let's leave around one unsigned int in the gpio_irq_chip struct for the single parent irq case and repoint the 'parents' array at it. This way code is left mostly intact to setup parents and we waste an extra few bytes per structure of which there should be only a handful in a system. Cc: Evan Green Cc: Thierry Reding Cc: Grygorii Strashko Fixes: e0d897289813 ("gpio: Implement tighter IRQ chip integration") Signed-off-by: Stephen Boyd --- drivers/gpio/gpiolib.c | 3 ++- include/linux/gpio/driver.h | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 86c147b3f4af..d9d823e3761b 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -1684,7 +1684,8 @@ static void gpiochip_set_cascaded_irqchip(struct gpio_chip *gpiochip, irq_set_chained_handler_and_data(parent_irq, parent_handler, gpiochip); - gpiochip->irq.parents = &parent_irq; + gpiochip->irq.parent_irq = parent_irq; + gpiochip->irq.parents = &gpiochip->irq.parent_irq; gpiochip->irq.num_parents = 1; } diff --git a/include/linux/gpio/driver.h b/include/linux/gpio/driver.h index f6b95734073f..31e47b1d264e 100644 --- a/include/linux/gpio/driver.h +++ b/include/linux/gpio/driver.h @@ -100,6 +100,11 @@ struct gpio_irq_chip { */ unsigned int num_parents; + /** + * private: For use by gpiochip_set_cascaded_irqchip() + */ + unsigned int parent_irq; + /** * @parents: *