linux/drivers/gpio
Stephen Boyd 3e779a2e7f gpio: Assign gpio_irq_chip::parents to non-stack pointer
gpiochip_set_cascaded_irqchip() is passed 'parent_irq' as an argument
and then the address of that argument is assigned to the gpio chips
gpio_irq_chip 'parents' pointer shortly thereafter. This can't ever
work, because we've just assigned some stack address to a pointer that
we plan to dereference later in gpiochip_irq_map(). I ran into this
issue with the KASAN report below when gpiochip_irq_map() tried to setup
the parent irq with a total junk pointer for the 'parents' array.

BUG: KASAN: stack-out-of-bounds in gpiochip_irq_map+0x228/0x248
Read of size 4 at addr ffffffc0dde472e0 by task swapper/0/1

CPU: 7 PID: 1 Comm: swapper/0 Not tainted 4.14.72 #34
Call trace:
[<ffffff9008093638>] dump_backtrace+0x0/0x718
[<ffffff9008093da4>] show_stack+0x20/0x2c
[<ffffff90096b9224>] __dump_stack+0x20/0x28
[<ffffff90096b91c8>] dump_stack+0x80/0xbc
[<ffffff900845a350>] print_address_description+0x70/0x238
[<ffffff900845a8e4>] kasan_report+0x1cc/0x260
[<ffffff900845aa14>] __asan_report_load4_noabort+0x2c/0x38
[<ffffff900897e098>] gpiochip_irq_map+0x228/0x248
[<ffffff900820cc08>] irq_domain_associate+0x114/0x2ec
[<ffffff900820d13c>] irq_create_mapping+0x120/0x234
[<ffffff900820da78>] irq_create_fwspec_mapping+0x4c8/0x88c
[<ffffff900820e2d8>] irq_create_of_mapping+0x180/0x210
[<ffffff900917114c>] of_irq_get+0x138/0x198
[<ffffff9008dc70ac>] spi_drv_probe+0x94/0x178
[<ffffff9008ca5168>] driver_probe_device+0x51c/0x824
[<ffffff9008ca6538>] __device_attach_driver+0x148/0x20c
[<ffffff9008ca14cc>] bus_for_each_drv+0x120/0x188
[<ffffff9008ca570c>] __device_attach+0x19c/0x2dc
[<ffffff9008ca586c>] device_initial_probe+0x20/0x2c
[<ffffff9008ca18bc>] bus_probe_device+0x80/0x154
[<ffffff9008c9b9b4>] device_add+0x9b8/0xbdc
[<ffffff9008dc7640>] spi_add_device+0x1b8/0x380
[<ffffff9008dcbaf0>] spi_register_controller+0x111c/0x1378
[<ffffff9008dd6b10>] spi_geni_probe+0x4dc/0x6f8
[<ffffff9008cab058>] platform_drv_probe+0xdc/0x130
[<ffffff9008ca5168>] driver_probe_device+0x51c/0x824
[<ffffff9008ca59cc>] __driver_attach+0x100/0x194
[<ffffff9008ca0ea8>] bus_for_each_dev+0x104/0x16c
[<ffffff9008ca58c0>] driver_attach+0x48/0x54
[<ffffff9008ca1edc>] bus_add_driver+0x274/0x498
[<ffffff9008ca8448>] driver_register+0x1ac/0x230
[<ffffff9008caaf6c>] __platform_driver_register+0xcc/0xdc
[<ffffff9009c4b33c>] spi_geni_driver_init+0x1c/0x24
[<ffffff9008084cb8>] do_one_initcall+0x240/0x3dc
[<ffffff9009c017d0>] kernel_init_freeable+0x378/0x468
[<ffffff90096e8240>] kernel_init+0x14/0x110
[<ffffff9008086fcc>] ret_from_fork+0x10/0x18

The buggy address belongs to the page:
page:ffffffbf037791c0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffffbf037791e0 ffffffbf037791e0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffffffc0dde47180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0dde47200: f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2
>ffffffc0dde47280: f2 f2 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3
                                                       ^
 ffffffc0dde47300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc0dde47380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Let's leave around one unsigned int in the gpio_irq_chip struct for the
single parent irq case and repoint the 'parents' array at it. This way
code is left mostly intact to setup parents and we waste an extra few
bytes per structure of which there should be only a handful in a system.

Cc: Evan Green <evgreen@chromium.org>
Cc: Thierry Reding <treding@nvidia.com>
Cc: Grygorii Strashko <grygorii.strashko@ti.com>
Fixes: e0d8972898 ("gpio: Implement tighter IRQ chip integration")
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2018-10-10 14:03:27 +02:00
..
Kconfig - New Drivers 2018-08-20 15:38:44 -07:00
Makefile - New Drivers 2018-08-20 15:38:44 -07:00
devres.c gpio: Export devm_gpiod_get_from_of_node() for consumers 2018-01-12 11:05:24 +01:00
gpio-74x164.c The is the bulk of GPIO changes for the v4.16 kernel cycle. 2018-01-31 12:25:27 -08:00
gpio-74xx-mmio.c gpio: 74xx-mmio: Use of_device_get_match_data() 2018-05-16 14:35:24 +02:00
gpio-104-dio-48e.c gpio: 104-dio-48e: make array 'ports' static, shrinks object size 2018-05-16 14:35:24 +02:00
gpio-104-idi-48.c gpio: make several const arrays static, shrinks object size 2018-05-16 14:35:24 +02:00
gpio-104-idio-16.c gpio: 104-idio-16: Implement get_multiple callback 2018-03-26 10:10:18 +02:00
gpio-adnp.c treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
gpio-adp5520.c gpio: adp5520: Include proper header 2018-01-13 22:12:07 +01:00
gpio-adp5588.c gpio: adp5588: Fix sleep-in-atomic-context bug 2018-08-29 10:54:38 +02:00
gpio-altera-a10sr.c gpio: altera-a10sr: constify gpio_chip structure 2017-08-14 15:01:12 +02:00
gpio-altera.c gpio: altera: Include GPIO driver header 2018-01-13 22:18:34 +01:00
gpio-amd8111.c gpio: amd8111: Include proper header 2018-01-13 22:22:49 +01:00
gpio-amdpt.c
gpio-arizona.c gpio: arizona: Include proper header 2018-01-13 22:47:48 +01:00
gpio-aspeed.c gpio: aspeed: fix compile testing warning 2018-07-13 09:05:06 +02:00
gpio-ath79.c gpio: fix meaningless return expression 2018-07-29 23:34:54 +02:00
gpio-bcm-kona.c gpio: bcm-kona: Don't shadow error code of gpiochip_lock_as_irq() 2018-08-06 23:46:55 +02:00
gpio-bd9571mwv.c gpio: Add ROHM BD9571MWV-M PMIC GPIO driver 2017-04-28 09:47:46 +02:00
gpio-brcmstb.c The is the bulk of GPIO changes for the v4.16 kernel cycle. 2018-01-31 12:25:27 -08:00
gpio-bt8xx.c gpio: bt8xx: Include proper header 2018-01-13 22:56:52 +01:00
gpio-clps711x.c gpio: clps711x: Remove board support 2016-06-08 10:49:58 +02:00
gpio-crystalcove.c gpio: crystalcove: Include proper header 2018-01-14 01:48:48 +01:00
gpio-cs5535.c gpio: cs5535: Include proper header 2018-01-14 01:56:24 +01:00
gpio-da9052.c gpio: da905x: Include proper header 2018-01-14 02:00:10 +01:00
gpio-da9055.c gpio: da905x: Include proper header 2018-01-14 02:00:10 +01:00
gpio-davinci.c gpio: davinci: Do not assume continuous IRQ numbering 2018-06-18 07:55:30 +02:00
gpio-dln2.c gpio: dln2: Include proper header 2018-03-19 01:50:07 +01:00
gpio-dwapb.c gpio: dwapb: Fix error handling in dwapb_gpio_probe() 2018-08-29 14:04:04 +02:00
gpio-eic-sprd.c gpio: eic: Add edge trigger emulation for EIC 2018-05-16 14:35:24 +02:00
gpio-em.c gpio: em: Don't shadow error code of gpiochip_lock_as_irq() 2018-08-06 23:46:55 +02:00
gpio-ep93xx.c pinctrl / gpio: Introduce .set_config() callback for GPIO chips 2017-01-26 15:27:37 +01:00
gpio-exar.c gpio: exar: Use correct property prefix and document bindings 2017-08-01 13:43:55 +02:00
gpio-f7188x.c gpio: f7188x: Add a missing break 2017-04-28 10:09:16 +02:00
gpio-ftgpio010.c gpio: ftgpio010: Drop of_gpio.h include 2018-03-19 01:50:24 +01:00
gpio-ge.c gpio: ge: Fix build warning 2018-05-16 14:35:24 +02:00
gpio-gpio-mm.c gpio: make several const arrays static, shrinks object size 2018-05-16 14:35:24 +02:00
gpio-grgpio.c gpio: grgpio: Include the right header 2018-03-19 01:50:28 +01:00
gpio-hlwd.c gpio: Add GPIO driver for Nintendo Wii 2018-02-22 13:54:35 +01:00
gpio-htc-egpio.c treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
gpio-ich.c gpio: ich: Use BIT() macro 2018-03-19 01:50:29 +01:00
gpio-ingenic.c gpio: ingenic: Use of_device_get_match_data() 2018-05-16 14:35:24 +02:00
gpio-intel-mid.c gpio-intel-mid: Delete an error message 2018-02-22 15:29:05 +01:00
gpio-iop.c gpio: iop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE 2017-12-02 22:42:21 +01:00
gpio-it87.c gpio: it87: Add support for IT8613 2018-08-10 23:19:17 +02:00
gpio-janz-ttl.c gpio: janz-ttl: Use BIT() macro 2018-03-19 01:50:30 +01:00
gpio-kempld.c gpio: kempld: Include the right header 2018-03-19 01:50:31 +01:00
gpio-ks8695.c gpio: ks8695: Include the right header 2018-03-19 01:50:31 +01:00
gpio-loongson.c gpio: loongson: Use BIT() macros 2018-05-16 14:35:24 +02:00
gpio-loongson1.c gpio: loongson1: fix bgpio usage 2017-10-25 11:25:38 +02:00
gpio-lp873x.c gpio: lp873x: Include the right header 2018-05-16 14:35:24 +02:00
gpio-lp3943.c gpio: lp3943: Include the right header 2018-05-16 14:35:24 +02:00
gpio-lp87565.c gpio: lp87565: Set proper output level and direction for direction_output 2017-07-31 15:26:57 +02:00
gpio-lpc18xx.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-lpc32xx.c gpio: lpc32xx: Include the right header 2018-05-16 14:35:24 +02:00
gpio-lynxpoint.c gpio: lynxpoint: Include the right header 2018-05-16 14:35:24 +02:00
gpio-madera.c gpio: madera: Support Cirrus Logic Madera class codecs 2018-06-05 11:15:30 +01:00
gpio-max730x.c gpio: max730x: Include the right header 2018-05-16 14:35:24 +02:00
gpio-max732x.c gpio: max732x: add error handling for i2c_new_dummy 2018-06-18 07:55:30 +02:00
gpio-max3191x.c gpio: Remove VLA from MAX3191X driver 2018-03-27 15:18:06 +02:00
gpio-max7300.c
gpio-max7301.c
gpio-max77620.c gpio: max77620: Make regmap_irq_chip const 2017-08-14 16:06:24 +02:00
gpio-mb86s7x.c gpio: mb86s70: Revert "Return error if requesting an already assigned gpio" 2017-10-31 13:13:34 +01:00
gpio-mc9s08dz60.c gpio: mc9s08dz60: Include the right header 2018-05-16 14:35:24 +02:00
gpio-mc33880.c gpio: mc33880: Include the right header 2018-05-16 14:35:24 +02:00
gpio-menz127.c gpio: Fix wrong rounding in gpio-menz127 2018-06-18 07:55:30 +02:00
gpio-merrifield.c gpio: merrifield: Delete an error message 2018-02-22 15:25:40 +01:00
gpio-ml-ioh.c gpio: ml-ioh: Fix buffer underwrite on probe error path 2018-07-29 23:13:09 +02:00
gpio-mm-lantiq.c gpio: mm-lantiq: Include the right header 2018-05-16 14:35:24 +02:00
gpio-mmio.c gpio: mmio: Fix up inverted direction registers 2018-08-10 23:19:17 +02:00
gpio-mockup.c gpio: mockup: use the SPDX identifier and remove license boilerplate 2018-05-16 14:35:24 +02:00
gpio-mpc8xxx.c gpio: mpc8xxx: Do not reverse bits using bgpio 2017-10-25 11:25:40 +02:00
gpio-mpc5200.c
gpio-msic.c gpio: msic: Include the right header 2018-05-16 14:35:24 +02:00
gpio-mt7621.c gpio: mt7621: Edit to preferred syntax 2018-07-09 13:51:57 +02:00
gpio-mvebu.c gpio: mvebu: Use the proper APIs 2018-05-16 14:35:24 +02:00
gpio-mxc.c gpio: mxc: add power management support 2018-07-29 22:23:17 +02:00
gpio-mxs.c gpio: mxs: Fit writel() into a single line 2018-07-29 23:21:07 +02:00
gpio-octeon.c gpio: octeon: Include the right header 2018-05-24 14:22:04 +02:00
gpio-omap.c gpio: omap: Add get/set_multiple() callbacks 2018-08-06 23:46:55 +02:00
gpio-palmas.c gpio: palmas: Include the right header 2018-05-24 14:25:13 +02:00
gpio-pca953x.c gpio: pca953x: suppress interrupts warning when not applicable 2018-07-02 16:00:49 +02:00
gpio-pcf857x.c gpio: pcf857x: Include the right header 2018-05-24 17:09:41 +02:00
gpio-pch.c gpio: pch: Include the right header 2018-05-24 17:09:41 +02:00
gpio-pci-idio-16.c gpio: pci-idio-16: Fix port memory offset for get_multiple callback 2018-04-27 00:55:16 +02:00
gpio-pcie-idio-24.c gpio: pcie-idio-24: Fix off-by-one error in get_multiple loop 2018-04-30 10:48:08 +02:00
gpio-pisosr.c gpio-pisosr: add support for get_multiple 2018-07-29 21:55:33 +02:00
gpio-pl061.c gpio: pl061: Include the right header 2018-05-24 17:09:41 +02:00
gpio-pmic-eic-sprd.c gpio: pmic_eic: Add edge trigger emulation for PMIC EIC 2018-05-16 14:35:24 +02:00
gpio-pxa.c gpio: pxa: remove set but not used variable 'gpio_offset' 2018-08-02 23:32:29 +02:00
gpio-raspberrypi-exp.c gpio: raspberrypi-exp: Driver for RPi3 GPIO expander via mailbox service 2018-02-22 13:49:59 +01:00
gpio-rc5t583.c gpio: rc5t583: Include the right header 2018-07-02 16:00:49 +02:00
gpio-rcar.c gpio: rcar: Implement .get_direction() callback 2018-07-13 10:55:26 +02:00
gpio-rdc321x.c gpio: rdc321x: Include the right header 2018-07-02 16:00:49 +02:00
gpio-reg.c gpio: gpio-reg: fix build 2017-12-22 15:24:31 +01:00
gpio-sa1100.c gpio: sa1100: Include the right header 2018-07-02 16:00:49 +02:00
gpio-sch.c gpio: sch: Implement .get_direction() 2018-07-02 16:00:49 +02:00
gpio-sch311x.c gpio: sch311x: Replace unsigned char with u8 2018-07-02 16:00:49 +02:00
gpio-sodaville.c gpio: sodaville: use resource management for irqs 2017-03-15 11:16:36 +01:00
gpio-spear-spics.c gpio: spear-spics: Include the right header 2018-07-02 16:00:49 +02:00
gpio-sprd.c gpio: Add GPIO driver for Spreadtrum SC9860 platform 2018-03-02 11:00:43 +01:00
gpio-sta2x11.c gpio: sta2x11: Inline regs macro 2018-07-02 16:00:49 +02:00
gpio-stmpe.c gpio: stmpe: Include the right header 2018-07-02 16:00:49 +02:00
gpio-stp-xway.c gpio: stp-xway: Include the right header 2018-07-02 16:00:49 +02:00
gpio-syscon.c gpio: syscon: rockchip: add GRF GPIO support for rk3328 2018-08-06 23:46:55 +02:00
gpio-tb10x.c gpio: tb10x: Use the right include 2018-08-10 23:04:27 +02:00
gpio-tc3589x.c gpio: Move irqdomain into struct gpio_irq_chip 2017-11-08 14:06:21 +01:00
gpio-tegra.c This is the bulk of GPIO changes for the v4.19 kernel cycle: 2018-08-15 21:35:38 -07:00
gpio-tegra186.c gpio: tegra186: Add support for Tegra194 2018-07-02 16:01:02 +02:00
gpio-thunderx.c treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
gpio-timberdale.c gpio: timberdale: Include the right header 2018-08-10 23:04:27 +02:00
gpio-tpic2810.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-tps6586x.c gpio: remove redundant owner assignments of drivers 2016-06-07 09:35:16 +02:00
gpio-tps65086.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-tps65218.c pinctrl / gpio: Introduce .set_config() callback for GPIO chips 2017-01-26 15:27:37 +01:00
gpio-tps65910.c gpio: remove redundant owner assignments of drivers 2016-06-07 09:35:16 +02:00
gpio-tps65912.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-tps68470.c gpio: tps68470: Update to SPDX license identifier 2018-02-23 15:26:42 +01:00
gpio-ts4800.c gpio: ts4800: Fix module autoload 2016-10-21 14:55:07 +02:00
gpio-ts4900.c gpio: ts4900: Use of_device_get_match_data() 2018-05-16 14:35:24 +02:00
gpio-ts5500.c
gpio-twl4030.c mfd: twl: Move header file out of I2C realm 2017-09-04 14:41:02 +01:00
gpio-twl6040.c gpio: twl6040: remove unneeded forward declaration 2017-08-23 10:20:16 +02:00
gpio-ucb1400.c
gpio-uniphier.c This is the bulk of GPIO changes for the v4.19 kernel cycle: 2018-08-15 21:35:38 -07:00
gpio-vf610.c gpio: vf610: Use of_device_get_match_data() 2018-05-16 14:35:24 +02:00
gpio-viperboard.c gpio: remove redundant owner assignments of drivers 2016-06-07 09:35:16 +02:00
gpio-vr41xx.c gpio: vr41xx: Bail out on gpiochip_lock_as_irq() error 2018-08-06 23:46:55 +02:00
gpio-vx855.c pinctrl / gpio: Introduce .set_config() callback for GPIO chips 2017-01-26 15:27:37 +01:00
gpio-wcove.c gpio: Move irqdomain into struct gpio_irq_chip 2017-11-08 14:06:21 +01:00
gpio-winbond.c gpio: winbond: Add driver 2018-01-09 14:51:00 +01:00
gpio-wm831x.c gpio-wm831x: Use seq_putc() in wm831x_gpio_dbg_show() 2018-02-12 09:36:06 +01:00
gpio-wm8350.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-wm8994.c pinctrl / gpio: Introduce .set_config() callback for GPIO chips 2017-01-26 15:27:37 +01:00
gpio-ws16c48.c gpio: ws16c48: Implement get_multiple callback 2018-03-26 10:28:19 +02:00
gpio-xgene-sb.c gpio: xgene-sb: Don't shadow error code of gpiochip_lock_as_irq() 2018-08-06 23:46:55 +02:00
gpio-xgene.c gpio: xgene: mark PM functions as __maybe_unused 2017-03-06 14:35:22 +01:00
gpio-xilinx.c gpio: xilinx: Use the right include 2018-08-10 23:19:17 +02:00
gpio-xlp.c gpio: xlp: Use of_device_get_match_data() 2018-05-16 14:35:24 +02:00
gpio-xra1403.c gpio: xra1403: Switch to a fixed upper bound for registers 2018-04-27 01:06:21 +02:00
gpio-xtensa.c
gpio-zevio.c gpio: zevio: make gpio_chip const 2017-08-23 09:21:54 +02:00
gpio-zx.c gpio: Move irqdomain into struct gpio_irq_chip 2017-11-08 14:06:21 +01:00
gpio-zynq.c gpio: zynq: Setup chip->base based on alias ID 2018-05-23 11:43:03 +02:00
gpiolib-acpi.c gpiolib-acpi: Register GpioInt ACPI event handlers from a late_initcall 2018-08-29 13:32:00 +02:00
gpiolib-devprop.c gpio: fix "gpio-line-names" property retrieval 2017-12-22 15:24:31 +01:00
gpiolib-legacy.c Revert "gpiolib: Split GPIO flags parsing and GPIO configuration" 2016-07-04 16:51:29 +02:00
gpiolib-of.c gpio: Fix crash due to registration race 2018-08-31 11:30:45 +02:00
gpiolib-sysfs.c gpio: sysfs: avoid using kstrtol() in 'value' attribute write 2017-12-20 10:34:58 +01:00
gpiolib.c gpio: Assign gpio_irq_chip::parents to non-stack pointer 2018-10-10 14:03:27 +02:00
gpiolib.h gpiolib: Mark gpio_suffixes array with __maybe_unused 2018-07-13 09:00:08 +02:00