linux/drivers/gpio
Lars-Peter Clausen 953b956a2e gpio: GPIO_GET_LINE{HANDLE,EVENT}_IOCTL: Fix file descriptor leak
When allocating a new line handle or event a file is allocated that it is
associated to. The file is attached to a file descriptor of the current
process and the file descriptor is returned to userspace using
copy_to_user(). If this copy operation fails the line handle or event
allocation is aborted, all acquired resources are freed and an error is
returned.

But the file struct is not freed and left attached to the userspace
application and even though the file descriptor number was not copied it is
trivial to guess. If a userspace application performs a IOCTL on such a
left over file descriptor it will trigger a use-after-free and if the file
descriptor is closed (latest when the application exits) a double-free is
triggered.

anon_inode_getfd() performs 3 tasks, allocate a file struct, allocate a
file descriptor for the current process and install the file struct in the
file descriptor. As soon as the file struct is installed in the file
descriptor it is accessible by userspace (even if the IOCTL itself hasn't
completed yet), this means uninstalling the fd on the error path is not an
option, since userspace might already got a reference to the file.

Instead anon_inode_getfd() needs to be broken into its individual steps.
The allocation of the file struct and file descriptor is done first, then
the copy_to_user() is executed and only if it succeeds the file is
installed.

Since the file struct is reference counted it can not be just freed, but
its reference needs to be dropped, which will also call the release()
callback, which will free the state attached to the file. So in this case
the normal error cleanup path should not be taken.

Cc: stable@vger.kernel.org
Fixes: d932cd4918 ("gpio: free handles in fringe cases")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2016-10-31 21:23:44 +01:00
..
Kconfig gpio: mockup: add sysfs dependency 2016-10-20 14:14:11 +02:00
Makefile Merge branch 'ib-move-htc-egpio' into devel 2016-09-28 09:30:21 -07:00
devres.c gpio: Propagate all errors in devm_get_gpiod_from_child() 2016-02-25 10:04:25 +01:00
gpio-74x164.c gpio: 74x164: Use spi_write() helper instead of open coding 2016-06-23 11:07:12 +02:00
gpio-74xx-mmio.c gpio: 74xx-mmio: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:19:42 +05:30
gpio-104-dio-48e.c gpio: 104-dio-48e: Fix control port offset computation off-by-one error 2016-06-08 10:08:12 +02:00
gpio-104-idi-48.c gpio: 104-idi-48: Fix missing spin_lock_init for ack_lock 2016-06-13 14:48:10 +02:00
gpio-104-idio-16.c gpio: 104-idio-16: Utilize the ISA bus driver 2016-05-02 09:32:04 -07:00
gpio-adnp.c gpio: adnp: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:19:46 +05:30
gpio-adp5520.c gpio: adp5520: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:34:06 +05:30
gpio-adp5588.c gpio: adp5588: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:34:24 +05:30
gpio-altera.c gpio: altera: fix implicit assumption module.h is present 2016-09-15 14:00:47 +02:00
gpio-amd8111.c gpio: amd8111: Use devm_request_region 2016-02-16 00:19:52 +01:00
gpio-amdpt.c gpio: amdpt: Add a new ACPI HID 2016-03-30 10:38:51 +02:00
gpio-arizona.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-aspeed.c gpio: aspeed: remove redundant return value check 2016-09-23 15:11:09 +02:00
gpio-ath79.c gpio: ath79: Fix module autoload 2016-10-24 00:23:05 +02:00
gpio-axp209.c gpio: axp209: Implement get_direction 2016-09-23 15:13:04 +02:00
gpio-bcm-kona.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-brcmstb.c gpio: brcmstb: Return proper error if bank width is invalid 2016-04-15 10:09:48 +02:00
gpio-bt8xx.c gpio: bt8xx: use gpiochip data pointer 2016-01-05 11:21:03 +01:00
gpio-clps711x.c gpio: clps711x: Remove board support 2016-06-08 10:49:58 +02:00
gpio-crystalcove.c gpio: crystalcove: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:35:27 +05:30
gpio-cs5535.c gpio: cs5535: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:35:28 +05:30
gpio-da9052.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-da9055.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-davinci.c Merge branch 'devel' into for-next 2016-02-22 13:47:49 +01:00
gpio-dln2.c gpio: dln2: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:35:30 +05:30
gpio-dwapb.c gpio: dwapb: add missing fwnode_handle_put() in dwapb_gpio_get_pdata() 2016-07-22 15:30:42 +02:00
gpio-em.c gpio: em: use gpiochip data pointer 2016-01-05 11:21:05 +01:00
gpio-ep93xx.c gpio: ep93xx: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:35:30 +05:30
gpio-etraxfs.c gpio: generic: factor into gpio_chip struct 2016-01-05 11:21:00 +01:00
gpio-f7188x.c gpio: f7188x: use gpiochip_get_data instead of container_of 2016-09-18 13:35:06 +02:00
gpio-ge.c gpio: ge: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:35:31 +05:30
gpio-gpio-mm.c gpio: Add GPIO support for the Diamond Systems GPIO-MM 2016-08-11 13:37:25 +02:00
gpio-grgpio.c gpio: generic: factor into gpio_chip struct 2016-01-05 11:21:00 +01:00
gpio-htc-egpio.c mfd/gpio: Move HTC GPIO driver to GPIO subsystem 2016-09-28 09:28:34 -07:00
gpio-ich.c gpio: ich: Use devm_request_region 2016-02-16 00:19:53 +01:00
gpio-intel-mid.c gpio: intel-mid: Sort header block alphabetically 2016-07-22 15:30:40 +02:00
gpio-iop.c gpio: iop: Use generic GPIO MMIO functions for driver 2016-09-12 15:28:18 +02:00
gpio-it87.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-janz-ttl.c gpio: janz-ttl: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:35:33 +05:30
gpio-kempld.c gpio: kempld: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:35:34 +05:30
gpio-ks8695.c gpio: ks8695: remove irq_to_gpio function 2016-02-19 00:20:30 +01:00
gpio-loongson.c gpio: convert remaining users to gpiochip_add_data() 2016-01-05 11:21:20 +01:00
gpio-loongson1.c gpio: loongson1: remove redundant return value check 2016-09-23 15:10:00 +02:00
gpio-lp873x.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-lp3943.c Revert "gpio: lp3943: Drop pin_used and lp3943_gpio_request/lp3943_gpio_free" 2016-03-09 22:00:27 +07:00
gpio-lpc18xx.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-lpc32xx.c gpio: lpc32xx: remove unused platform data file 2016-09-12 14:23:37 +02:00
gpio-lynxpoint.c gpio: lynxpoint: avoid potential warning on error path 2016-06-23 11:07:14 +02:00
gpio-max730x.c gpio: max730x: set gpiochip data pointer before using it 2016-08-10 15:40:44 +02:00
gpio-max732x.c gpio: max732x: use gpiochip data pointer 2016-01-05 11:21:07 +01:00
gpio-max7300.c gpio: Drop owner assignment from i2c_driver 2015-11-30 09:31:00 +01:00
gpio-max7301.c spi: Drop owner assignment from spi_drivers 2015-10-28 10:30:17 +09:00
gpio-max77620.c gpio: max77620: get gpio value based on direction 2016-07-04 11:39:38 +02:00
gpio-mb86s7x.c gpio: mb86s7x: make explicitly non-modular 2016-03-31 15:00:28 +02:00
gpio-mc9s08dz60.c gpio: mc9s08dz60: make explicitly non-modular 2016-03-31 15:02:09 +02:00
gpio-mc33880.c gpio: mc33880: use gpiochip data pointer 2016-01-05 11:21:07 +01:00
gpio-mcp23s08.c gpio: mcp23s08: make driver depend on OF_GPIO 2016-09-08 00:42:57 +02:00
gpio-menz127.c gpio: remove redundant owner assignments of drivers 2016-06-07 09:35:16 +02:00
gpio-merrifield.c gpio: merrifield: Protect irq_ack() and gpio_set() by lock 2016-07-22 15:30:42 +02:00
gpio-ml-ioh.c gpio: ml-ioh: use gpiochip data pointer 2016-01-05 11:21:08 +01:00
gpio-mm-lantiq.c gpio: mm-lantiq: Do not use gpiochip_get_data() in ltq_mm_save_regs() 2016-01-13 10:21:06 +01:00
gpio-mmio.c gpio: mmio: add brcm,bcm6345 support 2016-08-11 16:17:05 +02:00
gpio-mockup.c gpio/mockup: add virtual gpio device 2016-09-26 11:47:14 -07:00
gpio-moxart.c gpio: moxart: make explicitly non-modular 2016-03-31 15:03:13 +02:00
gpio-mpc8xxx.c gpio: mpc8xxx: Correct irq handler function 2016-10-24 02:20:40 +02:00
gpio-mpc5200.c gpio: Include linux/gpio.h instead of asm/gpio.h 2016-02-16 00:20:03 +01:00
gpio-msic.c gpio: msic: drop unused MODULE_ tags from non-modular code 2016-08-23 11:22:09 +02:00
gpio-mvebu.c gpio: mvebu: make explicitly non-modular 2016-03-31 15:05:44 +02:00
gpio-mxc.c This is the bulk of GPIO changes for the v4.9 series: 2016-10-05 11:49:09 -07:00
gpio-mxs.c gpio: mxs: Unmap region obtained by of_iomap 2016-10-20 14:14:11 +02:00
gpio-octeon.c gpio: octeon: Constify octeon_gpio_match table 2016-03-30 10:38:51 +02:00
gpio-omap.c gpio: omap: fix irq triggering in smart-idle wakeup mode 2016-04-26 15:56:47 +02:00
gpio-palmas.c gpio: palmas: fix implicit assumption module.h is present 2016-09-15 13:57:43 +02:00
gpio-pca953x.c gpio: pca953x: add a comment explaining the need for a lockdep subclass 2016-10-11 23:17:08 +02:00
gpio-pcf857x.c gpio: pcf857x: restore the initial line state of all pcf lines 2016-06-07 09:35:16 +02:00
gpio-pch.c gpio: pch: Optimize pch_gpio_get() 2016-01-05 15:46:34 +01:00
gpio-pisosr.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-pl061.c gpio: pl061: implement .get_direction() 2016-04-28 14:36:37 +02:00
gpio-pxa.c gpio: pxa: fix legacy non pinctrl aware builds 2016-04-08 10:10:08 +02:00
gpio-rc5t583.c gpio: rc5t583: make explicitly non-modular 2016-04-05 17:02:35 +02:00
gpio-rcar.c gpio: rcar: Add r8a7796 (R-Car M3-W) support 2016-09-08 01:15:46 +02:00
gpio-rdc321x.c gpio: remove redundant owner assignments of drivers 2016-06-07 09:35:16 +02:00
gpio-sa1100.c gpio: sa1100: fix irq probing for ucb1x00 2016-09-08 00:42:57 +02:00
gpio-sch.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-sch311x.c gpio: remove redundant owner assignments of drivers 2016-06-07 09:35:16 +02:00
gpio-sodaville.c gpio: sodaville: make it explicitly non-modular 2016-05-11 13:46:49 +02:00
gpio-spear-spics.c gpio: spear-spics: drop unused MODULE_ tags from non-modular code 2016-08-23 11:23:41 +02:00
gpio-sta2x11.c gpio: sta2x11: make explicitly non-modular 2016-03-31 15:07:40 +02:00
gpio-stmpe.c gpio: stmpe: || vs && typo 2016-10-20 14:14:11 +02:00
gpio-stp-xway.c gpio: stp-xway: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:35:43 +05:30
gpio-sx150x.c gpio: sx150x: fix implicit assumption module.h is present 2016-09-15 13:59:02 +02:00
gpio-syscon.c gpio: syscon: Change the compatibility string 2016-06-08 10:48:17 +02:00
gpio-tb10x.c gpio: tb10x: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:35:44 +05:30
gpio-tc3589x.c gpio: tc3589x: fix up complaints on unsigned 2016-09-19 10:14:29 +02:00
gpio-tegra.c gpio: tegra: Make lockdep class file-scoped 2016-06-22 17:58:07 +02:00
gpio-timberdale.c gpio: timberdale: make it explicitly non-modular 2016-05-11 13:49:11 +02:00
gpio-tpic2810.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-tps6586x.c gpio: remove redundant owner assignments of drivers 2016-06-07 09:35:16 +02:00
gpio-tps65086.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-tps65218.c gpio: tps65218: use devm_gpiochip_add_data() for gpio registration 2016-09-18 13:18:13 +02:00
gpio-tps65910.c gpio: remove redundant owner assignments of drivers 2016-06-07 09:35:16 +02:00
gpio-tps65912.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-ts4800.c gpio: ts4800: Fix module autoload 2016-10-21 14:55:07 +02:00
gpio-ts4900.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-ts5500.c gpio: ts5500: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:35:49 +05:30
gpio-twl4030.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-twl6040.c gpio: twl6040: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:35:50 +05:30
gpio-tz1090-pdc.c gpio: tz1090-pdc: use gpiochip data pointer 2016-01-05 11:21:16 +01:00
gpio-tz1090.c gpio: tz1090: use gpiochip data pointer 2016-01-05 11:21:16 +01:00
gpio-ucb1400.c gpio: ucb1400: Use devm_gpiochip_add_data() for gpio registration 2016-02-23 20:35:50 +05:30
gpio-vf610.c gpio: vf610: drop unused MODULE_ tags from non-modular code 2016-08-23 11:24:40 +02:00
gpio-viperboard.c gpio: remove redundant owner assignments of drivers 2016-06-07 09:35:16 +02:00
gpio-vr41xx.c gpio: convert remaining users to gpiochip_add_data() 2016-01-05 11:21:20 +01:00
gpio-vx855.c gpio: vx855: use the new open drain callback 2016-04-14 14:03:28 +02:00
gpio-wcove.c gpio: wcove: fix implicit assumption module.h is present 2016-09-15 14:03:33 +02:00
gpio-wm831x.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-wm8350.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-wm8994.c gpio: constify gpio_chip structures 2016-09-13 10:35:56 +02:00
gpio-ws16c48.c gpio: ws16c48: Utilize the ISA bus driver 2016-05-02 09:32:04 -07:00
gpio-xgene-sb.c gpio: xgene-sb: Use irq_domain_free_irqs_common() 2016-03-31 10:22:53 +02:00
gpio-xgene.c This is the bulk of GPIO changes for kernel cycle v4.7: 2016-05-17 17:39:42 -07:00
gpio-xilinx.c gpio: xilinx: Add support to set multiple GPIO at once 2016-06-08 10:33:45 +02:00
gpio-xlp.c gpio: Add ACPI support for XLP GPIO controller 2016-06-08 10:54:13 +02:00
gpio-xtensa.c gpio: convert remaining users to gpiochip_add_data() 2016-01-05 11:21:20 +01:00
gpio-zevio.c gpio: zevio: make it explicitly non-modular 2016-05-11 13:50:01 +02:00
gpio-zx.c gpio: zx: make explicitly non-modular 2016-03-31 15:10:25 +02:00
gpio-zynq.c gpio: Added zynq specific check for special pins on bank zero 2016-09-23 15:26:20 +02:00
gpiolib-acpi.c gpio / ACPI: fix returned error from acpi_dev_gpio_irq_get() 2016-10-20 14:15:01 +02:00
gpiolib-legacy.c Revert "gpiolib: Split GPIO flags parsing and GPIO configuration" 2016-07-04 16:51:29 +02:00
gpiolib-of.c This is the bulk of GPIO changes for the v4.9 series: 2016-10-05 11:49:09 -07:00
gpiolib-sysfs.c gpio: fix documentation for gpiod_unexport 2016-09-12 14:53:33 +02:00
gpiolib.c gpio: GPIO_GET_LINE{HANDLE,EVENT}_IOCTL: Fix file descriptor leak 2016-10-31 21:23:44 +01:00
gpiolib.h gpio: add missing static inline 2016-10-03 23:38:11 +02:00