[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: 02f6b0e1ec7e0e7d059dddc893645816552039da

WARNING: Author mismatch between patch and upstream commit:
Backport author: hsimeliere.opensource@xxxxxxxxxxx
Commit author: Zhongqiu Han<quic_zhonhan@xxxxxxxxxxx>

Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 95ca7c90eaf5)
6.1.y | Not found

Note: The patch differs from the upstream commit:
---
1: 02f6b0e1ec7e0 ! 1: 55e55db29a40e gpiolib: cdev: Fix use after free in lineinfo_changed_notify @@ Metadata ## Commit message ## gpiolib: cdev: Fix use after free in lineinfo_changed_notify + [ Upstream commit 02f6b0e1ec7e0e7d059dddc893645816552039da ] + The use-after-free issue occurs as follows: when the GPIO chip device file is being closed by invoking gpio_chrdev_release(), watched_lines is freed by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier @@ Commit message Signed-off-by: Zhongqiu Han <quic_zhonhan@xxxxxxxxxxx> Link: https://lore.kernel.org/r/20240505141156.2944912-1-quic_zhonhan@xxxxxxxxxxx Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@xxxxxxxxxx> + Signed-off-by: Bruno VERNAY <bruno.vernay@xxxxxx> + Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@xxxxxxxxxxx> ## drivers/gpio/gpiolib-cdev.c ## @@ drivers/gpio/gpiolib-cdev.c: static int gpio_chrdev_release(struct inode *inode, struct file *file) @@ drivers/gpio/gpiolib-cdev.c: static int gpio_chrdev_release(struct inode *inode, struct gpio_device *gdev = cdev->gdev; - bitmap_free(cdev->watched_lines); - blocking_notifier_chain_unregister(&gdev->device_notifier, - &cdev->device_unregistered_nb); - blocking_notifier_chain_unregister(&gdev->line_state_notifier, + blocking_notifier_chain_unregister(&gdev->notifier, &cdev->lineinfo_changed_nb); + bitmap_free(cdev->watched_lines); - gpio_device_put(gdev); + put_device(&gdev->dev); kfree(cdev);
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y        | Success     | Success    |
| stable/linux-5.10.y       | Success     | Success    |
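
Review bot: the commit message region of the range-diff gains only the "[ Upstream commit ... ]" line and two Signed-off-by trailers, with nothing recording that the code was adapted for the older tree. Add a bracketed backport note above the backporter's sign-off naming the differences the range-diff shows in drivers/gpio/gpiolib-cdev.c (&gdev->notifier in place of &gdev->line_state_notifier, put_device(&gdev->dev) in place of gpio_device_put(gdev), no device_unregistered_nb unregistration). Given the author-mismatch warning above, the mail body should also start with a From: line for Zhongqiu Han so the original authorship survives when the patch is applied.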
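
Review bot: in the gpio_chrdev_release() hunk the backport has no counterpart to the upstream unregistration of &cdev->device_unregistered_nb, so it is worth confirming that the target trees never register that notifier block for the cdev; if one were registered, kfree(cdev) would leave a chain entry pointing at freed memory, the same class of bug this patch fixes for watched_lines. The ordering itself matches the fix described in the commit message: blocking_notifier_chain_unregister() on lineinfo_changed_nb now runs before bitmap_free(cdev->watched_lines). Note also that the status list reports 6.1.y as "Not found" while the patch was tested against 5.10.y, so the 6.1.y backport should land first or together with this one to avoid a newer stable tree lacking a fix an older one carries.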