Commit c7ab6654 authored by Julien Stephan's avatar Julien Stephan Committed by Cui GaoSheng
Browse files

driver: iio: add missing checks on iio_info's callback access 

stable inclusion
from stable-v6.6.50
commit 72f022ebb9deac28663fa4c04ba315ed5d6654d1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARV1X
CVE: CVE-2024-46715

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=72f022ebb9deac28663fa4c04ba315ed5d6654d1



--------------------------------

[ Upstream commit c4ec8dedca961db056ec85cb7ca8c9f7e2e92252 ]

Some callbacks from iio_info structure are accessed without any check, so
if a driver doesn't implement them trying to access the corresponding
sysfs entries produce a kernel oops such as:

[ 2203.527791] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute
[...]
[ 2203.783416] Call trace:
[ 2203.783429]  iio_read_channel_info_avail from dev_attr_show+0x18/0x48
[ 2203.789807]  dev_attr_show from sysfs_kf_seq_show+0x90/0x120
[ 2203.794181]  sysfs_kf_seq_show from seq_read_iter+0xd0/0x4e4
[ 2203.798555]  seq_read_iter from vfs_read+0x238/0x2a0
[ 2203.802236]  vfs_read from ksys_read+0xa4/0xd4
[ 2203.805385]  ksys_read from ret_fast_syscall+0x0/0x54
[ 2203.809135] Exception stack(0xe0badfa8 to 0xe0badff0)
[ 2203.812880] dfa0:                   00000003 b6f10f80 00000003 b6eab000 00020000 00000000
[ 2203.819746] dfc0: 00000003 b6f10f80 7ff00000 00000003 00000003 00000000 00020000 00000000
[ 2203.826619] dfe0: b6e1bc88 bed80958 b6e1bc94 b6e1bcb0
[ 2203.830363] Code: bad PC value
[ 2203.832695] ---[ end trace 0000000000000000 ]---

Reviewed-by: default avatarNuno Sa <nuno.sa@analog.com>
Signed-off-by: default avatarJulien Stephan <jstephan@baylibre.com>
Link: https://lore.kernel.org/r/20240530-iio-core-fix-segfault-v3-1-8b7cd2a03773@baylibre.com


Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarCui GaoSheng <cuigaosheng1@huawei.com>
parent cc3dc797

drivers/iio/industrialio-core.c

+6 −1
Original line number Diff line number Diff line
@@ -752,9 +752,11 @@ static ssize_t iio_read_channel_info(struct device *dev, 
							INDIO_MAX_RAW_ELEMENTS,

							vals, &val_len,

							this_attr->address);

	else

	else if (indio_dev->info->read_raw)

		ret = indio_dev->info->read_raw(indio_dev, this_attr->c,

				    &vals[0], &vals[1], this_attr->address);

	else

		return -EINVAL;



	if (ret < 0)

		return ret;
@@ -836,6 +838,9 @@ static ssize_t iio_read_channel_info_avail(struct device *dev, 
	int length;

	int type;



	if (!indio_dev->info->read_avail)

		return -EINVAL;



	ret = indio_dev->info->read_avail(indio_dev, this_attr->c,

					  &vals, &type, &length,

					  this_attr->address);

drivers/iio/industrialio-event.c

+9 −0
Original line number Diff line number Diff line
@@ -285,6 +285,9 @@ static ssize_t iio_ev_state_store(struct device *dev, 
	if (ret < 0)

		return ret;



	if (!indio_dev->info->write_event_config)

		return -EINVAL;



	ret = indio_dev->info->write_event_config(indio_dev,

		this_attr->c, iio_ev_attr_type(this_attr),

		iio_ev_attr_dir(this_attr), val);
@@ -300,6 +303,9 @@ static ssize_t iio_ev_state_show(struct device *dev, 
	struct iio_dev_attr *this_attr = to_iio_dev_attr(attr);

	int val;



	if (!indio_dev->info->read_event_config)

		return -EINVAL;



	val = indio_dev->info->read_event_config(indio_dev,

		this_attr->c, iio_ev_attr_type(this_attr),

		iio_ev_attr_dir(this_attr));
@@ -318,6 +324,9 @@ static ssize_t iio_ev_value_show(struct device *dev, 
	int val, val2, val_arr[2];

	int ret;



	if (!indio_dev->info->read_event_value)

		return -EINVAL;



	ret = indio_dev->info->read_event_value(indio_dev,

		this_attr->c, iio_ev_attr_type(this_attr),

		iio_ev_attr_dir(this_attr), iio_ev_attr_info(this_attr),

drivers/iio/inkern.c

+22 −10
Original line number Diff line number Diff line
@@ -562,6 +562,7 @@ EXPORT_SYMBOL_GPL(devm_iio_channel_get_all); 
static int iio_channel_read(struct iio_channel *chan, int *val, int *val2,

			    enum iio_chan_info_enum info)

{

	const struct iio_info *iio_info = chan->indio_dev->info;

	int unused;

	int vals[INDIO_MAX_RAW_ELEMENTS];

	int ret;
@@ -573,15 +574,18 @@ static int iio_channel_read(struct iio_channel *chan, int *val, int *val2, 
	if (!iio_channel_has_info(chan->channel, info))

		return -EINVAL;



	if (chan->indio_dev->info->read_raw_multi) {

		ret = chan->indio_dev->info->read_raw_multi(chan->indio_dev,

					chan->channel, INDIO_MAX_RAW_ELEMENTS,

	if (iio_info->read_raw_multi) {

		ret = iio_info->read_raw_multi(chan->indio_dev,

					       chan->channel,

					       INDIO_MAX_RAW_ELEMENTS,

					       vals, &val_len, info);

		*val = vals[0];

		*val2 = vals[1];

	} else {

		ret = chan->indio_dev->info->read_raw(chan->indio_dev,

	} else if (iio_info->read_raw) {

		ret = iio_info->read_raw(chan->indio_dev,

					 chan->channel, val, val2, info);

	} else {

		return -EINVAL;

	}



	return ret;
@@ -801,11 +805,15 @@ static int iio_channel_read_avail(struct iio_channel *chan, 
				  const int **vals, int *type, int *length,

				  enum iio_chan_info_enum info)

{

	const struct iio_info *iio_info = chan->indio_dev->info;



	if (!iio_channel_has_available(chan->channel, info))

		return -EINVAL;



	return chan->indio_dev->info->read_avail(chan->indio_dev, chan->channel,

	if (iio_info->read_avail)

		return iio_info->read_avail(chan->indio_dev, chan->channel,

					    vals, type, length, info);

	return -EINVAL;

}



int iio_read_avail_channel_attribute(struct iio_channel *chan,
@@ -995,8 +1003,12 @@ EXPORT_SYMBOL_GPL(iio_get_channel_type); 
static int iio_channel_write(struct iio_channel *chan, int val, int val2,

			     enum iio_chan_info_enum info)

{

	return chan->indio_dev->info->write_raw(chan->indio_dev,

	const struct iio_info *iio_info = chan->indio_dev->info;



	if (iio_info->write_raw)

		return iio_info->write_raw(chan->indio_dev,

					   chan->channel, val, val2, info);

	return -EINVAL;

}



int iio_write_channel_attribute(struct iio_channel *chan, int val, int val2,