Opened 8 years ago

Last modified 4 years ago

#7000 new defect

Segmantation fault when gpioctl set or gpioctl get is used with an invalid gpio

Reported by: joel_jec@… Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: kernel Version: Trunk
Keywords: Cc:


root@OpenWrt:/# gpioctl set 42
CPU 0 Unable to handle kernel paging request at virtual address 00000020, epc == 801384f4, ra == 801384f0
Cpu 0
$ 0 : 00000000 10008400 00000023 00000001
$ 4 : 80240000 000023b8 00000001 000023b8
$ 8 : 6970200a 00000001 00000400 8029bc5c
$12 : 20626566 00000057 00000800 6f726520
$16 : 00000000 0000002a 00000001 0000002a
$20 : 2000420b 00400618 00400924 00490000
$24 : 00000000 801548ac
$28 : 81540000 81541e58 7fdc2454 801384f0
Hi : 00000000
Lo : 00000095
epc : 801384f4 0x801384f4

Not tainted

ra : 801384f0 0x801384f0
Status: 10008403 KERNEL EXL IE
Cause : 00800008
BadVA : 00000020
PrId : 0002a010 (Broadcom BCM6358)
Modules linked in: uvcvideo fuse v4l2_common videodev v4l1_compat usb_storage hostap uhci_hcd ohci_hcd nf_nat_tftp nf_conntracc
Process gpioctl (pid: 896, threadinfo=81540000, task=81c599d8, tls=00000000)
Stack : 00000002 00000000 00000001 00002395 00000000 0000002a 0000002a 80154a7c

81c2884c 0000002a 00000001 00002358 81838c34 81e8eec0 fffffff7 800a57c8
81c2884c 00000000 00000001 00000002 81834c54 81c2884c 7fffffff 00400618
00400924 00490000 7fdc2454 80097a84 81c286c4 00000000 00000020 81834bd4
00000000 00000000 00000020 81df2940 81e8eec0 fffffff7 00000003 0000002a

Call Trace:[<80154a7c>] 0x80154a7c
[<800a57c8>] 0x800a57c8
[<80097a84>] 0x80097a84
[<800a586c>] 0x800a586c
[<80012210>] 0x80012210

Code: 0c0064ef 02002821 3c048024 <8e060020> 2484989c 0c0064ef 02002821 1600000e 8fbf001c
Disabling lock debugging due to kernel taint
Segmentation fault

The attached patch applied to drivers/gpio/gpiolib prevents this segmentation fault

Best regards

Attachments (1)

gpiolib.patch (895 bytes) - added by anonymous 8 years ago.

Download all attachments as: .zip

Change History (5)

Changed 8 years ago by anonymous

comment:1 Changed 8 years ago by lars

Your patch adds a penalty to each gpio_{set,get}_value call.
The gpiodev driver has a mask of which gpios can be accessed. So the real bug here is that the board setting up the gpiodev driver probably includes gpios to that mask which do not exists.

comment:2 Changed 8 years ago by florian

gpiodev does not check if the specified gpio exceeds the mask it has been configured with, will cook up a patch for this.

comment:3 Changed 8 years ago by joel_ejc@…

I just read ours answers.

In the case of gpioctl, the control must be done in gpiodev but it will not be easy in the case of a) if the number of gpio is larger than 32 (40 for bcm6358) b) if there are several gpiochip drivers with non continuous range of gpio.

On the other hand, it's not neccesary to chechk gain the validity of gpio in chip->{set,get} functions, because is gpio is not valid, chip->{set,get} will not be called

For example in arch/mips/bcm63xx/gpio.c

if (gpio >= chip.ngpio) BUG()

Removing this kind of tests may balance the penalty of proposed test in gpiolib

comment:4 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

Add Comment

Modify Ticket

as new .

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.