gpio: fix line flag validation in linehandle_create

commit e95fbc130a162ba9ad956311b95aa0da269eea48 upstream.

linehandle_create should not allow both GPIOHANDLE_REQUEST_INPUT
and GPIOHANDLE_REQUEST_OUTPUT to be set.

Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Kent Gibson <warthog618@gmail.com>
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index 3b0d77b..0ca8f3e 100644 (file)
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -426,12 +426,23 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip)
        struct linehandle_state *lh;
        struct file *file;
        int fd, i, count = 0, ret;
+       u32 lflags;
 
        if (copy_from_user(&handlereq, ip, sizeof(handlereq)))
                return -EFAULT;
        if ((handlereq.lines == 0) || (handlereq.lines > GPIOHANDLES_MAX))
                return -EINVAL;
 
+       lflags = handlereq.flags;
+
+       /*
+        * Do not allow both INPUT & OUTPUT flags to be set as they are
+        * contradictory.
+        */
+       if ((lflags & GPIOHANDLE_REQUEST_INPUT) &&
+           (lflags & GPIOHANDLE_REQUEST_OUTPUT))
+               return -EINVAL;
+
        lh = kzalloc(sizeof(*lh), GFP_KERNEL);
        if (!lh)
                return -ENOMEM;
@@ -452,7 +463,6 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip)
        /* Request each GPIO */
        for (i = 0; i < handlereq.lines; i++) {
                u32 offset = handlereq.lineoffsets[i];
-               u32 lflags = handlereq.flags;
                struct gpio_desc *desc;
 
                if (offset >= gdev->ngpio) {