From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 289120] A time-of-check to time-of-use race exists in gpioc_kqread() of GPIO subsystem
Date: Mon, 29 Sep 2025 09:57:26 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 14.3-RELEASE
X-Bugzilla-Status: Open
X-Bugzilla-Who: chenqiuji666@gmail.com

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289120

--- Comment #5 from Qiu-ji Chen ---

(In reply to Ahmad Khalifa from comment #3)

Hi Ahmad,

While re-auditing /sys/dev/gpio/gpioc.c, we noticed another potential issue in gpioc_ioctl() under the GPIOCONFIGEVENTS case.

There appears to be a Time-of-Check to Time-of-Use (TOCTOU) race condition. The code relies on the !SLIST_EMPTY(&priv->pins) check to prevent races. The assumption seems to be that if the pin list is empty, there can be no concurrent access, since gpioc_read() would return ENXIO and gpioc_interrupt_handler() cannot be invoked if no pins are configured for interrupts.

However, since the ioctl interface allows for concurrency, one thread could pass the !SLIST_EMPTY check while another concurrent ioctl call using GPIOSETCONFIG enables an interrupt pin. This would create a race between the first thread and a now-possible gpioc_interrupt_handler() or gpioc_read(), potentially leading to a Use-After-Free.

We suggest protecting the critical section in this ioctl case by holding the priv->mtx lock.

Best regards,
Qiu-ji Chen
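The following is an added userland model of the check-then-act window described in the comment; it is not code from sys/dev/gpio/gpioc.c or from the FreeBSD project. It contrasts the racy shape (emptiness check made, lock released, state acted on later) with the hardened shape the comment proposes (check and act under one hold of the mutex). A contender standing in for a concurrent GPIOSETCONFIG-style request is injected into the window; with the lock held across the whole section it cannot get in. All names (model_priv, model_pin, model_configevents_racy, model_configevents_locked, model_setconfig_try, run_scenario) are invented for the model.

```c
/* Added illustration, not driver code: a single-threaded model of a TOCTOU
 * window. The "contender" uses pthread_mutex_trylock to report whether a
 * second thread would have been able to take priv->mtx at that moment. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

struct model_pin { int pin; SLIST_ENTRY(model_pin) next; };

struct model_priv {
    pthread_mutex_t mtx;
    SLIST_HEAD(, model_pin) pins;
    int stale_uses;   /* act step ran while a pin was configured */
};

/* Called in the window between check and act; stands in for another thread. */
typedef void (*window_hook)(struct model_priv *);

static void model_init(struct model_priv *p)
{
    pthread_mutex_init(&p->mtx, NULL);
    SLIST_INIT(&p->pins);
    p->stale_uses = 0;
}

static void model_destroy(struct model_priv *p)
{
    struct model_pin *mp;
    while ((mp = SLIST_FIRST(&p->pins)) != NULL) {
        SLIST_REMOVE_HEAD(&p->pins, next);
        free(mp);
    }
    pthread_mutex_destroy(&p->mtx);
}

/* Contender: if the lock is free it configures a pin; if the lock is held
 * it would block, which the model reports as "did not get in". */
static bool model_setconfig_try(struct model_priv *p, int pin)
{
    if (pthread_mutex_trylock(&p->mtx) != 0)
        return false;
    struct model_pin *mp = calloc(1, sizeof *mp);
    if (mp == NULL) { pthread_mutex_unlock(&p->mtx); return false; }
    mp->pin = pin;
    SLIST_INSERT_HEAD(&p->pins, mp, next);
    pthread_mutex_unlock(&p->mtx);
    return true;
}

/* Racy shape: the check is made, the lock is dropped, and the act step
 * then trusts a conclusion that may already be stale. */
static int model_configevents_racy(struct model_priv *p, window_hook hook)
{
    pthread_mutex_lock(&p->mtx);
    bool empty = SLIST_EMPTY(&p->pins);
    pthread_mutex_unlock(&p->mtx);
    if (!empty)
        return EBUSY;
    if (hook != NULL)
        hook(p);                    /* window: another request can run */
    if (!SLIST_EMPTY(&p->pins))     /* unlocked act step sees a pin now */
        p->stale_uses++;
    return 0;
}

/* Hardened shape: check and act under one hold of p->mtx, so a contender
 * arriving in between blocks until the operation has finished. */
static int model_configevents_locked(struct model_priv *p, window_hook hook)
{
    pthread_mutex_lock(&p->mtx);
    if (!SLIST_EMPTY(&p->pins)) { pthread_mutex_unlock(&p->mtx); return EBUSY; }
    if (hook != NULL)
        hook(p);                    /* contender finds p->mtx held */
    if (!SLIST_EMPTY(&p->pins))
        p->stale_uses++;
    pthread_mutex_unlock(&p->mtx);
    return 0;
}

struct race_result { bool contender_got_in; int stale_uses; };

static bool g_contender_got_in;
static void contender(struct model_priv *p) { g_contender_got_in = model_setconfig_try(p, 7); }

/* Run one operation shape with the contender injected into its window. */
static struct race_result run_scenario(int (*op)(struct model_priv *, window_hook))
{
    struct model_priv p;
    struct race_result r;
    model_init(&p);
    g_contender_got_in = false;
    op(&p, contender);
    r.contender_got_in = g_contender_got_in;
    r.stale_uses = p.stale_uses;
    model_destroy(&p);
    return r;
}

int main(void)
{
    struct race_result racy = run_scenario(model_configevents_racy);
    struct race_result safe = run_scenario(model_configevents_locked);
    printf("racy:   contender got in=%d stale uses=%d\n", racy.contender_got_in, racy.stale_uses);
    printf("locked: contender got in=%d stale uses=%d\n", safe.contender_got_in, safe.stale_uses);
    return 0;
}
```

The point the model makes is that checking under the lock is not enough: the conclusion of the check is only valid for as long as the lock stays held, so the code that depends on the list being empty has to sit inside the same critical section.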