Skip to content

[Deepin-Kernel-SIG] [linux 6.6.y] [Upstream] gpiolib: acpi: Fix potential out-of-boundary left shift#1715

Open
opsiff wants to merge 1 commit into
deepin-community:linux-6.6.yfrom
opsiff:linux-6.6.y-2026-05-14-3
Open

[Deepin-Kernel-SIG] [linux 6.6.y] [Upstream] gpiolib: acpi: Fix potential out-of-boundary left shift#1715
opsiff wants to merge 1 commit into
deepin-community:linux-6.6.yfrom
opsiff:linux-6.6.y-2026-05-14-3

Conversation

@opsiff
Copy link
Copy Markdown
Member

@opsiff opsiff commented May 14, 2026
edited by sourcery-ai Bot
Loading

mainline inclusion
from mainline-v6.19-rc8
commit e64d1cb
category: bugfix
bugzilla: https://atomgit.com/openeuler/kernel/issues/9158

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e64d1cb21a1c6ecd51bc1c94c83f6fc656f7c94d

GPIO Address Space handler gets a pointer to the in or out value. This value is supposed to be at least 64-bit, but it's not limited to be exactly 64-bit. When ACPI tables are being parsed, for the bigger Connection():s ACPICA creates a Buffer instead of regular Integer object. The Buffer exists as long as Namespace holds the certain Connection(). Hence we can access the necessary bits without worrying. On the other hand, the left shift, used in the code, is limited by 31 (on 32-bit platforms) and otherwise considered to be Undefined Behaviour. Also the code uses only the first 64-bit word for the value, and anything bigger than 63 will be also subject to UB. Fix all this by modifying the code to correctly set or clear the respective bit in the bitmap constructed of 64-bit words.

Fixes: 59084c564c41 ("gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler")
Fixes: 2c4d00c ("gpiolib: acpi: Use BIT() macro to increase readability")
Cc: stable@vger.kernel.org
Reviewed-by: Mika Westerberg mika.westerberg@linux.intel.com

Link: https://patch.msgid.link/20260128095918.4157491-1-andriy.shevchenko@linux.intel.com

Summary by Sourcery

Bug Fixes:

  • Correct GPIO ACPI OperationRegion bitmask handling to support multi-word (>64-bit) values without out-of-bounds or undefined left shifts.

@andy-shev @opsiff
gpiolib: acpi: Fix potential out-of-boundary left shift
e5256b0 
mainline inclusion
from mainline-v6.19-rc8
commit e64d1cb
category: bugfix
bugzilla: https://atomgit.com/openeuler/kernel/issues/9158

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e64d1cb21a1c6ecd51bc1c94c83f6fc656f7c94d

--------------------------------

GPIO Address Space handler gets a pointer to the in or out value.
This value is supposed to be at least 64-bit, but it's not limited
to be exactly 64-bit. When ACPI tables are being parsed, for
the bigger Connection():s ACPICA creates a Buffer instead of regular
Integer object. The Buffer exists as long as Namespace holds
the certain Connection(). Hence we can access the necessary bits
without worrying. On the other hand, the left shift, used in
the code, is limited by 31 (on 32-bit platforms) and otherwise
considered to be Undefined Behaviour. Also the code uses only
the first 64-bit word for the value, and anything bigger than 63
will be also subject to UB. Fix all this by modifying the code
to correctly set or clear the respective bit in the bitmap constructed
of 64-bit words.

Fixes: 59084c564c41 ("gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler")
Fixes: 2c4d00c ("gpiolib: acpi: Use BIT() macro to increase readability")
Cc: stable@vger.kernel.org
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20260128095918.4157491-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
@sourcery-ai
Copy link
Copy Markdown

sourcery-ai Bot commented May 14, 2026
edited
Loading

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Ports an upstream gpiolib ACPI bugfix to correctly handle GPIO OperationRegions larger than 64 bits by indexing into a 64-bit word array instead of shifting by the absolute pin index, eliminating potential out-of-bounds and undefined left-shift behavior on 32-bit and multi-word values.

File-Level Changes

Change Details Files
Rework ACPI GPIO address space handler bit access to operate on an array of 64-bit words using word and bit indices instead of shifting by the global pin index.
  • Introduce local u16 variables to hold the 64-bit word index and intra-word bit position for each GPIO pin
  • Compute word index and bit shift from the pin index using integer division and modulo by 64
  • On ACPI write, pass the bit value taken from the appropriate word and bit position to gpiod_set_raw_value_cansleep instead of masking a single 64-bit value
  • On ACPI read, set or clear the corresponding bit in the appropriate 64-bit word based on gpiod_get_raw_value_cansleep, rather than left-shifting the result by the pin index into a single u64
 drivers/gpio/gpiolib-acpi.c
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

sourcery-ai[bot]
sourcery-ai Bot reviewed May 14, 2026
View reviewed changes
Copy link
Copy Markdown

@sourcery-ai sourcery-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@Avenger-285714
Copy link
Copy Markdown
Member

Avenger-285714 commented May 14, 2026

有CVE编号的话可以在PR里备注一下

/approve

@deepin-ci-robot
Copy link
Copy Markdown

deepin-ci-robot commented May 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Avenger-285714

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copilot AI reviewed May 14, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR backports an upstream stable fix to gpiolib-acpi to avoid undefined behavior when handling GPIO OpRegion bitmasks larger than 64 bits, by switching from single-word shifts to word+bit addressing.

Changes:

  • Compute a 64-bit word index and intra-word bit shift (i / 64, i % 64) for GPIO OpRegion accesses.
  • Update ACPI_READ/ACPI_WRITE paths to set/clear bits in the backing value rather than shifting by an unbounded amount.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread drivers/gpio/gpiolib-acpi.c
shift = i % 64;

if (function == ACPI_WRITE) {
gpiod_set_raw_value_cansleep(desc, value[word] & BIT_ULL(shift));
Comment thread drivers/gpio/gpiolib-acpi.c
Comment on lines +1231 to +1246
/*
* For the cases when OperationRegion() consists of more than
* 64 bits calculate the word and bit shift to use that one to
* access the value.
*/
word = i / 64;
shift = i % 64;

if (function == ACPI_WRITE) {
gpiod_set_raw_value_cansleep(desc, value[word] & BIT_ULL(shift));
} else {
if (gpiod_get_raw_value_cansleep(desc))
value[word] |= BIT_ULL(shift);
else
value[word] &= ~BIT_ULL(shift);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Copilot code review Copilot Copilot left review comments

@chenchongbiao chenchongbiao Awaiting requested review from chenchongbiao

@myml myml Awaiting requested review from myml

@Avenger-285714 Avenger-285714 Awaiting requested review from Avenger-285714

Assignees

No one assigned

Labels

approved

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@opsiff @Avenger-285714 @deepin-ci-robot @andy-shev