Re: [PATCH v5] gpiolib: acpi: prevent address truncation in OperationRegion handler

From: Marco Scardovi

Date: Tue Jun 02 2026 - 08:05:28 EST


Hi Mika,

On Tue, Jun 02, 2026 at 01:45:40PM +0200, Mika Westerberg wrote:
> How in practice can this be done given that the GPIO resource has only 2
> bytes for the index?

The 2-byte limitation is in the GPIO resource descriptor representation of the
pin table, not in the ACPI address space handler interface itself.

The acpi_gpio_adr_space_handler() receives the access offset as a 64-bit
acpi_physical_address from ACPICA. This value is generated when AML
accesses a Field within the GPIO OperationRegion, and it is not constrained
by the GPIO resource descriptor's pin_table_length.

This is not GPIO-specific in ACPICA terms: all address space handlers
receive a raw 64-bit address, and any semantic interpretation (such as
treating it as a GPIO pin index) is done by the individual handler.

In the GPIO case, the driver maps this address directly to an index into
agpio->pin_table[]. Without validating the full 64-bit value against
pin_table_length before truncating to u16, an out-of-bounds access can
occur due to wraparound.

The fix ensures the 64-bit address is validated against the table size
before any narrowing conversion, avoiding the wraparound and
rejecting invalid AML accesses.

Marco
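
The ordering problem described in the message above, as an added user-space example (not code from the patch or from the kernel): a narrowing conversion placed ahead of the bounds check lets an out-of-range 64-bit offset alias onto a valid index, while checking the full-width value first rejects it. The function names, the 4-entry table length and the `count` parameter are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PIN_TABLE_LEN 4u   /* constructed sample: a 4-entry pin table */

/* Narrow first, then compare: the upper 48 bits are dropped before the
 * check ever sees them. Returns the index that would be used, or -1. */
static int index_truncate_first(uint64_t address, uint16_t table_len)
{
    uint16_t idx = (uint16_t)address;
    return idx < table_len ? (int)idx : -1;
}

/* Compare the full 64-bit value, then narrow: the cast is only reached
 * once the value is known to fit. Returns the index, or -1 on reject. */
static int index_validate_first(uint64_t address, uint16_t table_len)
{
    if (address >= table_len)
        return -1;
    return (int)(uint16_t)address;
}

/* Multi-pin variant (count is a hypothetical parameter): accept only if
 * [address, address + count) lies inside the table. Written as a
 * subtraction so address + count cannot overflow. */
static int range_ok(uint64_t address, uint32_t count, uint16_t table_len)
{
    if (address >= table_len)
        return 0;
    return count <= (uint64_t)table_len - address;
}

int main(void)
{
    /* Constructed offsets: one valid, two that alias after truncation. */
    const uint64_t samples[] = { 2, 0x10002, 0xFFFFFFFF00000001ULL, 7 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("addr=0x%016llx truncate-first=%d validate-first=%d\n",
               (unsigned long long)samples[i],
               index_truncate_first(samples[i], PIN_TABLE_LEN),
               index_validate_first(samples[i], PIN_TABLE_LEN));
    return 0;
}
```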