2024-03-04 16:11:58

by Charles Keepax

Subject: [PATCH] gpio: swnode: Don't use __free() on result of swnode_get_gpio_device()

swnode_get_gpio_device() can return an error pointer, however
gpio_device_put() is not able to accept error values. Thus using
__free() will result in dereferencing an invalid pointer.

As there is only a single exit point anyway, simply call
gpio_device_put() manually. Whilst modifying the code move
the variable declaration to the top of the function, and move
fwnode_handle_put() until after the error check. Technically
fwnode_handle_put() will handle being passed an error value, but
no need to call it when the code knows it doesn't need to.

Fixes: b7b56e64a345 ("gpio: swnode: replace gpiochip_find() with gpio_device_find_by_label()")
Signed-off-by: Charles Keepax <[email protected]>
---
drivers/gpio/gpiolib-swnode.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/gpio/gpiolib-swnode.c b/drivers/gpio/gpiolib-swnode.c
index fa52bdb1a29a3..de43e0b06a4b1 100644
--- a/drivers/gpio/gpiolib-swnode.c
+++ b/drivers/gpio/gpiolib-swnode.c
@@ -50,6 +50,7 @@ struct gpio_desc *swnode_find_gpio(struct fwnode_handle *fwnode,
{
const struct software_node *swnode;
struct fwnode_reference_args args;
+ struct gpio_device *gdev;
struct gpio_desc *desc;
char propname[32]; /* 32 is max size of property name */
int error;
@@ -71,12 +72,12 @@ struct gpio_desc *swnode_find_gpio(struct fwnode_handle *fwnode,
return ERR_PTR(error);
}

- struct gpio_device *gdev __free(gpio_device_put) =
- swnode_get_gpio_device(args.fwnode);
- fwnode_handle_put(args.fwnode);
+ gdev = swnode_get_gpio_device(args.fwnode);
if (IS_ERR(gdev))
return ERR_CAST(gdev);

+ fwnode_handle_put(args.fwnode);
+
/*
* FIXME: The GPIO device reference is put at return but the descriptor
* is passed on. Find a proper solution.
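Review bot: The error return in this hunk, return ERR_CAST(gdev), now exits before fwnode_handle_put(args.fwnode), which the removed lines called unconditionally ahead of the IS_ERR() check. args.fwnode is the handle that was just passed to swnode_get_gpio_device(), so it is still a live reference when gdev turns out to be an error pointer, and this path no longer drops it. Keep the put directly after the swnode_get_gpio_device() call, or add it to the error branch before returning.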
@@ -87,6 +88,8 @@ struct gpio_desc *swnode_find_gpio(struct fwnode_handle *fwnode,
pr_debug("%s: parsed '%s' property of node '%pfwP[%d]' - status (%d)\n",
__func__, propname, fwnode, idx, PTR_ERR_OR_ZERO(desc));

+ gpio_device_put(gdev);
+
return desc;
}
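
Review bot: The manual gpio_device_put(gdev) before return desc only balances the reference if there is no return between the swnode_get_gpio_device() call and this line; that region is not shown in the hunks, and any exit added there later will leak gdev, which the scope-based __free() covered automatically. The FIXME in the previous hunk's context still says the reference "is put at return", so if the manual put stays, reword that comment and note there that every exit after the lookup has to put gdev.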

--
2.39.2



2024-03-04 17:34:43

by Charles Keepax

Subject: Re: [PATCH] gpio: swnode: Don't use __free() on result of swnode_get_gpio_device()

On Mon, Mar 04, 2024 at 05:34:27PM +0100, Bartosz Golaszewski wrote:
> On Mon, Mar 4, 2024 at 5:03 PM Charles Keepax
> <[email protected]> wrote:
> >
> > swnode_get_gpio_device() can return an error pointer, however
> > gpio_device_put() is not able to accept error values. Thus using
> > __free() will result in dereferencing an invalid pointer.
> >
>
> Can you post the steps to reproduce this? Because it should work[1].

Hmm... yeah that does look like it should work, I have had the
patch sitting in my tree for a little while, let me double check
and I will come back/resend if it is actually still needed.

Thanks,
Charles

2024-03-04 16:34:48

by Bartosz Golaszewski

Subject: Re: [PATCH] gpio: swnode: Don't use __free() on result of swnode_get_gpio_device()

On Mon, Mar 4, 2024 at 5:03 PM Charles Keepax
<[email protected]> wrote:
>
> swnode_get_gpio_device() can return an error pointer, however
> gpio_device_put() is not able to accept error values. Thus using
> __free() will result in dereferencing an invalid pointer.
>

Can you post the steps to reproduce this? Because it should work[1].

Bart

[1] https://elixir.bootlin.com/linux/latest/source/include/linux/gpio/driver.h#L616

2024-03-05 14:14:52

by Dan Carpenter

Subject: Re: [PATCH] gpio: swnode: Don't use __free() on result of swnode_get_gpio_device()

On Mon, Mar 04, 2024 at 04:03:20PM +0000, Charles Keepax wrote:
> swnode_get_gpio_device() can return an error pointer, however
> gpio_device_put() is not able to accept error values. Thus using
> __free() will result in dereferencing an invalid pointer.
>

No, this code works as-is. The gpio_device_put() won't be called
directly, it will be called by a wrapper that checks for error pointers.
The __free() stuff is defined like this:

include/linux/gpio/driver.h
  DEFINE_FREE(gpio_device_put, struct gpio_device *,
              if (!IS_ERR_OR_NULL(_T)) gpio_device_put(_T))

So it handles error pointers correctly.

regards,
dan carpenter
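
The point made in the reply above, as an added userspace example that is not code from this thread or from the kernel tree: a guarded cleanup wrapper skips the put for an error pointer, while an unguarded one would hand it to gpio_device_put(). The macros are simplified re-creations, and mock_get(), mock_dev, bad_puts, unguarded_put and the lookup_*() functions are hypothetical names; gpio_device_put() here is a mock that counts error pointers instead of dereferencing them.

```c
#include <errno.h>
#include <stdio.h>

#define ERR_PTR(e)        ((void *)(long)(e))
#define PTR_ERR(p)        ((long)(p))
#define IS_ERR(p)         ((unsigned long)(p) >= (unsigned long)-4095) /* MAX_ERRNO */
#define IS_ERR_OR_NULL(p) (!(p) || IS_ERR(p))
/* Simplified DEFINE_FREE()/__free() in the style of include/linux/cleanup.h. */
#define DEFINE_FREE(_name, _type, _free) \
	static inline void __free_##_name(void *p) { _type _T = *(_type *)p; _free; }
#define __free(_name) __attribute__((cleanup(__free_##_name)))
static struct gpio_device { int refs; } mock_dev; /* mock, not the kernel struct */
static int bad_puts;                              /* puts that received an error pointer */

static void gpio_device_put(struct gpio_device *gdev)
{
	if (IS_ERR(gdev)) { bad_puts++; return; } /* a real put would dereference here */
	gdev->refs--;
}

/* Guarded wrapper, as quoted from include/linux/gpio/driver.h in the reply above. */
DEFINE_FREE(gpio_device_put, struct gpio_device *,
	    if (!IS_ERR_OR_NULL(_T)) gpio_device_put(_T))
/* Hypothetical unguarded wrapper: the behaviour the patch description assumed. */
DEFINE_FREE(unguarded_put, struct gpio_device *, gpio_device_put(_T))

static struct gpio_device *mock_get(int fail) /* stands in for swnode_get_gpio_device() */
{
	if (fail) return ERR_PTR(-ENODEV);
	mock_dev.refs++;
	return &mock_dev;
}

long lookup_guarded(int fail)
{
	struct gpio_device *gdev __free(gpio_device_put) = mock_get(fail);
	return IS_ERR(gdev) ? PTR_ERR(gdev) : 0; /* cleanup runs after this is evaluated */
}

long lookup_unguarded(int fail)
{
	struct gpio_device *gdev __free(unguarded_put) = mock_get(fail);
	return IS_ERR(gdev) ? PTR_ERR(gdev) : 0;
}

int main(void)
{
	long g = lookup_guarded(1), u = lookup_unguarded(1);
	return printf("guarded=%ld unguarded=%ld bad_puts=%d\n", g, u, bad_puts) < 0;
}
```

Build with GCC or Clang, since the cleanup attribute is a compiler extension.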