Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp4420834pxy; Tue, 27 Apr 2021 04:50:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxqih7PAI/JHDFKtmLDOmTzFiyk66N685vFbHh0OMGyRr98sVcC4vkGluhGaOx8y9YyaTdq X-Received: by 2002:a17:902:654b:b029:ec:a435:5b5c with SMTP id d11-20020a170902654bb02900eca4355b5cmr24945452pln.42.1619524259142; Tue, 27 Apr 2021 04:50:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619524259; cv=none; d=google.com; s=arc-20160816; b=mpR1Vi0k/cOyHgWQksZowHFtbS0I3B5yv1/+WqnMRlsawam5d50GCdeZlJP4JjkV7z QXGVKgzyF6uMD1lYaei6x2UVTlLs9Fux/CG6YlNDx92Xi4PzZQ0zVKsdU3ox3ehvHgdO 2SehiP0GCzuoW9qkFvt6mlawv0SZvfJRz/7TZI61kkUhYz/KE8PQ/W1anAzsIXf7oJGn wJObUqsrnJV2R7Ttb2claXc8o1e0w2CXikyzthX/jUMCKECXfi1cQ0Gyhjigz+kHZ8OA RFv5+QbddZj9h7kpMFp6wzRxwX3oxkdjz+Wh1JFnFdkrYxNN0TscEr80FBSbOx2emt5M g0zQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=LSYdmx3THyccV7YeXxjpZrJwVjjfjbbiVwbeM4XugIU=; b=iJe7+2I0dGcUAlNDV9TViEQIE3VNjjylLtzR0MpINIbDalj+Agw7Be9mlYZixJ+c/Y GodhX5frmbowO/11QraakqSwxurWgyeOPrgZ1qtYyblNQf7DPBFOCrKH0mNewMYzB2f7 5+qLqmo9ZWqys+l+A1kSNG4lGie/yjVhA+sVEDIvhdC9j4dBiqH2duY0NZb711BT7nbq iK8BpwGx/L5dkuwM8/OQETfm/ixyTGgsrb23UZcP/rtuGJ0W33ixt/gc+ovSbBYPXOLn 9iZg+WyGDshHmNSeUuqnq6ZJNgZ+Z8du1JJGqgiXgKjpAevNOIaJr8YsssdZaSmq4CSK 0sQg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 36si21197815pgw.170.2021.04.27.04.50.46; Tue, 27 Apr 2021 04:50:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236083AbhD0Lug (ORCPT + 99 others); Tue, 27 Apr 2021 07:50:36 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:60989 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230365AbhD0Luf (ORCPT ); Tue, 27 Apr 2021 07:50:35 -0400 Received: from 1.general.cking.uk.vpn ([10.172.193.212] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lbMDu-0001qZ-GF; Tue, 27 Apr 2021 11:49:50 +0000 From: Colin King To: Linus Walleij , Bartosz Golaszewski , Andy Shevchenko , linux-gpio@vger.kernel.org Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH][next][V2] gpio: sim: Fix dereference of free'd pointer config Date: Tue, 27 Apr 2021 12:49:50 +0100 Message-Id: <20210427114950.12739-1-colin.king@canonical.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Colin Ian King The error return of config->id dereferences the kfree'd object config. Fix this by using a temporary variable for the id to avoid this issue. Addresses-Coverity: ("Read from pointer aftyer free") Fixes: a49d14276ac4 ("gpio: sim: allocate IDA numbers earlier") Signed-off-by: Colin Ian King --- V2: Don't make id local to the if statement to improve coding style. Thanks to Bartosz Golaszewski for this improvement suggestion. --- drivers/gpio/gpio-sim.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/gpio/gpio-sim.c b/drivers/gpio/gpio-sim.c index 2e2e6399e453..b21541c0b700 100644 --- a/drivers/gpio/gpio-sim.c +++ b/drivers/gpio/gpio-sim.c @@ -744,20 +744,22 @@ static struct config_item * gpio_sim_config_make_item(struct config_group *group, const char *name) { struct gpio_sim_chip_config *config; + int id; config = kzalloc(sizeof(*config), GFP_KERNEL); if (!config) return ERR_PTR(-ENOMEM); - config->id = ida_alloc(&gpio_sim_ida, GFP_KERNEL); - if (config->id < 0) { + id = ida_alloc(&gpio_sim_ida, GFP_KERNEL); + if (id < 0) { kfree(config); - return ERR_PTR(config->id); + return ERR_PTR(id); } config_item_init_type_name(&config->item, name, &gpio_sim_chip_config_type); config->num_lines = 1; + config->id = id; mutex_init(&config->lock); return &config->item; -- 2.30.2