Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp4470018pxy; Tue, 27 Apr 2021 05:59:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwwA+lkaM8S6KkAacy5k/PcXioUZMqfnBXfM1wf4A6w9FEmJecNwYgXaJtlCGRoMw2Yx6V5 X-Received: by 2002:a17:902:a9c7:b029:e8:de49:6a76 with SMTP id b7-20020a170902a9c7b02900e8de496a76mr25056151plr.63.1619528373408; Tue, 27 Apr 2021 05:59:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619528373; cv=none; d=google.com; s=arc-20160816; b=G4yeorJpjRuz7OzrQq+lWPnhF+Guqnh71NvT/8XA94qwCNSptcTt1QEu8RmJvKJjj1 1iIIrLsUGTX7D0CI1Q7p+Ef3NYKUI55DJUg2u6RVamQ/p3dp+eCIB0rK4GnMt2BOajbt Vq2Q2d/6xqfFV2bE2xAKyN7Sw3iVLdsbKr3FsABrQwg5cTNvjTvDufs0VlYH6Jq8AcsK tTn28QuW9AutRGvPubK5CfVrU1cpQndn3pZsHw7pyi0nq34xUujBTNDf8tNECEQ/Z+8K bFACtTyjeoG/k18ra9nD5sXAys9ukmg9iZwIug1PhL9jLkPeQZPN2HbBhkYDIihmmPCn 4Itw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=gmJuaevkbgn2ndJzF8GH9nwHXPdttRaOjLRr8vOD/2w=; b=RlGauCFU1yo3yyLvm5CvYesJpO6EJ+/HE0svqRRXPpU4VgSzQiab7lFif+zfM8fNWB C8u2ATbTysHbpZhwvqkrgyE+AJvPDD0iIyuESqG2MHY19/NJrXJfa+CCTvmijsdfxqoq hURujjY0/x33v9JYW8hXwEldo735rjt3w7j0gcRQa15ZUBJJhmQKwVqxWZhLUCJxepPt 2yfD2ahf+xTGHin51GLeTl5VrJFu3CXGLcmvhqWhcaZ2RJH1WJjr8y0dNrxI6gFmRbgf BNeecX26qBo+G3iYvOthgeQrf5fgD/0oyIhaHlnHwFTgzQ0f5fPRgfI0Vi5vQ/fMq06L mVEg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@baylibre-com.20150623.gappssmtp.com header.s=20150623 header.b=exegFg1F; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id mu11si4609717pjb.11.2021.04.27.05.59.20; Tue, 27 Apr 2021 05:59:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@baylibre-com.20150623.gappssmtp.com header.s=20150623 header.b=exegFg1F; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236375AbhD0M6d (ORCPT + 99 others); Tue, 27 Apr 2021 08:58:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34386 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235795AbhD0M6b (ORCPT ); Tue, 27 Apr 2021 08:58:31 -0400 Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8D645C061756 for ; Tue, 27 Apr 2021 05:57:48 -0700 (PDT) Received: by mail-yb1-xb2e.google.com with SMTP id i4so31636272ybe.2 for ; Tue, 27 Apr 2021 05:57:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=baylibre-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gmJuaevkbgn2ndJzF8GH9nwHXPdttRaOjLRr8vOD/2w=; b=exegFg1F+b3+j8jslEiXMQIEqPTycFT4WNxWy+f/2vE5IQot8SKoBEYkCEA56xZFrh +LAmWQflzVQpz8iY64i2EsPcyvJtnX9TMU0RLRRIny6dFeTHPdm+BIOsmwLcGAuI+esa bOxAccV4Inl01Xw6LEKh5702sahVdmu1I6Mr7WcFoLcpmetv3szRmAJhU/66gXs6CuzZ fW6KGauUtgtT9+sJk2PGSb1Wi9FcikOo0TMh3TyPbQeI/vpTOQyL/WpOHSFAuz42DQ2z RTTuT+Y5ReZzTp6VxLQOaVFtcqZEA8XbOWx/qki73oMfWyQEHb9zYkR+IxijAzWYIEsK Q69w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gmJuaevkbgn2ndJzF8GH9nwHXPdttRaOjLRr8vOD/2w=; b=Ye5iJfWU8R/WkxwR9eOxifslnZfs3BE9LNgCa6glDJoiYyObtG9mod6mFkntYQldRX E8E63Q9wxx0iIw2nu0mBMvBYeIvYcAZ5jg0yQs76o3WyqnC7iJYIwihKcHVooMkeIl/6 8PGNAWWKk7BSIG3Ic99C4dcq84a2oB4UeQB/NmnR0azd0Dx9ojVwbkTeKNEO5yNXFhI/ Yb+xEvuUHnk0P+s8plq7gS/v8TH7/q8B0Z7J8F1noHx6CYyKLmO3iKgdiQOzcWgR0eOb hq3FhPLcAPrRqQgQjHIRAJMAnsY1IlO5ATsxSfCcXdJT0UHuLMzKzBo5dVlBmlwG5N6z RR0g== X-Gm-Message-State: AOAM532xTcWZQ1O8ZxGI/LGIindjNi/dgy3lpUHqK7ocm6/am4cAHKgU XKU/CTkTeIOCA/SzVlsQ4B5YbDkYBv+8FQc2aIu8Ig== X-Received: by 2002:a25:c746:: with SMTP id w67mr2779075ybe.312.1619528267893; Tue, 27 Apr 2021 05:57:47 -0700 (PDT) MIME-Version: 1.0 References: <20210427114950.12739-1-colin.king@canonical.com> In-Reply-To: From: Bartosz Golaszewski Date: Tue, 27 Apr 2021 14:57:37 +0200 Message-ID: Subject: Re: [PATCH][next][V2] gpio: sim: Fix dereference of free'd pointer config To: Colin Ian King Cc: Andy Shevchenko , Linus Walleij , "open list:GPIO SUBSYSTEM" , kernel-janitors , Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 27, 2021 at 2:20 PM Colin Ian King wrote: > > On 27/04/2021 13:11, Andy Shevchenko wrote: > > On Tue, Apr 27, 2021 at 2:49 PM Colin King wrote: > >> > >> From: Colin Ian King > >> > >> The error return of config->id dereferences the kfree'd object config. > >> Fix this by using a temporary variable for the id to avoid this issue. > > > > Thanks! > > I'm wondering how I missed this... Nevertheless > > > > Reviewed-by: Andy Shevchenko > > > >> Addresses-Coverity: ("Read from pointer aftyer free") > > > > after > > > > Can that be fixed before applying rather me sending a V3? > No need, I'll add it and apply right away. Bartosz > >> Fixes: a49d14276ac4 ("gpio: sim: allocate IDA numbers earlier") > >> Signed-off-by: Colin Ian King > >> --- > >> V2: Don't make id local to the if statement to improve coding style. > >> Thanks to Bartosz Golaszewski for this improvement suggestion. > >> --- > >> drivers/gpio/gpio-sim.c | 8 +++++--- > >> 1 file changed, 5 insertions(+), 3 deletions(-) > >> > >> diff --git a/drivers/gpio/gpio-sim.c b/drivers/gpio/gpio-sim.c > >> index 2e2e6399e453..b21541c0b700 100644 > >> --- a/drivers/gpio/gpio-sim.c > >> +++ b/drivers/gpio/gpio-sim.c > >> @@ -744,20 +744,22 @@ static struct config_item * > >> gpio_sim_config_make_item(struct config_group *group, const char *name) > >> { > >> struct gpio_sim_chip_config *config; > >> + int id; > >> > >> config = kzalloc(sizeof(*config), GFP_KERNEL); > >> if (!config) > >> return ERR_PTR(-ENOMEM); > >> > >> - config->id = ida_alloc(&gpio_sim_ida, GFP_KERNEL); > >> - if (config->id < 0) { > >> + id = ida_alloc(&gpio_sim_ida, GFP_KERNEL); > >> + if (id < 0) { > >> kfree(config); > >> - return ERR_PTR(config->id); > >> + return ERR_PTR(id); > >> } > >> > >> config_item_init_type_name(&config->item, name, > >> &gpio_sim_chip_config_type); > >> config->num_lines = 1; > >> + config->id = id; > >> mutex_init(&config->lock); > >> > >> return &config->item; > >> -- > >> 2.30.2 > >> > > > > >