From: Kent Gibson
To: linux-kernel@vger.kernel.org, linux-gpio@vger.kernel.org, brgl@bgdev.pl, linus.walleij@linaro.org
Cc: Kent Gibson
Subject: [PATCH] gpiolib: cdev: fix null pointer dereference in linereq_free()
Date: Wed, 6 Jul 2022 16:45:07 +0800
Message-Id: <20220706084507.2259415-1-warthog618@gmail.com>

This patch fixes a kernel NULL pointer dereference that is reported by gpio kselftests.

linereq_free() can be called as part of the cleanup of a failed request, at which time the desc for a line may not have been determined, so it is unsafe to dereference without a check.

Add a check prior to dereferencing the line desc.

Fixes: 2068339a6c35 ("gpiolib: cdev: Add hardware timestamp clock type")
Signed-off-by: Kent Gibson
---
I suspect the edge_detector_stop() and gpiod_free() could also be moved inside the same desc check but, as we are late in the rc cycle, I don't want to push my luck and have kept to the minimum change required to address the bug.

drivers/gpio/gpiolib-cdev.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c index f5aa5f93342a..0c9a63becfef 100644 --- a/drivers/gpio/gpiolib-cdev.c +++ b/drivers/gpio/gpiolib-cdev.c 
@@ -1460,11 +1460,12 @@ static ssize_t linereq_read(struct file *file, static void linereq_free(struct linereq *lr) { unsigned int i; - bool hte; + bool hte = false; for (i = 0; i < lr->num_lines; i++) { - hte = !!test_bit(FLAG_EVENT_CLOCK_HTE, - &lr->lines[i].desc->flags); + if (lr->lines[i].desc) + hte = !!test_bit(FLAG_EVENT_CLOCK_HTE, + &lr->lines[i].desc->flags); edge_detector_stop(&lr->lines[i], hte); if (lr->lines[i].desc) gpiod_free(lr->lines[i].desc); -- 2.37.0
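Review bot: in the for loop of linereq_free(), hte is set to false only once, at its declaration, so after a line whose desc has FLAG_EVENT_CLOCK_HTE set, a later line with a NULL desc still reaches `edge_detector_stop(&lr->lines[i], hte);` with the previous line's value in hte. Assign `hte = false;` at the top of each iteration, or, if the call can be skipped for a line that never got a desc, move edge_detector_stop() under the existing `if (lr->lines[i].desc)` check, so that no line is stopped using another line's clock type.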