public inbox for linux-arm-kernel@lists.infradead.org
 help / color / mirror / Atom feed
* [PATCH] pinctrl: sunxi: fix use-after-free in sunxi_pmx_free()
@ 2021-01-19  6:29 Liu Xiang
  2021-01-21 16:40 ` Maxime Ripard
  0 siblings, 1 reply; 5+ messages in thread
From: Liu Xiang @ 2021-01-19  6:29 UTC (permalink / raw)
  To: linux-gpio
  Cc: jernej.skrabec, liuxiang_1999, linus.walleij, linux-kernel,
	mripard, Liu Xiang, wens, linux-arm-kernel

When CONFIG_REGULATOR is not set, sunxi_pmx_request() always return
success. Even a group of pins call sunxi_pmx_request(), the refcount
is only 1. This can cause a use-after-free warning in sunxi_pmx_free().
To solve this problem, go to err path if regulator_get() return NULL
or error.

Signed-off-by: Liu Xiang <liu.xiang@zlingsmart.com>
---
 drivers/pinctrl/sunxi/pinctrl-sunxi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/pinctrl/sunxi/pinctrl-sunxi.c b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
index dc8d39ae0..d1a8974eb 100644
--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
@@ -777,7 +777,7 @@ static int sunxi_pmx_request(struct pinctrl_dev *pctldev, unsigned offset)
 
 	snprintf(supply, sizeof(supply), "vcc-p%c", 'a' + bank);
 	reg = regulator_get(pctl->dev, supply);
-	if (IS_ERR(reg)) {
+	if (IS_ERR_OR_NULL(reg)) {
 		dev_err(pctl->dev, "Couldn't get bank P%c regulator\n",
 			'A' + bank);
 		return PTR_ERR(reg);
@@ -811,7 +811,7 @@ static int sunxi_pmx_free(struct pinctrl_dev *pctldev, unsigned offset)
 					    PINS_PER_BANK;
 	struct sunxi_pinctrl_regulator *s_reg = &pctl->regulators[bank_offset];
 
-	if (!refcount_dec_and_test(&s_reg->refcount))
+	if (!s_reg->regulator || !refcount_dec_and_test(&s_reg->refcount))
 		return 0;
 
 	regulator_disable(s_reg->regulator);
-- 
2.17.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply related	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-01-26 15:26 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-01-19  6:29 [PATCH] pinctrl: sunxi: fix use-after-free in sunxi_pmx_free() Liu Xiang
2021-01-21 16:40 ` Maxime Ripard
2021-01-22 22:53   ` Linus Walleij
     [not found]     ` <5c4b7a8c-c549-43ae-8ec6-5ae3ed26d321.liu.xiang@zlingsmart.com>
2021-01-26 15:03       ` Linus Walleij
2021-01-26 15:24         ` Maxime Ripard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox