From: Gregory Fong <gregory.0xf0@gmail.com>
To: linux-gpio@vger.kernel.org
Cc: Gregory Fong <gregory.0xf0@gmail.com>,
Alexandre Courbot <gnurou@gmail.com>,
bcm-kernel-feedback-list@broadcom.com,
Brian Norris <computersforpeace@gmail.com>,
devicetree@vger.kernel.org,
Florian Fainelli <f.fainelli@gmail.com>,
Ian Campbell <ijc+devicetree@hellion.org.uk>,
Kumar Gala <galak@codeaurora.org>,
Linus Walleij <linus.walleij@linaro.org>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, Mark Rutland <mark.rutland@arm.com>,
Pawel Moll <pawel.moll@arm.com>, Rob Herring <robh+dt@kernel.org>,
Russell King <linux@arm.linux.org.uk>
Subject: [PATCH v3 1/4] gpio: brcmstb: fix null ptr dereference in driver remove
Date: Wed, 17 Jun 2015 18:00:40 -0700 [thread overview]
Message-ID: <1434589243-502-2-git-send-email-gregory.0xf0@gmail.com> (raw)
In-Reply-To: <1434589243-502-1-git-send-email-gregory.0xf0@gmail.com>
If a failure occurs during probe, brcmstb_gpio_remove() is called. In
remove, we call platform_get_drvdata(), but at the time of failure in
the probe the driver data hadn't yet been set which leads to a NULL
ptr dereference in the remove's list_for_each. Call
platform_set_drvdata() and set up list head right after allocating the
priv struct to both avoid the null pointer dereference that could
occur today. To guard against potential future changes, check for
null pointer in remove.
Reported-by: Tim Ross <tross@broadcom.com>
Signed-off-by: Gregory Fong <gregory.0xf0@gmail.com>
---
New in v3.
drivers/gpio/gpio-brcmstb.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/gpio/gpio-brcmstb.c b/drivers/gpio/gpio-brcmstb.c
index 7a3cb1f..4630a81 100644
--- a/drivers/gpio/gpio-brcmstb.c
+++ b/drivers/gpio/gpio-brcmstb.c
@@ -87,6 +87,15 @@ static int brcmstb_gpio_remove(struct platform_device *pdev)
struct brcmstb_gpio_bank *bank;
int ret = 0;
+ if (!priv) {
+ dev_err(&pdev->dev, "called %s without drvdata!\n", __func__);
+ return -EFAULT;
+ }
+
+ /*
+ * You can lose return values below, but we report all errors, and it's
+ * more important to actually perform all of the steps.
+ */
list_for_each(pos, &priv->bank_list) {
bank = list_entry(pos, struct brcmstb_gpio_bank, node);
ret = bgpio_remove(&bank->bgc);
@@ -143,6 +152,8 @@ static int brcmstb_gpio_probe(struct platform_device *pdev)
priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
if (!priv)
return -ENOMEM;
+ platform_set_drvdata(pdev, priv);
+ INIT_LIST_HEAD(&priv->bank_list);
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
reg_base = devm_ioremap_resource(dev, res);
@@ -153,7 +164,6 @@ static int brcmstb_gpio_probe(struct platform_device *pdev)
priv->reg_base = reg_base;
priv->pdev = pdev;
- INIT_LIST_HEAD(&priv->bank_list);
if (brcmstb_gpio_sanity_check_banks(dev, np, res))
return -EINVAL;
@@ -221,8 +231,6 @@ static int brcmstb_gpio_probe(struct platform_device *pdev)
dev_info(dev, "Registered %d banks (GPIO(s): %d-%d)\n",
priv->num_banks, priv->gpio_base, gpio_base - 1);
- platform_set_drvdata(pdev, priv);
-
return 0;
fail:
--
1.9.1
next prev parent reply other threads:[~2015-06-18 1:02 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-18 1:00 [PATCH v3 0/4] GPIO support for BRCMSTB Gregory Fong
2015-06-18 1:00 ` Gregory Fong [this message]
2015-07-13 12:24 ` [PATCH v3 1/4] gpio: brcmstb: fix null ptr dereference in driver remove Linus Walleij
2015-06-18 1:00 ` [PATCH v3 2/4] dt-bindings: brcmstb-gpio: document properties for wakeup Gregory Fong
[not found] ` <1434589243-502-3-git-send-email-gregory.0xf0-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-07-13 12:29 ` Linus Walleij
[not found] ` <CACRpkdY5YH7MwGxA_UFg1bzwojT6XouBErBm86PtL_8RCSej0Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-07-13 17:35 ` Florian Fainelli
2015-06-18 1:00 ` [PATCH v3 3/4] gpio: brcmstb: Add interrupt and wakeup source support Gregory Fong
2015-07-13 12:58 ` Linus Walleij
[not found] ` <CACRpkdYNGdWHk1kqhFWHziLPy3mZXTcUjYFBCVo5dRCh60bQ_A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-07-14 2:29 ` Gregory Fong
2015-06-18 1:00 ` [PATCH v3 4/4] gpio: brcmstb: support wakeup from S5 cold boot Gregory Fong
[not found] ` <1434589243-502-5-git-send-email-gregory.0xf0-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-07-13 13:03 ` Linus Walleij
2015-07-14 2:31 ` Gregory Fong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1434589243-502-2-git-send-email-gregory.0xf0@gmail.com \
--to=gregory.0xf0@gmail.com \
--cc=bcm-kernel-feedback-list@broadcom.com \
--cc=computersforpeace@gmail.com \
--cc=devicetree@vger.kernel.org \
--cc=f.fainelli@gmail.com \
--cc=galak@codeaurora.org \
--cc=gnurou@gmail.com \
--cc=ijc+devicetree@hellion.org.uk \
--cc=linus.walleij@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-gpio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@arm.linux.org.uk \
--cc=mark.rutland@arm.com \
--cc=pawel.moll@arm.com \
--cc=robh+dt@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).