From: Frank Rowand <frank.rowand@sonymobile.com>
To: linus.walleij@linaro.org
Cc: grant.likely@linaro.org, linux-gpio@vger.kernel.org,
linux-kernel@vger.kernel.org, tim.bird@sonymobile.com
Subject: [PATCH] gpio: null pointer dereference in error handling in gpiolib.c
Date: Thu, 29 Aug 2013 22:10:32 -0700 [thread overview]
Message-ID: <52202948.7010303@sonymobile.com> (raw)
Avoid calling desc_to_gpio() if desc->chip is NULL, as this will
cause a kernel panic.
In the code above the calls, there is a test for !chip, which
comes to the 'fail' label if true. In this case, the code
panics, since desc_to_gpio() uses desc->chip to look up the
gpio number.
An RFC patch that explained the cause of one example of panic when
desc->chip is NULL and fixed that example
(http://lkml.indiana.edu/hypermail/linux/kernel/1308.3/01473.html)
was accepted. This patch fixes the remaining locations which have
the same problem.
Signed-off-by: Frank Rowand <frank.rowand@sonymobile.com>
---
drivers/gpio/gpiolib.c | 33 24 + 9 - 0 !
1 file changed, 24 insertions(+), 9 deletions(-)
Index: b/drivers/gpio/gpiolib.c
===================================================================
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -1676,9 +1676,14 @@ lose:
return status;
fail:
spin_unlock_irqrestore(&gpio_lock, flags);
- if (status)
- pr_debug("%s: gpio-%d status %d\n", __func__,
- desc_to_gpio(desc), status);
+ if (status) {
+ if (desc->chip) {
+ pr_debug("%s: gpio-%d status %d\n", __func__,
+ desc_to_gpio(desc), status);
+ } else {
+ pr_debug("%s: gpio-?? status %d\n", __func__, status);
+ }
+ }
return status;
}
@@ -1745,9 +1750,14 @@ lose:
return status;
fail:
spin_unlock_irqrestore(&gpio_lock, flags);
- if (status)
- pr_debug("%s: gpio-%d status %d\n", __func__,
- desc_to_gpio(desc), status);
+ if (status) {
+ if (desc->chip) {
+ pr_debug("%s: gpio-%d status %d\n", __func__,
+ desc_to_gpio(desc), status);
+ } else {
+ pr_debug("%s: gpio-?? status %d\n", __func__, status);
+ }
+ }
return status;
}
@@ -1795,9 +1805,14 @@ static int gpiod_set_debounce(struct gpi
fail:
spin_unlock_irqrestore(&gpio_lock, flags);
- if (status)
- pr_debug("%s: gpio-%d status %d\n", __func__,
- desc_to_gpio(desc), status);
+ if (status) {
+ if (desc->chip) {
+ pr_debug("%s: gpio-%d status %d\n", __func__,
+ desc_to_gpio(desc), status);
+ } else {
+ pr_debug("%s: gpio-?? status %d\n", __func__, status);
+ }
+ }
return status;
}
next reply other threads:[~2013-08-30 5:10 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-30 5:10 Frank Rowand [this message]
2013-08-30 7:29 ` [PATCH] gpio: null pointer dereference in error handling in gpiolib.c Linus Walleij
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52202948.7010303@sonymobile.com \
--to=frank.rowand@sonymobile.com \
--cc=frowand.list@gmail.com \
--cc=grant.likely@linaro.org \
--cc=linus.walleij@linaro.org \
--cc=linux-gpio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tim.bird@sonymobile.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).