From patchwork Thu Mar 29 18:29:12 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Timur Tabi X-Patchwork-Id: 892918 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=linux-gpio-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=codeaurora.org header.i=@codeaurora.org header.b="PVBQPIMS"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=codeaurora.org header.i=@codeaurora.org header.b="QxJW02+a"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 40BtZ95Y5Xz9s0b for ; Fri, 30 Mar 2018 05:29:21 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753278AbeC2S3T (ORCPT ); Thu, 29 Mar 2018 14:29:19 -0400 Received: from smtp.codeaurora.org ([198.145.29.96]:37716 "EHLO smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752980AbeC2S3Q (ORCPT ); Thu, 29 Mar 2018 14:29:16 -0400 Received: by smtp.codeaurora.org (Postfix, from userid 1000) id B19CF60C55; Thu, 29 Mar 2018 18:29:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1522348155; bh=0GmFc+ktQUaSaLfKZQEraszBF5MYsQ5jk1zHPFJftSg=; h=From:To:Cc:Subject:Date:From; b=PVBQPIMS3DmBC1lyU4V+GmYKtDNzcpWFe3lzA+GGNAg33hgTHDzD3JCJWgqNw0czw avXt/n87iceyFVlawmpT7K6FcJr+amBVbHjG0cyu4WdPQbPjHl67jVEoT3xW7ku0AN yvKM1g6WS/rkBKqe0M59GIih+jbzJ+RnGK4/6J1Y= X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on pdx-caf-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.8 required=2.0 tests=ALL_TRUSTED,BAYES_00, DKIM_SIGNED, T_DKIM_INVALID autolearn=no autolearn_force=no version=3.4.0 Received: from timur-ubuntu.qualcomm.com (i-global254.qualcomm.com [199.106.103.254]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: timur@smtp.codeaurora.org) by smtp.codeaurora.org (Postfix) with ESMTPSA id 7C5F7600D0; Thu, 29 Mar 2018 18:29:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1522348154; bh=0GmFc+ktQUaSaLfKZQEraszBF5MYsQ5jk1zHPFJftSg=; h=From:To:Cc:Subject:Date:From; b=QxJW02+anWn78t1zjMqUCJFzDnBlAZlyv9wBKwtgkwjCt+nRRx8F+qnDMhlxT4FJi 3dqjusRppa2onMEnABoi/3X5K/4QqbrKCVV/4Qiy6UfpZkYUMi6cUPAWzF0qdePFfZ gVkQRG2ylA0phXZat1FLEszcTbIYr9QvxlW++f8U= DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 7C5F7600D0 Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=timur@codeaurora.org From: Timur Tabi To: Linus Walleij , linux-gpio@vger.kernel.org, stable@vger.kernel.org Cc: timur@codeaurora.org Subject: [PATCH] gpioib: do not free unrequested descriptors Date: Thu, 29 Mar 2018 13:29:12 -0500 Message-Id: <1522348152-15024-1-git-send-email-timur@codeaurora.org> X-Mailer: git-send-email 1.9.1 Sender: linux-gpio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-gpio@vger.kernel.org If the main loop in linehandle_create() encounters an error, it unwinds completely by freeing all previously requested GPIO descriptors. However, if the error occurs in the beginning of the loop before that GPIO is requested, then the exit code attempts to free a null descriptor. If extrachecks is enabled, gpiod_free() triggers a WARN_ON. Instead, keep a separate count of legitimate GPIOs so that only those are freed. Cc: stable@vger.kernel.org Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines") Signed-off-by: Timur Tabi --- drivers/gpio/gpiolib.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 43aeb07343ec..d07771797707 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -497,7 +497,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) struct gpiohandle_request handlereq; struct linehandle_state *lh; struct file *file; - int fd, i, ret; + int fd, i, count = 0, ret; u32 lflags; if (copy_from_user(&handlereq, ip, sizeof(handlereq))) @@ -558,6 +558,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) if (ret) goto out_free_descs; lh->descs[i] = desc; + count = i; if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW) set_bit(FLAG_ACTIVE_LOW, &desc->flags); @@ -628,7 +629,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip) out_put_unused_fd: put_unused_fd(fd); out_free_descs: - for (; i >= 0; i--) + for (i = 0; i < count; i++) gpiod_free(lh->descs[i]); kfree(lh->label); out_free_lh: