From patchwork Tue Feb 16 10:22:51 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Geert Uytterhoeven X-Patchwork-Id: 583306 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 8002D140273 for ; Tue, 16 Feb 2016 21:23:00 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754662AbcBPKW6 (ORCPT ); Tue, 16 Feb 2016 05:22:58 -0500 Received: from laurent.telenet-ops.be ([195.130.137.89]:42928 "EHLO laurent.telenet-ops.be" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754551AbcBPKW5 (ORCPT ); Tue, 16 Feb 2016 05:22:57 -0500 Received: from ayla.of.borg ([84.195.106.123]) by laurent.telenet-ops.be with bizsmtp id JyNs1s00L2fm56U01yNsZi; Tue, 16 Feb 2016 11:22:52 +0100 Received: from ramsan.of.borg ([192.168.97.29] helo=ramsan) by ayla.of.borg with esmtp (Exim 4.82) (envelope-from ) id 1aVcmS-0001Ur-4s; Tue, 16 Feb 2016 11:22:52 +0100 Received: from geert by ramsan with local (Exim 4.82) (envelope-from ) id 1aVcmS-00033c-SV; Tue, 16 Feb 2016 11:22:52 +0100 From: Geert Uytterhoeven To: Linus Walleij , Alexandre Courbot Cc: linux-gpio@vger.kernel.org, linux-renesas-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Geert Uytterhoeven Subject: [PATCH -next] gpio: Use kzalloc() to allocate struct gpio_device to fix crash Date: Tue, 16 Feb 2016 11:22:51 +0100 Message-Id: <1455618171-11719-1-git-send-email-geert+renesas@glider.be> X-Mailer: git-send-email 1.9.1 Sender: linux-gpio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-gpio@vger.kernel.org gpiochip_add_data() allocates the struct gpio_device using kmalloc(), which doesn't zero the returned memory. Hence when calling dev_set_name(), it may try to free a bogus old name, causing a crash: Unable to handle kernel NULL pointer dereference at virtual address 00000000 ... Backtrace: [] (kfree) from [] (kfree_const+0x28/0x34) r9:eea77210 r8:ffffffff r7:00000001 r6:eea77008 r5:eea77010 r4:ee13afc0 [] (kfree_const) from [] (kobject_set_name_vargs+0x90/0xa0) [] (kobject_set_name_vargs) from [] (dev_set_name+0x28/0x30) r6:eea77008 r5:eea7721c r4:eea77000 r3:00001743 [] (dev_set_name) from [] (gpiochip_add_data+0xa8/0x5e4) r3:00001743 r2:00000001 r1:c083b195 [] (gpiochip_add_data) from [] (gpio_rcar_probe+0x228/0x344) r10:ee922e9c r9:ee922e00 r8:0000001a r7:eea7721c r6:ee90e010 r5:ee922e80 r4:eea77210 [] (gpio_rcar_probe) from [] (platform_drv_probe+0x58/0xa8) Use kzalloc() instead of kmalloc() to fix this. See also the comment for device_initialize(): All fields in @dev must be initialized by the caller to 0, except for those explicitly set to some other value. The simplest approach is to use kzalloc() to allocate the structure containing @dev. Fixes: ff2b135922992756 ("gpio: make the gpiochip a real device") Signed-off-by: Geert Uytterhoeven --- drivers/gpio/gpiolib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index aa4a60e19339b8b5..dc49ba3fe5acf089 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -435,7 +435,7 @@ int gpiochip_add_data(struct gpio_chip *chip, void *data) * First: allocate and populate the internal stat container, and * set up the struct device. */ - gdev = kmalloc(sizeof(*gdev), GFP_KERNEL); + gdev = kzalloc(sizeof(*gdev), GFP_KERNEL); if (!gdev) return -ENOMEM; gdev->dev.bus = &gpio_bus_type;