| Message ID | 585795d19c13a7136bc4b61307114591af2aea69.1657279521.git.viresh.kumar@linaro.org |
|---|---|
| State | New |
| Headers | show |
| Series | gpiolib: cdev: Don't access uninitialized descriptor | expand |
diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c index f5aa5f93342a..d3d1b5aed282 100644 --- a/drivers/gpio/gpiolib-cdev.c +++ b/drivers/gpio/gpiolib-cdev.c @@ -1460,11 +1460,13 @@ static ssize_t linereq_read(struct file *file, static void linereq_free(struct linereq *lr) { unsigned int i; - bool hte; + bool hte = false; for (i = 0; i < lr->num_lines; i++) { - hte = !!test_bit(FLAG_EVENT_CLOCK_HTE, - &lr->lines[i].desc->flags); + if (lr->lines[i].desc) { + hte = !!test_bit(FLAG_EVENT_CLOCK_HTE, + &lr->lines[i].desc->flags); + } edge_detector_stop(&lr->lines[i], hte); if (lr->lines[i].desc) gpiod_free(lr->lines[i].desc);
linereq_free() can be called from in the middle of errors, where the descriptor may be NULL for few lines. Don't access uninitialized descriptor pointer as it leads to kernel crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 [...] Call trace: linereq_free+0x54/0xb8 linereq_create+0x424/0x570 gpio_ioctl+0x94/0x640 __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x44/0x100 el0_svc_common.constprop.3+0x6c/0xf0 do_el0_svc+0x2c/0xb8 el0_svc+0x20/0x60 el0t_64_sync_handler+0x98/0xc0 el0t_64_sync+0x170/0x174 Fixes: 2068339a6c35 ("gpiolib: cdev: Add hardware timestamp clock type") Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> --- drivers/gpio/gpiolib-cdev.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)