From: Geert Uytterhoeven <geert+renesas@glider.be>
To: Linus Walleij <linus.walleij@linaro.org>,
	Alexandre Courbot <gnurou@gmail.com>
Cc: linux-gpio@vger.kernel.org, linux-renesas-soc@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Geert Uytterhoeven <geert+renesas@glider.be>
Subject: [PATCH -next] gpio: Use kzalloc() to allocate struct gpio_device to fix crash
Date: Tue, 16 Feb 2016 11:22:51 +0100
Message-ID: <1455618171-11719-1-git-send-email-geert+renesas@glider.be>

gpiochip_add_data() allocates the struct gpio_device using kmalloc(),
which doesn't zero the returned memory.

Hence when calling dev_set_name(), it may try to free a bogus old name,
causing a crash:

    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    ...
    Backtrace:
    [<c01c9258>] (kfree) from [<c01a701c>] (kfree_const+0x28/0x34)
     r9:eea77210 r8:ffffffff r7:00000001 r6:eea77008 r5:eea77010 r4:ee13afc0
    [<c01a6ff4>] (kfree_const) from [<c02c47cc>] (kobject_set_name_vargs+0x90/0xa0)
    [<c02c473c>] (kobject_set_name_vargs) from [<c038b374>] (dev_set_name+0x28/0x30)
     r6:eea77008 r5:eea7721c r4:eea77000 r3:00001743
    [<c038b350>] (dev_set_name) from [<c02ed200>] (gpiochip_add_data+0xa8/0x5e4)
     r3:00001743 r2:00000001 r1:c083b195
    [<c02ed158>] (gpiochip_add_data) from [<c02f0890>] (gpio_rcar_probe+0x228/0x344)
     r10:ee922e9c r9:ee922e00 r8:0000001a r7:eea7721c r6:ee90e010 r5:ee922e80
     r4:eea77210
    [<c02f0668>] (gpio_rcar_probe) from [<c0390220>] (platform_drv_probe+0x58/0xa8)

Use kzalloc() instead of kmalloc() to fix this.

See also the comment for device_initialize():

    All fields in @dev must be initialized by the caller to 0, except
    for those explicitly set to some other value.  The simplest
    approach is to use kzalloc() to allocate the structure containing
    @dev.

Fixes: ff2b135922992756 ("gpio: make the gpiochip a real device")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
---
 drivers/gpio/gpiolib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index aa4a60e19339b8b5..dc49ba3fe5acf089 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -435,7 +435,7 @@ int gpiochip_add_data(struct gpio_chip *chip, void *data)
 	 * First: allocate and populate the internal stat container, and
 	 * set up the struct device.
 	 */
-	gdev = kmalloc(sizeof(*gdev), GFP_KERNEL);
+	gdev = kzalloc(sizeof(*gdev), GFP_KERNEL);
 	if (!gdev)
 		return -ENOMEM;
 	gdev->dev.bus = &gpio_bus_type;
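Review bot: in the first context line of this hunk, the comment's "internal stat container" reads like a typo for "state container"; since the patch touches the allocation that comment describes, a follow-up cleanup could correct it. On the changed line itself, zeroing the whole struct gpio_device rather than clearing only the name is the right scope, because the hunk shows only gdev->dev.bus being set after the allocation and the quoted device_initialize() comment requires every other field of the embedded device to be 0. If code further down in gpiochip_add_data(), outside the visible lines, still assigns 0 or NULL to gdev fields, those assignments are now redundant and can be dropped.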
-- 
1.9.1

