[PATCH v2] pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()

Zeng Heng posted 1 patch 2 weeks, 1 day ago
There is a newer version of this series
drivers/pinctrl/devicetree.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
[PATCH v2] pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()
Posted by Zeng Heng 2 weeks, 1 day ago
If we fail to allocate the propname buffer, we need to drop the reference
count we just took, otherwise it will lead to a reference leak. Here the
error exit path is modified to jump to the err label and call
pinctrl_dt_free_maps() which would drop the counter.

In the meantime, if it is found that the property 'pinctrl-0' is not
present, ENODEV is returned and we also jump to the err label and call the
free function, in case the Smatch tool complains.

Fixes: 91d5c5060ee2 ("pinctrl: devicetree: fix null pointer dereferencing in pinctrl_dt_to_map")
Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Zeng Heng <zengheng4@huawei.com>
---
 drivers/pinctrl/devicetree.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/pinctrl/devicetree.c b/drivers/pinctrl/devicetree.c
index df1efc2e5202..37069e40af2b 100644
--- a/drivers/pinctrl/devicetree.c
+++ b/drivers/pinctrl/devicetree.c
@@ -220,14 +220,17 @@ int pinctrl_dt_to_map(struct pinctrl *p, struct pinctrl_dev *pctldev)
 	for (state = 0; ; state++) {
 		/* Retrieve the pinctrl-* property */
 		propname = kasprintf(GFP_KERNEL, "pinctrl-%d", state);
-		if (!propname)
-			return -ENOMEM;
+		if (!propname) {
+			ret = -ENOMEM;
+			goto err;
+		}
 		prop = of_find_property(np, propname, &size);
 		kfree(propname);
 		if (!prop) {
 			if (state == 0) {
-				of_node_put(np);
-				return -ENODEV;
+				/* Return -ENODEV if the property 'pinctrl-0' is not present. */
+				ret = -ENODEV;
+				goto err;
 			}
 			break;
 		}
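Review bot: in the state == 0 branch the explicit of_node_put(np) is removed in favour of goto err, but the err label is outside this hunk, so nothing visible here shows that np is put exactly once on that path. The commit message says the label calls pinctrl_dt_free_maps(), which is meant to drop the reference; it would help to say explicitly that this is the only put on the error path and that pinctrl_dt_free_maps() is safe to call when state == 0 and no map has been parsed yet, since the old -ENODEV path never called it. The same applies to the new -ENOMEM path, which can be reached on the first iteration. The added comment "Return -ENODEV if the property 'pinctrl-0' is not present." restates the two lines below it; a comment saying why the branch goes through err instead of returning directly (the node reference is released there) would be more useful. As noted in the reply, a v1 to v2 changelog under the "---" line is also missing.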
-- 
2.25.1
Re: [PATCH v2] pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()
Posted by Andy Shevchenko 2 weeks, 1 day ago
On Thu, Apr 18, 2024 at 07:34:59PM +0800, Zeng Heng wrote:
> If we fail to allocate the propname buffer, we need to drop the reference
> count we just took, otherwise it will lead to a reference leak. Here the
> error exit path is modified to jump to the err label and call
> pinctrl_dt_free_maps() which would drop the counter.
> 
> In the meantime, if it is found that the property 'pinctrl-0' is not
> present, ENODEV is returned and we also jump to the err label and call the
> free function, in case the Smatch tool complains.

> ---

You forgot a changelog, but I think this needs to be a followup.

-- 
With Best Regards,
Andy Shevchenko
Re: [PATCH v2] pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()
Posted by Zeng Heng 2 weeks, 1 day ago
On 2024/4/18 19:41, Andy Shevchenko wrote:
> On Thu, Apr 18, 2024 at 07:34:59PM +0800, Zeng Heng wrote:
>> If we fail to allocate the propname buffer, we need to drop the reference
>> count we just took, otherwise it will lead to a reference leak. Here the
>> error exit path is modified to jump to the err label and call
>> pinctrl_dt_free_maps() which would drop the counter.
>>
>> In the meantime, if it is found that the property 'pinctrl-0' is not
>> present, ENODEV is returned and we also jump to the err label and call the
>> free function, in case the Smatch tool complains.
>> ---
> You forgot a changelog, but I think this needs to be a followup.

Oops, the resend patch would come soon.


Thanks,

Zeng Heng