From nobody Mon May 25 00:08:42 2026
Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com
 [205.220.168.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 85D4A3B95F8
	for <linux-kernel@vger.kernel.org>; Wed, 20 May 2026 08:49:16 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=205.220.168.131
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1779266957; cv=none;
 b=dmbPXJHQvXWl2YX9c2ay9JzfJjXctSH0D6CRW/lNFmvok45+/2IoRHxPEwlryh5ZP7tODvZbN8I7lIThJA5rfgkXKPYRLIHw0L1Rhma4xznNMwVMuCoaJx1c+7drDUVtWg+SwzyjPYtrgJk5VdEIFm4wsLn5/NrhGRRo5n7XyWM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1779266957; c=relaxed/simple;
	bh=WiCz7g91WpYB6xzS8HpLMaG7aEoTI14G5ZC41wwSH4I=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=i6SSdM21PfA+6gzaVCccw9kDWWykfR2bK8DDAKStrc8x6sdG/jFY2CvKR2cQLuCyiL9riVuMufFYQc2V0zDupr5/a0CNjSAVeRjd49bNYeR6+5i1mEw+LBvd8PmHfKCEbD0x/Bj4JGkz55y73lNZ+z2EZe90qZtwMscQID+eFq4=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com;
 spf=pass smtp.mailfrom=oss.qualcomm.com;
 dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com
 header.b=UCxI3SaB;
 dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com
 header.b=Qpwy8aGa; arc=none smtp.client-ip=205.220.168.131
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=oss.qualcomm.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com
 header.b="UCxI3SaB";
	dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com
 header.b="Qpwy8aGa"
Received: from pps.filterd (m0279866.ppops.net [127.0.0.1])
	by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id
 64K6rIn1629597
	for <linux-kernel@vger.kernel.org>; Wed, 20 May 2026 08:49:16 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h=
	cc:content-transfer-encoding:date:from:message-id:mime-version
	:subject:to; s=qcppdkim1; bh=iFYSJgra8c5vxgD8K+xt3jU8404bx8CrRy/
	AqEcbe0M=; b=UCxI3SaBvitSrjJOWY7C9Y18LDswRSiFwnwV2QfPp+DpuREsmRr
	oVx67GEN/b1JXqQun+cCaF9A4tyceDbnFABjDVHhRlTYx+G9XiHtofUhygwL1etR
	kH1SyvyQVcZQwI0q0ZmUS9H7bwZqWRsB8p/M0B8KYzxmBoUCA/pc8JafvsbK1RhH
	WkUDSYestDp2gzznuKlBzPXQLvoL6IcnISqc3kq1kSOpGshFEnHMuvxa8bsuzSx1
	rxuvM/4FJTCCxMkx7dNajILNmhQ1uTAVARaYgqLD5+TDDrvnk2nCTHF32ePE2nw0
	zz7DtQoqWFEqcknAqlfPgBSJWXD2/gVwf0g==
Received: from mail-qt1-f197.google.com (mail-qt1-f197.google.com
 [209.85.160.197])
	by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4e8t3nuwrv-1
	(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT)
	for <linux-kernel@vger.kernel.org>; Wed, 20 May 2026 08:49:15 +0000 (GMT)
Received: by mail-qt1-f197.google.com with SMTP id
 d75a77b69052e-514cbe73d00so147103671cf.1
        for <linux-kernel@vger.kernel.org>;
 Wed, 20 May 2026 01:49:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=oss.qualcomm.com; s=google; t=1779266955; x=1779871755;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=iFYSJgra8c5vxgD8K+xt3jU8404bx8CrRy/AqEcbe0M=;
        b=Qpwy8aGaZ+XZ3eQJwBO9cxU+wWp2BuVaF0dMFkg2bZxFNU0fXZVgSZ1tFeYDC597Ba
         l4UDzt6ZxjkAHA9hDk7rLNRr4gRi8/DXqENcpygBy2Erb6WhC/eYFxxZgCThnTbr/evA
         syKE4snJ5k51PLTjxqCH/mh+ZnYv9OgsNA8CVZqEhCXu43jeT96HMQuUJPvrzmQ1vSSf
         R6oeuvWm4A5e31mAeg3hdv/BP+BTx8cDMFrOXS1xc9caPqG2Br2lE+H5ZKEPHbDvsKlb
         Y+ZObonVmwO8hzlX18aKTSZ43Vz3NkGFk49lWCntIeMjQ3Dik+0VH8T03lEgx4x9dHhv
         x7NQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1779266955; x=1779871755;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=iFYSJgra8c5vxgD8K+xt3jU8404bx8CrRy/AqEcbe0M=;
        b=XHstXLq8MBPq6JQTYiUCdPM/CaNC85EpVBn5aJlmbwnE23BURDDWGGPpF1+HLdbmMw
         ryMMJAkfdiGw3Df9Uj/GrXLoSKI/SEFW5QFNN8sviMy/WMvmfy/oJU5PnOJ89z3UngYG
         NVP77BfDZ3Lv/DJ/vs/UNP+ze5yocITsjVViMCWzDnfJgZ4VV1zjOjhvn1LNlJ95nRUo
         2alczIZv6PFvHWysva84ldItgIeK6ph/fMATkwKgNmGTaTDjPsH+osaP6OS8Wg1tHloS
         6rCgofF4icTFuflNpbzFdmmnd2DFkWkpLslO6jv8EWr8i3bvETJ73pwp/xk0lX7Gu4DK
         fOwg==
X-Forwarded-Encrypted: i=1;
 AFNElJ9j34rctzPl293T/DWPMZMlMDe/HTrBEIPYah2VkSDCsBg1u6G/wRNyjWGIGt2tlakhvrSCMVsE0ptiGUs=@vger.kernel.org
X-Gm-Message-State: AOJu0Yx5qcR1kMamVgQMBsdsO3lGn4ZBxeRnyZTyghpLlB9l9hs7GEo8
	lT0TlsYmJHY+C5yNEGE4pmkGl4SFgkh1crxWVjFQo7Rpw1r74SBqn4LjVAGn49jsW2H8plPKb1G
	81P8As3+UgD+rjNrakaOQYjnUnMuIMsZpZHTZVZqUpveTC6ONzut2ocWQka09iZYSbrI=
X-Gm-Gg: Acq92OHyr98xwCBllp+DQnCVz8bLYgE2TbIoTybjxLfSH0FDtBxpTAPEsuDBBi16aNJ
	HvYHS8/kOwXX0KNbftoh4w2dKPcHXAx17md7eTg3pfXqyZZR8ywAIOveT4MM3mLJ2pIRMNG9o70
	kO5z3vCeCvg8XEDfkwqgCUJLcGoFlM+mplVkLIHHKr0SVDNntFp6cP5SCtxmI+/pKXaLrO19PIX
	tXX5Zb93Ob4Dwx7kqcNJeRojZG2TpbnkPNylN4FjTWe4WIQUelEIhxF7QVQV37qM/IcWtDI4PEY
	Hzn3xKM3KtMf2SaioJBD7IAihbP6e43ibIL2c/XlHyAtgI/kWdjLjAnEz5oMv3PqdwZWG+wMZk2
	EIN++VxRMhgXhOlCbWFakZvktuXb/LR+BwciUTf3qOnq5VIwqpA==
X-Received: by 2002:a05:622a:4085:b0:510:141d:9d03 with SMTP id
 d75a77b69052e-51659ff9d60mr338521561cf.7.1779266954900;
        Wed, 20 May 2026 01:49:14 -0700 (PDT)
X-Received: by 2002:a05:622a:4085:b0:510:141d:9d03 with SMTP id
 d75a77b69052e-51659ff9d60mr338521241cf.7.1779266954412;
        Wed, 20 May 2026 01:49:14 -0700 (PDT)
Received: from brgl-qcom.home ([2a01:cb1d:dc:7e00:9ec3:885a:6d78:48d0])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-45da0a17a22sm52480643f8f.22.2026.05.20.01.49.13
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 20 May 2026 01:49:13 -0700 (PDT)
From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
To: Geert Uytterhoeven <geert+renesas@glider.be>,
        Linus Walleij <linusw@kernel.org>,
        Bartosz Golaszewski <brgl@kernel.org>,
        Koichiro Den <koichiro.den@canonical.com>
Cc: linux-gpio@vger.kernel.org, linux-kernel@vger.kernel.org,
        Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Subject: [PATCH] gpio: aggregator: fix a potential use-after-free
Date: Wed, 20 May 2026 10:49:11 +0200
Message-ID: <20260520084911.27938-1-bartosz.golaszewski@oss.qualcomm.com>
X-Mailer: git-send-email 2.47.3
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNTIwMDA4NCBTYWx0ZWRfX8nD7QSDGLVP9
 InfyogqDGMGi5mRp/Z6OnT7SFSrhFrod0OLmlod8qTMjCs1VosQB6fe57ikxI4/I4yixdpUQVIt
 MMFYnBKzfLqjTGhoR71vFvMTVIyYdGYpxGnVb58/+srh2GlsyswNxhCIVTRCHrlLkV+ubfU4fxE
 +seozHVce5WZTzKO49B/Gacui4goRBUJwLK1/mR+awXrD3dsmgRYFfqC+GJcihP67ENbU+yvrM8
 GSojpFd3GxXiFAHhLt6caz01Mgjh38HE+gqWdxgg9tTP9cXpGTFFh3uqXEZPJLfJ8NmsfeAhCEX
 6l7X7HA1Y5B1Kd5QlSwUuNsWiN3N8sunEvhoKZzw19S5A2/D9x6sDbuhDv0k4+2KrK6sCNm0hC0
 87ElcfYoK0t8EOUGyAG5Z8cJUOoW+VI8geaHnbiqkx88AYRPXLpN5EatyLgEUoKMVA/Lzw7nH99
 KflfE3QdeIzabxO/i4w==
X-Proofpoint-GUID: 7m9Mp3yUa9COeAgFdQusHqlDdElKmxEo
X-Proofpoint-ORIG-GUID: 7m9Mp3yUa9COeAgFdQusHqlDdElKmxEo
X-Authority-Analysis: v=2.4 cv=Mr9iLWae c=1 sm=1 tr=0 ts=6a0d758b cx=c_pps
 a=EVbN6Ke/fEF3bsl7X48z0g==:117 a=xqWC_Br6kY4A:10 a=NGcC8JguVDcA:10
 a=s4-Qcg_JpJYA:10 a=VkNPw1HP01LnGYTKEx00:22 a=u7WPNUs3qKkmUXheDGA7:22
 a=YMgV9FUhrdKAYTUUvYB2:22 a=EUspDBNiAAAA:8 a=IYF4p_Y9mJ23m3Ro410A:9
 a=a_PwQJl-kcHnX1M80qC6:22
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49
 definitions=2026-05-20_01,2026-05-18_01,2025-10-01_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 lowpriorityscore=0 adultscore=0 priorityscore=1501 malwarescore=0
 clxscore=1015 bulkscore=0 impostorscore=0 spamscore=0 phishscore=0
 suspectscore=0 classifier=typeunknown authscore=0 authtc= authcc=
 route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2605130000
 definitions=main-2605200084
Content-Type: text/plain; charset="utf-8"

On error we free aggr->lookups->dev_id before removing the entry from
the lookup table. If a concurrent thread calls gpiod_find() before we
remove the entry, it could iterate over the list and call
gpiod_match_lookup_table() which unconditionally dereferences dev_id
when calling strcmp(). Reverse the order of cleanup.

Fixes: 86f162e73d2d ("gpio: aggregator: introduce basic configfs interface")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
---
 drivers/gpio/gpio-aggregator.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpio/gpio-aggregator.c b/drivers/gpio/gpio-aggregator.c
index 5915209e1e21..b53230065f50 100644
--- a/drivers/gpio/gpio-aggregator.c
+++ b/drivers/gpio/gpio-aggregator.c
@@ -979,8 +979,8 @@ static int gpio_aggregator_activate(struct gpio_aggrega=
tor *aggr)
 err_unregister_pdev:
 	platform_device_unregister(pdev);
 err_remove_lookup_table:
-	kfree(aggr->lookups->dev_id);
 	gpiod_remove_lookup_table(aggr->lookups);
+	kfree(aggr->lookups->dev_id);
 err_remove_swnode:
 	fwnode_remove_software_node(swnode);
 err_remove_lookups:
--=20
2.47.3