1. Patchew
  2. linux
  3. View series

[PATCH next] gpio: sysfs: Fix an end of loop test in gpiod_unexport()

Dan Carpenter posted 1 patch 2 months, 2 weeks ago 
drivers/gpio/gpiolib-sysfs.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
[PATCH next] gpio: sysfs: Fix an end of loop test in gpiod_unexport()
Posted by Dan Carpenter 2 months, 2 weeks ago 
The test for "if (!desc_data)" does not work correctly because the list
iterator in a list_for_each_entry() loop is always non-NULL. If we don't
exit via a break, then it points to invalid memory.  Instead, use a tmp
variable for the list iterator and only set the "desc_data" when we have
found a match.

Fixes: 1cd53df733c2 ("gpio: sysfs: don't look up exported lines as class devices")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/gpio/gpiolib-sysfs.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/gpio/gpiolib-sysfs.c b/drivers/gpio/gpiolib-sysfs.c
index f31adc56bef1..b64106f1cb7b 100644
--- a/drivers/gpio/gpiolib-sysfs.c
+++ b/drivers/gpio/gpiolib-sysfs.c
@@ -927,7 +927,7 @@ EXPORT_SYMBOL_GPL(gpiod_export_link);
  */
 void gpiod_unexport(struct gpio_desc *desc)
 {
-	struct gpiod_data *desc_data = NULL;
+	struct gpiod_data *tmp, *desc_data = NULL;
 	struct gpiodev_data *gdev_data;
 	struct gpio_device *gdev;
 
@@ -945,9 +945,12 @@ void gpiod_unexport(struct gpio_desc *desc)
 		if (!gdev_data)
 			return;
 
-		list_for_each_entry(desc_data, &gdev_data->exported_lines, list)
-			if (gpiod_is_equal(desc, desc_data->desc))
+		list_for_each_entry(tmp, &gdev_data->exported_lines, list) {
+			if (gpiod_is_equal(desc, tmp->desc)) {
+				desc_data = tmp;
 				break;
+			}
+		}
 
 		if (!desc_data)
 			return;
-- 
2.47.2
Re: [PATCH next] gpio: sysfs: Fix an end of loop test in gpiod_unexport()
Posted by Bartosz Golaszewski 2 months, 2 weeks ago 
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>


On Fri, 18 Jul 2025 16:22:15 -0500, Dan Carpenter wrote:
> The test for "if (!desc_data)" does not work correctly because the list
> iterator in a list_for_each_entry() loop is always non-NULL. If we don't
> exit via a break, then it points to invalid memory.  Instead, use a tmp
> variable for the list iterator and only set the "desc_data" when we have
> found a match.
> 
> 
> [...]

Thanks for catching it. This is not obvious because in normal circumstances
we'll always find a matching descriptor and exit the loop via break so it's
hard to trigger a bug this way. Anyway, the patch is correct so applied.

[1/1] gpio: sysfs: Fix an end of loop test in gpiod_unexport()
      https://git.kernel.org/brgl/linux/c/5607f5ed3c5f30f41e72ce09c8e616af0fc0d474

Best regards,
-- 
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.