gpioib: do not free unrequested descriptors
authorTimur Tabi <timur@codeaurora.org>
Thu, 29 Mar 2018 18:29:12 +0000 (13:29 -0500)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 16 May 2018 08:10:26 +0000 (10:10 +0200)
commit ab3dbcf78f60f46d6a0ad63b1f4b690b7a427140 upstream.

If the main loop in linehandle_create() encounters an error, it
unwinds completely by freeing all previously requested GPIO
descriptors.  However, if the error occurs in the beginning of
the loop before that GPIO is requested, then the exit code
attempts to free a null descriptor.  If extrachecks is enabled,
gpiod_free() triggers a WARN_ON.

Instead, keep a separate count of legitimate GPIOs so that only
those are freed.

Cc: stable@vger.kernel.org
Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines")
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Timur Tabi <timur@codeaurora.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/gpio/gpiolib.c

index b4c8b25453a6800047954bcaf5bd58b5acdbd6db..65f751adb1cd7592f48c54b0ca48e14781c5cf57 100644 (file)
@@ -443,7 +443,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip)
        struct gpiohandle_request handlereq;
        struct linehandle_state *lh;
        struct file *file;
-       int fd, i, ret;
+       int fd, i, count = 0, ret;
 
        if (copy_from_user(&handlereq, ip, sizeof(handlereq)))
                return -EFAULT;
@@ -489,6 +489,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip)
                if (ret)
                        goto out_free_descs;
                lh->descs[i] = desc;
+               count = i;
 
                if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW)
                        set_bit(FLAG_ACTIVE_LOW, &desc->flags);
@@ -555,7 +556,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip)
 out_put_unused_fd:
        put_unused_fd(fd);
 out_free_descs:
-       for (; i >= 0; i--)
+       for (i = 0; i < count; i++)
                gpiod_free(lh->descs[i]);
        kfree(lh->label);
 out_free_lh: