The use of kmalloc() to allocate the gpio_device leaves the contained struct
device object in an unknown state. Calling dev_set_name() on a struct device
of unknown state can trigger the free() of an invalid pointer, as seen in the
following backtrace (collected by Tony Lindgren):
kfree
kobject_set_name_vargs
dev_set_name
gpiochip_add_data
omap_gpio_probe
platform_drv_probe
...
Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reported-by: Michael Welling <mwelling@ieee.org>
Reported-by: Tony Lindgren <tony@atomide.com>
Tested-by: Michael Welling <mwelling@ieee.org>
Tested-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Josh Cartwright <joshc@ni.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
* First: allocate and populate the internal stat container, and
* set up the struct device.
*/
- gdev = kmalloc(sizeof(*gdev), GFP_KERNEL);
+ gdev = kzalloc(sizeof(*gdev), GFP_KERNEL);
if (!gdev)
return -ENOMEM;
gdev->dev.bus = &gpio_bus_type;