gpio: swnode: Don't use __free() on result of swnode_get_gpio_device()
Commit Message
swnode_get_gpio_device() can return an error pointer, however
gpio_device_put() is not able to accept error values. Thus using
__free() will result in dereferencing an invalid pointer.
As there is only a single exit point anyway, simply call
gpio_device_put() manually. Whilst modifying the code move
the variable declaration to the top of the function, and move
fwnode_handle_put() until after the error check. Technically
fwnode_handle_put() will handle being passed an error value, but
no need to call it when the code knows it doesn't need to.
Fixes: b7b56e64a345 ("gpio: swnode: replace gpiochip_find() with gpio_device_find_by_label()")
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
---
drivers/gpio/gpiolib-swnode.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
Comments
On Mon, Mar 04, 2024 at 05:34:27PM +0100, Bartosz Golaszewski wrote:
> On Mon, Mar 4, 2024 at 5:03 PM Charles Keepax
> <ckeepax@opensource.cirrus.com> wrote:
> >
> > swnode_get_gpio_device() can return an error pointer, however
> > gpio_device_put() is not able to accept error values. Thus using
> > __free() will result in dereferencing an invalid pointer.
> >
>
> Can you post the steps to reproduce this? Because it should work[1].
Hmm... yeah that does look like it should work, I have had the
patch sitting in my tree for a little while, let me double check
and I will come back/resend if it is actually still needed.
Thanks,
Charles
@@ -50,6 +50,7 @@ struct gpio_desc *swnode_find_gpio(struct fwnode_handle *fwnode,
{
const struct software_node *swnode;
struct fwnode_reference_args args;
+ struct gpio_device *gdev;
struct gpio_desc *desc;
char propname[32]; /* 32 is max size of property name */
int error;
@@ -71,12 +72,12 @@ struct gpio_desc *swnode_find_gpio(struct fwnode_handle *fwnode,
return ERR_PTR(error);
}
- struct gpio_device *gdev __free(gpio_device_put) =
- swnode_get_gpio_device(args.fwnode);
- fwnode_handle_put(args.fwnode);
+ gdev = swnode_get_gpio_device(args.fwnode);
if (IS_ERR(gdev))
return ERR_CAST(gdev);
+ fwnode_handle_put(args.fwnode);
+
/*
* FIXME: The GPIO device reference is put at return but the descriptor
* is passed on. Find a proper solution.
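Review bot: moving fwnode_handle_put(args.fwnode) below the IS_ERR(gdev) check means the early "return ERR_CAST(gdev);" now exits without dropping the reference held in args.fwnode, which the removed lines released on every path. The error value at this point is in gdev, not in args.fwnode, so the commit message's reasoning that fwnode_handle_put() need not be called on an error value does not cover this call. Suggest keeping fwnode_handle_put(args.fwnode) directly after swnode_get_gpio_device(args.fwnode), ahead of the check, or adding a put on the error path.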
@@ -87,6 +88,8 @@ struct gpio_desc *swnode_find_gpio(struct fwnode_handle *fwnode,
pr_debug("%s: parsed '%s' property of node '%pfwP[%d]' - status (%d)\n",
__func__, propname, fwnode, idx, PTR_ERR_OR_ZERO(desc));
+ gpio_device_put(gdev);
+
return desc;
}
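Review bot: the gpio_device_put(gdev) added before "return desc;" is only correct while no other return exists between the IS_ERR(gdev) check and this line, and those intervening lines are not part of the diff, so any exit added there later will leak the device reference that __free() used to drop automatically. A short comment at the assignment noting that gdev must be put on every exit would help. The descriptor is also still returned after the device reference is dropped, as the FIXME in the previous hunk describes, so the commit message should say that this lifetime issue is deliberately left unchanged.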