Commit 30c073ca authored by Bartosz Golaszewski's avatar Bartosz Golaszewski
Browse files

gpio: aggregator: fix a potential use-after-free 



On error we free aggr->lookups->dev_id before removing the entry from
the lookup table. If a concurrent thread calls gpiod_find() before we
remove the entry, it could iterate over the list and call
gpiod_match_lookup_table() which unconditionally dereferences dev_id
when calling strcmp(). Reverse the order of cleanup.

Fixes: 86f162e7 ("gpio: aggregator: introduce basic configfs interface")
Reviewed-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20260520084911.27938-1-bartosz.golaszewski@oss.qualcomm.com


Signed-off-by: default avatarBartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
parent 3e6ccd79

drivers/gpio/gpio-aggregator.c

+1 −1
Original line number Diff line number Diff line
@@ -979,8 +979,8 @@ static int gpio_aggregator_activate(struct gpio_aggregator *aggr) 
err_unregister_pdev:

	platform_device_unregister(pdev);

err_remove_lookup_table:

	kfree(aggr->lookups->dev_id);

	gpiod_remove_lookup_table(aggr->lookups);

	kfree(aggr->lookups->dev_id);

err_remove_swnode:

	fwnode_remove_software_node(swnode);

err_remove_lookups: