[PATCH 4.14 038/242] gpio: mvebu: fix potential user-after-free on probe

From: Greg Kroah-Hartman
Date: Mon Dec 28 2020 - 11:26:42 EST


From: Baruch Siach <baruch@xxxxxxxxxx>

[ Upstream commit 7ee1a01e47403f72b9f38839a737692f6991263e ]

When mvebu_pwm_probe() fails IRQ domain is not released. Move pwm probe
before IRQ domain allocation. Add pwm cleanup code to the failure path.

Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support")
Reported-by: Andrew Lunn <andrew@xxxxxxx>
Signed-off-by: Baruch Siach <baruch@xxxxxxxxxx>
Signed-off-by: Bartosz Golaszewski <bgolaszewski@xxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/gpio/gpio-mvebu.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/drivers/gpio/gpio-mvebu.c b/drivers/gpio/gpio-mvebu.c
index be85d4b39e997..fc762b4adcb22 100644
--- a/drivers/gpio/gpio-mvebu.c
+++ b/drivers/gpio/gpio-mvebu.c
@@ -1195,6 +1195,13 @@ static int mvebu_gpio_probe(struct platform_device *pdev)

devm_gpiochip_add_data(&pdev->dev, &mvchip->chip, mvchip);

+ /* Some MVEBU SoCs have simple PWM support for GPIO lines */
+ if (IS_ENABLED(CONFIG_PWM)) {
+ err = mvebu_pwm_probe(pdev, mvchip, id);
+ if (err)
+ return err;
+ }
+
/* Some gpio controllers do not provide irq support */
if (!have_irqs)
return 0;
@@ -1204,7 +1211,8 @@ static int mvebu_gpio_probe(struct platform_device *pdev)
if (!mvchip->domain) {
dev_err(&pdev->dev, "couldn't allocate irq domain %s (DT).\n",
mvchip->chip.label);
- return -ENODEV;
+ err = -ENODEV;
+ goto err_pwm;
}

err = irq_alloc_domain_generic_chips(
@@ -1252,14 +1260,12 @@ static int mvebu_gpio_probe(struct platform_device *pdev)
mvchip);
}

- /* Some MVEBU SoCs have simple PWM support for GPIO lines */
- if (IS_ENABLED(CONFIG_PWM))
- return mvebu_pwm_probe(pdev, mvchip, id);
-
return 0;

err_domain:
irq_domain_remove(mvchip->domain);
+err_pwm:
+ pwmchip_remove(&mvchip->mvpwm->chip);

return err;
}
--
2.27.0