From c459c4eb0aa207ef691a7035fe2a2eba4a1582c8 Mon Sep 17 00:00:00 2001 From: Zeng Heng Date: Wed, 12 Jun 2024 11:18:28 +0800 Subject: [PATCH] pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map() mainline inclusion from mainline-v6.9-rc7 commit a0cedbcc8852d6c77b00634b81e41f17f29d9404 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U3W9 CVE: CVE-2024-36959 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a0cedbcc8852d6c77b00634b81e41f17f29d9404 ---------------------------------------------------- If we fail to allocate propname buffer, we need to drop the reference count we just took. Because the pinctrl_dt_free_maps() includes the droping operation, here we call it directly. Fixes: 91d5c5060ee2 ("pinctrl: devicetree: fix null pointer dereferencing in pinctrl_dt_to_map") Suggested-by: Dan Carpenter Signed-off-by: Zeng Heng Reviewed-by: Dan Carpenter Message-ID: <20240415105328.3651441-1-zengheng4@huawei.com> Signed-off-by: Linus Walleij Conflicts: drivers/pinctrl/devicetree.c [Resolve conflicts due to several refactor patches not merged.] Signed-off-by: Zeng Heng --- drivers/pinctrl/devicetree.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/pinctrl/devicetree.c b/drivers/pinctrl/devicetree.c index 177ee1136e34..01cc09e2bccb 100644 --- a/drivers/pinctrl/devicetree.c +++ b/drivers/pinctrl/devicetree.c @@ -235,12 +235,16 @@ int pinctrl_dt_to_map(struct pinctrl *p, struct pinctrl_dev *pctldev) for (state = 0; ; state++) { /* Retrieve the pinctrl-* property */ propname = kasprintf(GFP_KERNEL, "pinctrl-%d", state); + if (!propname) { + ret = -ENOMEM; + goto err; + } prop = of_find_property(np, propname, &size); kfree(propname); if (!prop) { if (state == 0) { - of_node_put(np); - return -ENODEV; + ret = -ENODEV; + goto err; } break; } -- Gitee
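Review bot: both new `goto err` exits (the `if (!propname)` check and the `state == 0` branch under `if (!prop)`) rely on an `err` label that lies outside this hunk, so the diff alone does not show that the reference on `np` is dropped exactly once. The `-ENODEV` path used to call `of_node_put(np)` inline, and this is a backport whose conflicts were resolved by hand because several refactor patches are not merged. Please confirm that in this tree `err:` reaches `pinctrl_dt_free_maps()`, that this tree's version of that function performs the `of_node_put()` the commit message relies on, and that it is safe to call at `state == 0` before any map entry has been added. A sentence in the conflict note stating where the put happens in this branch would make the backport easier to audit.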