mainline inclusion from mainline-v6.9-rc7 commit a0cedbcc8852d6c77b00634b81e41f17f29d9404 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U3W9 CVE: CVE-2024-36959
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
----------------------------------------------------
If we fail to allocate propname buffer, we need to drop the reference count we just took. Because the pinctrl_dt_free_maps() includes the droping operation, here we call it directly.
Fixes: 91d5c5060ee2 ("pinctrl: devicetree: fix null pointer dereferencing in pinctrl_dt_to_map") Suggested-by: Dan Carpenter dan.carpenter@linaro.org Signed-off-by: Zeng Heng zengheng4@huawei.com Reviewed-by: Dan Carpenter dan.carpenter@linaro.org Message-ID: 20240415105328.3651441-1-zengheng4@huawei.com Signed-off-by: Linus Walleij linus.walleij@linaro.org --- drivers/pinctrl/devicetree.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/pinctrl/devicetree.c b/drivers/pinctrl/devicetree.c index 177ee1136e34..01cc09e2bccb 100644 --- a/drivers/pinctrl/devicetree.c +++ b/drivers/pinctrl/devicetree.c @@ -235,12 +235,16 @@ int pinctrl_dt_to_map(struct pinctrl *p, struct pinctrl_dev *pctldev) for (state = 0; ; state++) { /* Retrieve the pinctrl-* property */ propname = kasprintf(GFP_KERNEL, "pinctrl-%d", state); + if (!propname) { + ret = -ENOMEM; + goto err; + } prop = of_find_property(np, propname, &size); kfree(propname); if (!prop) { if (state == 0) { - of_node_put(np); - return -ENODEV; + ret = -ENODEV; + goto err; } break; }