From patchwork Tue Feb 16 10:22:51 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Geert Uytterhoeven <geert+renesas@glider.be>
X-Patchwork-Id: 8323781
X-Patchwork-Delegate: geert@linux-m68k.org
Return-Path: <linux-renesas-soc-owner@kernel.org>
X-Original-To: patchwork-linux-renesas-soc@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id DC008C02AA
	for <patchwork-linux-renesas-soc@patchwork.kernel.org>;
	Tue, 16 Feb 2016 10:23:20 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 42EF8202E5
	for <patchwork-linux-renesas-soc@patchwork.kernel.org>;
	Tue, 16 Feb 2016 10:23:20 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 904D020295
	for <patchwork-linux-renesas-soc@patchwork.kernel.org>;
	Tue, 16 Feb 2016 10:23:19 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754673AbcBPKW7 (ORCPT
	<rfc822;patchwork-linux-renesas-soc@patchwork.kernel.org>);
	Tue, 16 Feb 2016 05:22:59 -0500
Received: from laurent.telenet-ops.be ([195.130.137.89]:42927 "EHLO
	laurent.telenet-ops.be" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754576AbcBPKW5 (ORCPT
	<rfc822;linux-renesas-soc@vger.kernel.org>);
	Tue, 16 Feb 2016 05:22:57 -0500
Received: from ayla.of.borg ([84.195.106.123])
	by laurent.telenet-ops.be with bizsmtp
	id JyNs1s00L2fm56U01yNsZi; Tue, 16 Feb 2016 11:22:52 +0100
Received: from ramsan.of.borg ([192.168.97.29] helo=ramsan)
	by ayla.of.borg with esmtp (Exim 4.82)
	(envelope-from <geert@linux-m68k.org>)
	id 1aVcmS-0001Ur-4s; Tue, 16 Feb 2016 11:22:52 +0100
Received: from geert by ramsan with local (Exim 4.82)
	(envelope-from <geert@linux-m68k.org>)
	id 1aVcmS-00033c-SV; Tue, 16 Feb 2016 11:22:52 +0100
From: Geert Uytterhoeven <geert+renesas@glider.be>
To: Linus Walleij <linus.walleij@linaro.org>,
	Alexandre Courbot <gnurou@gmail.com>
Cc: linux-gpio@vger.kernel.org, linux-renesas-soc@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Geert Uytterhoeven <geert+renesas@glider.be>
Subject: [PATCH -next] gpio: Use kzalloc() to allocate struct gpio_device to
	fix crash
Date: Tue, 16 Feb 2016 11:22:51 +0100
Message-Id: <1455618171-11719-1-git-send-email-geert+renesas@glider.be>
X-Mailer: git-send-email 1.9.1
Sender: linux-renesas-soc-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-renesas-soc.vger.kernel.org>
X-Mailing-List: linux-renesas-soc@vger.kernel.org
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

gpiochip_add_data() allocates the struct gpio_device using kmalloc(),
which doesn't zero the returned memory.

Hence when calling dev_set_name(), it may try to free a bogus old name,
causing a crash:

    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    ...
    Backtrace:
    [<c01c9258>] (kfree) from [<c01a701c>] (kfree_const+0x28/0x34)
     r9:eea77210 r8:ffffffff r7:00000001 r6:eea77008 r5:eea77010 r4:ee13afc0
    [<c01a6ff4>] (kfree_const) from [<c02c47cc>] (kobject_set_name_vargs+0x90/0xa0)
    [<c02c473c>] (kobject_set_name_vargs) from [<c038b374>] (dev_set_name+0x28/0x30)
     r6:eea77008 r5:eea7721c r4:eea77000 r3:00001743
    [<c038b350>] (dev_set_name) from [<c02ed200>] (gpiochip_add_data+0xa8/0x5e4)
     r3:00001743 r2:00000001 r1:c083b195
    [<c02ed158>] (gpiochip_add_data) from [<c02f0890>] (gpio_rcar_probe+0x228/0x344)
     r10:ee922e9c r9:ee922e00 r8:0000001a r7:eea7721c r6:ee90e010 r5:ee922e80
     r4:eea77210
    [<c02f0668>] (gpio_rcar_probe) from [<c0390220>] (platform_drv_probe+0x58/0xa8)

Use kzalloc() instead of kmalloc() to fix this.

See also the comment for device_initialize():

    All fields in @dev must be initialized by the caller to 0, except
    for those explicitly set to some other value.  The simplest
    approach is to use kzalloc() to allocate the structure containing
    @dev.

Fixes: ff2b135922992756 ("gpio: make the gpiochip a real device")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
---
 drivers/gpio/gpiolib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index aa4a60e19339b8b5..dc49ba3fe5acf089 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -435,7 +435,7 @@ int gpiochip_add_data(struct gpio_chip *chip, void *data)
 	 * First: allocate and populate the internal stat container, and
 	 * set up the struct device.
 	 */
-	gdev = kmalloc(sizeof(*gdev), GFP_KERNEL);
+	gdev = kzalloc(sizeof(*gdev), GFP_KERNEL);
 	if (!gdev)
 		return -ENOMEM;
 	gdev->dev.bus = &gpio_bus_type;