The patch

   regmap: potentially duplicate the name string stored in regmap

has been applied to the regmap tree at

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap.git

All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying to this mail.

Thanks,
Mark

>From 8253bb3f82554cedb830a4cb65c84796df129c81 Mon Sep 17 00:00:00 2001
From: Bartosz Golaszewski <[email protected]>
Date: Wed, 13 Dec 2017 17:25:31 +0100
Subject: [PATCH] regmap: potentially duplicate the name string stored in regmap

Currently we just copy over the pointer passed to regmap_init() in the regmap config struct. To be on the safe side: duplicate the string with kstrdup_const() so that if an unaware user passes an address to a stack-allocated buffer, we won't crash.

Signed-off-by: Bartosz Golaszewski <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
---
 drivers/base/regmap/regmap.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c index 496da7bc5e77..84b5784e171b 100644 --- a/drivers/base/regmap/regmap.c +++ b/drivers/base/regmap/regmap.c 
@@ -672,6 +672,14 @@ struct regmap *__regmap_init(struct device *dev, goto err; } + if (config->name) { + map->name = kstrdup_const(config->name, GFP_KERNEL); + if (!map->name) { + ret = -ENOMEM; + goto err_map; + } + } + if (config->disable_locking) { map->lock = map->unlock = regmap_lock_unlock_none; regmap_debugfs_disable(map); @@ -683,7 +691,7 @@ struct regmap *__regmap_init(struct device *dev, map->hwlock = hwspin_lock_request_specific(config->hwlock_id); if (!map->hwlock) { ret = -ENXIO; - goto err_map; + goto err_name; } switch (config->hwlock_mode) { @@ -763,7 +771,6 @@ struct regmap *__regmap_init(struct device *dev, map->volatile_reg = config->volatile_reg; map->precious_reg = config->precious_reg; map->cache_type = config->cache_type; - map->name = config->name; spin_lock_init(&map->async_lock); INIT_LIST_HEAD(&map->async_list); @@ -1119,6 +1126,8 @@ struct regmap *__regmap_init(struct device *dev, err_hwlock: if (map->hwlock) hwspin_lock_free(map->hwlock); +err_name: + kfree_const(map->name); err_map: kfree(map); err: @@ -1308,6 +1317,7 @@ void regmap_exit(struct regmap *map) } if (map->hwlock) hwspin_lock_free(map->hwlock); + kfree_const(map->name); kfree(map); } EXPORT_SYMBOL_GPL(regmap_exit); -- 2.15.1
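
Review bot: With the unconditional `map->name = config->name;` removed in the @@ -763 hunk, map->name is now written only inside `if (config->name)` in the @@ -672 hunk, so for a NULL config name both kfree_const(map->name) calls (at err_name and in regmap_exit()) depend on map having been zero-initialised at allocation, which is outside the visible context. If the allocation does not zero the struct, add an explicit NULL assignment in an else branch; if it does, a short comment at the new block would make that dependency visible to the next person who touches it.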
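
Review bot: Any failure path that runs after the new kstrdup_const() block and still jumps to err_map will leak the duplicated name, because err_map sits below the new err_name label and skips kfree_const(). The diffstat shows only two deleted lines, so the hwspin_lock_request_specific() failure in the @@ -683 hunk is the only `goto err_map` retargeted here; please confirm that every remaining `goto err_map` in __regmap_init() comes before the duplication, or move those to err_name as well.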
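
Review bot: The ownership change for the name string is undocumented, both at the new `map->name = kstrdup_const(...)` assignment and for callers filling in the config. kstrdup_const() returns the caller's pointer unchanged when the string lives in kernel .rodata and a heap copy otherwise, so map->name must only ever be released with kfree_const(), as the err_name and regmap_exit() hunks do. A one-line comment at the assignment saying so, plus a note in the regmap_config documentation that the name no longer has to outlive the map, would keep a later cleanup from swapping in a plain kfree().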

