On Thu, Apr 04, 2024 at 11:33:28AM +0200, Bartosz Golaszewski wrote:
From: Kent Gibson <warthog618@gmail.com>
When adding sanitization of the label, the path through edge_detector_setup() that leads to debounce_setup() was overlooked. A request taking this path does not allocate a new label and the request label is freed twice when the request is released, resulting in memory corruption.
Add label sanitization to debounce_setup().
...
+static inline char *make_irq_label(const char *orig) +{
- char *new;
- if (!orig)
return NULL;
- new = kstrdup_and_replace(orig, '/', ':', GFP_KERNEL);
- if (!new)
return ERR_PTR(-ENOMEM);
- return new;
+}
+static inline void free_irq_label(const char *label) +{
- kfree(label);
+}
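Review bot: make_irq_label() has two distinct non-success returns, NULL when there is no original label and ERR_PTR(-ENOMEM) when kstrdup_and_replace() fails, and neither helper carries a comment spelling that contract out; a short kernel-doc block above make_irq_label() stating "returns NULL if @orig is NULL, ERR_PTR(-ENOMEM) on allocation failure, otherwise a kfree()-able copy" would save every caller from rediscovering that IS_ERR() (not a NULL test) is the right check. free_irq_label() is fine as written since kfree(NULL) is a no-op, but that tolerance is worth a one-line comment too.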
First of all, this could have been done in the previous patch already, but okay.
...
label = make_irq_label(line->req->label);
if (IS_ERR(label))
return -ENOMEM;
irqflags = IRQF_TRIGGER_FALLING | IRQF_TRIGGER_RISING; ret = request_irq(irq, debounce_irq_handler, irqflags, line->req->label, line);
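Review bot: the request_irq() call at the end of this hunk still passes line->req->label rather than the newly made `label`, so the sanitized copy is never handed to the IRQ core and the raw request label remains the one registered; the call should read `ret = request_irq(irq, debounce_irq_handler, irqflags, label, line);`. Separately, `return -ENOMEM;` after the IS_ERR() check hardcodes the errno instead of propagating whatever make_irq_label() reported; `return PTR_ERR(label);` keeps the helper's error code intact.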
But the main point: how does this change fix anything?
Shouldn't it be
- line->req->label, line); + label, line);
?
if (ret) {
free_irq_label(label); return ret;
}
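Review bot: the error path correctly frees the sanitized label, but the quoted lines show nothing storing `label` on the success path; unless the line keeps a pointer to its own copy, there is no way to free it when the IRQ is released, and since the commit message says the old code freed the request label twice on release, the release path presumably now needs to free this per-line copy (after free_irq()) instead of the request label. Please confirm where that pointer is kept, or include that part of the change in the diff.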