Hi,
On 5-Oct-24 3:05 PM, Hans de Goede wrote:
> x86_android_tablet_remove() frees the pdevs[] array, so it should not
> be used after calling x86_android_tablet_remove().
>
> When platform_device_register() fails, store the pdevs[x] PTR_ERR() value
> into the local ret variable before calling x86_android_tablet_remove()
> to avoid using pdevs[] after it has been freed.
>
> Fixes: 5eba0141206e ("platform/x86: x86-android-tablets: Add support for instantiating platform-devs")
> Fixes: e2200d3f26da ("platform/x86: x86-android-tablets: Add gpio_keys support to x86_android_tablet_init()")
> Cc: stable@xxxxxxxxxxxxxxx
> Reported-by: Aleksandr Burakov <a.burakov@xxxxxxxxxxxx>
> Closes: https://lore.kernel.org/platform-driver-x86/20240917120458.7300-1-a.burakov@xxxxxxxxxxxx/
> Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx>
I've added this to my review-hans (soon to be fixes) branch now.
Regards,
Hans
> ---
> drivers/platform/x86/x86-android-tablets/core.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/platform/x86/x86-android-tablets/core.c b/drivers/platform/x86/x86-android-tablets/core.c
> index 1427a9a39008..ef572b90e06b 100644
> --- a/drivers/platform/x86/x86-android-tablets/core.c
> +++ b/drivers/platform/x86/x86-android-tablets/core.c
> @@ -390,8 +390,9 @@ static __init int x86_android_tablet_probe(struct platform_device *pdev)
> for (i = 0; i < pdev_count; i++) {
> pdevs[i] = platform_device_register_full(&dev_info->pdev_info[i]);
> if (IS_ERR(pdevs[i])) {
> + ret = PTR_ERR(pdevs[i]);
> x86_android_tablet_remove(pdev);
> - return PTR_ERR(pdevs[i]);
> + return ret;
> }
> }
>
> @@ -443,8 +444,9 @@ static __init int x86_android_tablet_probe(struct platform_device *pdev)
> PLATFORM_DEVID_AUTO,
> &pdata, sizeof(pdata));
> if (IS_ERR(pdevs[pdev_count])) {
> + ret = PTR_ERR(pdevs[pdev_count]);
> x86_android_tablet_remove(pdev);
> - return PTR_ERR(pdevs[pdev_count]);
> + return ret;
> }
> pdev_count++;
> }
