6.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Bartosz Golaszewski <bartosz.golaszewski@xxxxxxxxxx> commit b3b95964590a3d756d69ea8604c856de805479ad upstream. We need to take into account that a line's consumer label may be NULL and not try to kstrdup() it in that case but rather pass the NULL pointer up the stack to the interrupt request function. To that end: let make_irq_label() return NULL as a valid return value and use ERR_PTR() instead to signal an allocation failure to callers. Cc: stable@xxxxxxxxxxxxxxx Fixes: b34490879baa ("gpio: cdev: sanitize the label before requesting the interrupt") Reported-by: Linux Kernel Functional Testing <lkft@xxxxxxxxxx> Closes: https://lore.kernel.org/lkml/20240402093534.212283-1-naresh.kamboju@xxxxxxxxxx/ Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@xxxxxxxxxx> Tested-by: Anders Roxell <anders.roxell@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/gpio/gpiolib-cdev.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) --- a/drivers/gpio/gpiolib-cdev.c +++ b/drivers/gpio/gpiolib-cdev.c @@ -1012,7 +1012,16 @@ static u32 gpio_v2_line_config_debounce_ static inline char *make_irq_label(const char *orig) { - return kstrdup_and_replace(orig, '/', ':', GFP_KERNEL); + char *new; + + if (!orig) + return NULL; + + new = kstrdup_and_replace(orig, '/', ':', GFP_KERNEL); + if (!new) + return ERR_PTR(-ENOMEM); + + return new; } static inline void free_irq_label(const char *label) @@ -1086,8 +1095,8 @@ static int edge_detector_setup(struct li irqflags |= IRQF_ONESHOT; label = make_irq_label(line->req->label); - if (!label) - return -ENOMEM; + if (IS_ERR(label)) + return PTR_ERR(label); /* Request a thread to read the events */ ret = request_threaded_irq(irq, edge_irq_handler, edge_irq_thread, @@ -2194,8 +2203,8 @@ static int lineevent_create(struct gpio_ goto out_free_le; label = make_irq_label(le->label); - if (!label) { - ret = -ENOMEM; + if (IS_ERR(label)) { + ret = PTR_ERR(label); goto out_free_le; }