From 43d7ce70ae43dd8523754b17f567417e0e75dbce Mon Sep 17 00:00:00 2001 From: Wei Yongjun Date: Thu, 7 May 2020 09:42:52 +0000 Subject: gnss: sirf: fix error return code in sirf_probe() Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. This avoids a use-after-free in case the driver is later unbound. Fixes: d2efbbd18b1e ("gnss: add driver for sirfstar-based receivers") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun [ johan: amend commit message; mention potential use-after-free ] Cc: stable # 4.19 Signed-off-by: Johan Hovold --- drivers/gnss/sirf.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/gnss/sirf.c b/drivers/gnss/sirf.c index effed3a8d398..2ecb1d3e8eeb 100644 --- a/drivers/gnss/sirf.c +++ b/drivers/gnss/sirf.c @@ -439,14 +439,18 @@ static int sirf_probe(struct serdev_device *serdev) data->on_off = devm_gpiod_get_optional(dev, "sirf,onoff", GPIOD_OUT_LOW); - if (IS_ERR(data->on_off)) + if (IS_ERR(data->on_off)) { + ret = PTR_ERR(data->on_off); goto err_put_device; + } if (data->on_off) { data->wakeup = devm_gpiod_get_optional(dev, "sirf,wakeup", GPIOD_IN); - if (IS_ERR(data->wakeup)) + if (IS_ERR(data->wakeup)) { + ret = PTR_ERR(data->wakeup); goto err_put_device; + } ret = regulator_enable(data->vcc); if (ret) -- cgit From 9b5816b56af6a424619ab51d24de34dfc65102d8 Mon Sep 17 00:00:00 2001 
From: "Gustavo A. R. Silva" Date: Thu, 7 May 2020 13:53:13 -0500 Subject: gnss: replace zero-length array with flexible-array The current codebase makes use of the zero-length array language extension to the C90 standard, but the preferred mechanism to declare variable-length types such as these ones is a flexible array member[1][2], introduced in C99: struct foo { int stuff; struct boo array[]; }; By making use of the mechanism above, we will get a compiler warning in case the flexible array does not occur last in the structure, which will help us prevent some kind of undefined behavior bugs from being inadvertently introduced[3] to the codebase from now on. Also, notice that, dynamic memory allocations won't be affected by this change: "Flexible array members have incomplete type, and so the sizeof operator may not be applied. As a quirk of the original implementation of zero-length arrays, sizeof evaluates to zero."[1] sizeof(flexible-array-member) triggers a warning because flexible array members have incomplete type[1]. There are some instances of code in which the sizeof operator is being incorrectly/erroneously applied to zero-length arrays and the result is zero. Such instances may be hiding some bugs. So, this work (flexible-array member conversions) will also help to get completely rid of those sorts of issues. This issue was found with the help of Coccinelle. [1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html [2] https://github.com/KSPP/linux/issues/21 [3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour") Signed-off-by: Gustavo A. R. Silva Signed-off-by: Johan Hovold --- drivers/gnss/serial.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gnss/serial.h b/drivers/gnss/serial.h index 980ffdc86c2a..621953f7821d 100644 --- a/drivers/gnss/serial.h +++ b/drivers/gnss/serial.h 
@@ -16,7 +16,7 @@ struct gnss_serial { struct gnss_device *gdev; speed_t speed; const struct gnss_serial_ops *ops; - unsigned long drvdata[0]; + unsigned long drvdata[]; }; enum gnss_serial_pm_state { -- cgit
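Review bot: In the sirf_probe() hunk of drivers/gnss/sirf.c, both fixed branches still keep the error assignment separate from the IS_ERR() check, which is the shape that allowed `goto err_put_device` to run without `ret` being set in the first place. Folding each pair as `ret = PTR_ERR_OR_ZERO(data->on_off); if (ret) goto err_put_device;` (and likewise for `data->wakeup`) would match the `ret = regulator_enable(data->vcc); if (ret)` form visible just below, so these two calls cannot reach the label with a stale `ret`. The commit message could also say in one sentence why a zero return from this error path leads to the use-after-free on unbind, since that link is not evident from the diff.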
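Review bot: For the struct gnss_serial hunk in drivers/gnss/serial.h, the commit message is the generic tree-wide text and does not say whether anything in drivers/gnss applies sizeof to `drvdata` or how the trailing storage is sized at allocation. With `unsigned long drvdata[];` the member has incomplete type, so an expression that used to evaluate quietly to zero is now diagnosed by the compiler; please state that the gnss users were checked and that the allocation size is unchanged for this struct. A one-line comment on the member noting that it must remain the last field would document the constraint the compiler now enforces.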