[PATCH] pinctrl: rockchip: fix NULL ptr deref in rockchip_pinctrl_parse_groups()
Sergey Shtylyov
s.shtylyov at omp.ru
Mon Sep 8 07:36:12 PDT 2025
On 9/8/25 8:53 AM, Chen-Yu Tsai wrote:
[...]
>> Am Mittwoch, 3. September 2025, 21:48:54 Mitteleuropäische Sommerzeit schrieb Sergey Shtylyov:
>>> In the Rockchip driver, rockchip_pinctrl_parse_groups() assumes that the
>>> "rockchip,pins" property will always be present in the DT node it parses
>>> and so doesn't check the result of of_get_property() for NULL. If the DT
>>> passed to the kernel happens to have such property missing, then we will
>>> get a kernel oops when the pointer is dereferenced in the *for* loop just
>>> a few lines after the call. I think it's better to play safe by checking
>>> the list variable for NULL (and reporting error if so), like we check the
>>> size variable for validity further down...
>>>
>>> Found by Linux Verification Center (linuxtesting.org) with the Svace static
>>> analysis tool.
>>>
>>> Fixes: d3e5116119bd ("pinctrl: add pinctrl driver for Rockchip SoCs")
>>> Signed-off-by: Sergey Shtylyov <s.shtylyov at omp.ru>
>>
>> Assuming that the DT is our friend, really is a bad assumption :-) .
>
> If this is invalid, perhaps you should make the "rockchip,pins" property
> required in the binding?
Looking at Documentation/devicetree/bindings/pinctrl/rockchip,pinctrl.txt
in 5.10.y, it was marked as required. The modern YAML bindings don't seem to
say that, at least explicitly...
[...]
MBR, Sergey
More information about the linux-arm-kernel
mailing list