gpio: aggregator: fix a potential use-after-free

On error we free aggr->lookups->dev_id before removing the entry from the lookup table. If a concurrent thread calls gpiod_find() before we remove the entry, it could iterate over the list and call gpiod_match_lookup_table() which unconditionally dereferences dev_id when calling strcmp(). Reverse the order of cleanup. Fixes: 86f162e73d2d ("gpio: aggregator: introduce basic configfs interface") Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> Link: https://patch.msgid.link/20260520084911.27938-1-bartosz.golaszewski@oss.qualcomm.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
author: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> 2026-05-20 10:49:11 +0200
committer: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> 2026-05-21 12:00:42 +0200
commit: 30c073cab97afb31901f94de9605177b6b84367e (patch)
tree: 631ef6d2310e9ea64f9eba63552ead2d342e21a1
parent: 3e6ccd790ed69bedd3d9626d01dd35cf9821c121 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/gpio/gpio-aggregator.c b/drivers/gpio/gpio-aggregator.c
index 5915209e1e21..b53230065f50 100644
--- a/drivers/gpio/gpio-aggregator.c
+++ b/drivers/gpio/gpio-aggregator.c
@@ -979,8 +979,8 @@ static int gpio_aggregator_activate(struct gpio_aggregator *aggr)
 err_unregister_pdev:
 	platform_device_unregister(pdev);
 err_remove_lookup_table:
-	kfree(aggr->lookups->dev_id);
 	gpiod_remove_lookup_table(aggr->lookups);
+	kfree(aggr->lookups->dev_id);
 err_remove_swnode:
 	fwnode_remove_software_node(swnode);
 err_remove_lookups:
author	Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>	2026-05-20 10:49:11 +0200
committer	Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>	2026-05-21 12:00:42 +0200
commit	30c073cab97afb31901f94de9605177b6b84367e (patch)
tree	631ef6d2310e9ea64f9eba63552ead2d342e21a1
parent	3e6ccd790ed69bedd3d9626d01dd35cf9821c121 (diff)