staging: greybus: lights: avoid NULL deref

gb_lights_light_config() stores channel_count before allocating the
channels array. If kcalloc() fails, gb_lights_release() iterates the
non-zero count and dereferences light->channels, which is NULL.

Allocate channels first and only then publish channels_count so the
cleanup path can't walk a NULL pointer.

Fixes: 2870b52bae4c ("greybus: lights: add lights implementation")
Link: https://lore.kernel.org/all/20260108103700.15384-1-chaitanyamishra.ai@gmail.com/
Reviewed-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Chaitanya Mishra <chaitanyamishra.ai@gmail.com>
Link: https://patch.msgid.link/20260108151254.81553-1-chaitanyamishra.ai@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/greybus/light.c b/drivers/staging/greybus/light.c
index e509fdc715dbbf53fa4cbd9a9f6d7b539ce7e354..38c233a706c483f1d3b4f9bc15d4d20deab95bb3 100644 (file)
--- a/drivers/staging/greybus/light.c
+++ b/drivers/staging/greybus/light.c
@@ -1008,14 +1008,18 @@ static int gb_lights_light_config(struct gb_lights *glights, u8 id)
        if (!strlen(conf.name))
                return -EINVAL;
 
-       light->channels_count = conf.channel_count;
        light->name = kstrndup(conf.name, NAMES_MAX, GFP_KERNEL);
        if (!light->name)
                return -ENOMEM;
-       light->channels = kcalloc(light->channels_count,
+       light->channels = kcalloc(conf.channel_count,
                                  sizeof(struct gb_channel), GFP_KERNEL);
        if (!light->channels)
                return -ENOMEM;
+       /*
+        * Publish channels_count only after channels allocation so cleanup
+        * doesn't walk a NULL channels pointer on allocation failure.
+        */
+       light->channels_count = conf.channel_count;
 
        /* First we collect all the configurations for all channels */
        for (i = 0; i < light->channels_count; i++) {