aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLiu Jian <liujian56@huawei.com>2019-01-23 06:45:38 +0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-01-31 16:36:52 +0100
commit221a1f4ac12d2ab46246c160b2e00d1b1160d5d9 (patch)
treed2f2662d31635d9cc9f999fb48f4a27e93d21879
parentdriver: uio: fix possible memory leak in __uio_register_device (diff)
downloadlinux-dev-221a1f4ac12d2ab46246c160b2e00d1b1160d5d9.tar.xz
linux-dev-221a1f4ac12d2ab46246c160b2e00d1b1160d5d9.zip
driver: uio: fix possible use-after-free in __uio_register_device
In uio_dev_add_attributes() error handing case, idev is used after device_unregister(), in which 'idev' has been released, touch idev cause use-after-free. Fixes: a93e7b331568 ("uio: Prevent device destruction while fds are open") Signed-off-by: Liu Jian <liujian56@huawei.com> Reviewed-by: Hamish Martin <hamish.martin@alliedtelesis.co.nz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat
-rw-r--r--drivers/uio/uio.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
index f23ef235359f..a57698985f9c 100644
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -945,6 +945,7 @@ int __uio_register_device(struct module *owner,
return ret;
}
+ device_initialize(&idev->dev);
idev->dev.devt = MKDEV(uio_major, idev->minor);
idev->dev.class = &uio_class;
idev->dev.parent = parent;
@@ -955,7 +956,7 @@ int __uio_register_device(struct module *owner,
if (ret)
goto err_device_create;
- ret = device_register(&idev->dev);
+ ret = device_add(&idev->dev);
if (ret)
goto err_device_create;
@@ -987,9 +988,10 @@ int __uio_register_device(struct module *owner,
err_request_irq:
uio_dev_del_attributes(idev);
err_uio_dev_add_attributes:
- device_unregister(&idev->dev);
+ device_del(&idev->dev);
err_device_create:
uio_free_minor(idev);
+ put_device(&idev->dev);
return ret;
}
EXPORT_SYMBOL_GPL(__uio_register_device);
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.