| From foo@baz Mon Sep 17 12:33:31 CEST 2018 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Thu, 2 Aug 2018 11:24:47 +0300 |
| Subject: uio: potential double frees if __uio_register_device() fails |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| [ Upstream commit f019f07ecf6a6b8bd6d7853bce70925d90af02d1 ] |
| |
| The uio_unregister_device() function assumes that if "info->uio_dev" is |
| non-NULL that means "info" is fully allocated. Setting info->uio_de |
| has to be the last thing in the function. |
| |
| In the current code, if request_threaded_irq() fails then we return with |
| info->uio_dev set to non-NULL but info is not fully allocated and it can |
| lead to double frees. |
| |
| Fixes: beafc54c4e2f ("UIO: Add the User IO core code") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/uio/uio.c | 3 +-- |
| 1 file changed, 1 insertion(+), 2 deletions(-) |
| |
| --- a/drivers/uio/uio.c |
| +++ b/drivers/uio/uio.c |
| @@ -841,8 +841,6 @@ int __uio_register_device(struct module |
| if (ret) |
| goto err_uio_dev_add_attributes; |
| |
| - info->uio_dev = idev; |
| - |
| if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) { |
| /* |
| * Note that we deliberately don't use devm_request_irq |
| @@ -858,6 +856,7 @@ int __uio_register_device(struct module |
| goto err_request_irq; |
| } |
| |
| + info->uio_dev = idev; |
| return 0; |
| |
| err_request_irq: |
