| From 432798195bbce1f8cd33d1c0284d0538835e25fb Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Fri, 26 Oct 2018 10:19:51 +0300 |
| Subject: uio: Fix an Oops on load |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit 432798195bbce1f8cd33d1c0284d0538835e25fb upstream. |
| |
| I was trying to solve a double free but I introduced a more serious |
| NULL dereference bug. The problem is that if there is an IRQ which |
| triggers immediately, then we need "info->uio_dev" but it's not set yet. |
| |
| This patch puts the original initialization back to how it was and just |
| sets info->uio_dev to NULL on the error path so it should solve both |
| the Oops and the double free. |
| |
| Fixes: f019f07ecf6a ("uio: potential double frees if __uio_register_device() fails") |
| Reported-by: Mathias Thore <Mathias.Thore@infinera.com> |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Cc: stable <stable@vger.kernel.org> |
| Tested-by: Mathias Thore <Mathias.Thore@infinera.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/uio/uio.c | 7 +++++-- |
| 1 file changed, 5 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/uio/uio.c |
| +++ b/drivers/uio/uio.c |
| @@ -959,6 +959,8 @@ int __uio_register_device(struct module |
| if (ret) |
| goto err_uio_dev_add_attributes; |
| |
| + info->uio_dev = idev; |
| + |
| if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) { |
| /* |
| * Note that we deliberately don't use devm_request_irq |
| @@ -970,11 +972,12 @@ int __uio_register_device(struct module |
| */ |
| ret = request_irq(info->irq, uio_interrupt, |
| info->irq_flags, info->name, idev); |
| - if (ret) |
| + if (ret) { |
| + info->uio_dev = NULL; |
| goto err_request_irq; |
| + } |
| } |
| |
| - info->uio_dev = idev; |
| return 0; |
| |
| err_request_irq: |
