leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

uio: potential double frees if __uio_register_device() fails

Browse Source 
The uio_unregister_device() function assumes that if "info->uio_dev" is
non-NULL that means "info" is fully allocated.  Setting info->uio_de
has to be the last thing in the function.

In the current code, if request_threaded_irq() fails then we return with
info->uio_dev set to non-NULL but info is not fully allocated and it can
lead to double frees.

Fixes: beafc54c4e ("UIO: Add the User IO core code")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Dan Carpenter 2018-08-02 11:24:47 +03:00 committed by Greg Kroah-Hartman
parent c01513b4b2
commit f019f07ecf
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
drivers/uio/uio.c
View File

@ -953,8 +953,6 @@ int __uio_register_device(struct module *owner,
if (ret) if (ret)
goto err_uio_dev_add_attributes; goto err_uio_dev_add_attributes;
info->uio_dev = idev;
if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) { if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) {
/* /*
* Note that we deliberately don't use devm_request_irq * Note that we deliberately don't use devm_request_irq
@ -971,6 +969,7 @@ int __uio_register_device(struct module *owner,
goto err_request_irq; goto err_request_irq;
} }
info->uio_dev = idev;
return 0; return 0;
err_request_irq: err_request_irq: