* [PATCH] iio: dummy_evgen: Fix use after free on error in iio_dummy_evgen_create()
@ 2020-05-20 12:03 Dan Carpenter
2020-05-20 12:13 ` Marc Zyngier
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2020-05-20 12:03 UTC (permalink / raw)
To: Jonathan Cameron, Bartosz Golaszewski
Cc: Hartmut Knaack, Lars-Peter Clausen, Peter Meerwald-Stadler,
Kate Stewart, Marc Zyngier, Allison Randal, Linus Walleij,
linux-iio, kernel-janitors
We need to preserve the "iio_evgen->irq_sim_domain" error code before
we free "iio_evgen" otherwise it leads to a use after free.
Fixes: 337cbeb2c13e ("genirq/irq_sim: Simplify the API")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/iio/dummy/iio_dummy_evgen.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/iio/dummy/iio_dummy_evgen.c b/drivers/iio/dummy/iio_dummy_evgen.c
index 409fe0f7df1c..ee85d596e528 100644
--- a/drivers/iio/dummy/iio_dummy_evgen.c
+++ b/drivers/iio/dummy/iio_dummy_evgen.c
@@ -45,6 +45,8 @@ static struct iio_dummy_eventgen *iio_evgen;
static int iio_dummy_evgen_create(void)
{
+ int ret;
+
iio_evgen = kzalloc(sizeof(*iio_evgen), GFP_KERNEL);
if (!iio_evgen)
return -ENOMEM;
@@ -52,8 +54,9 @@ static int iio_dummy_evgen_create(void)
iio_evgen->irq_sim_domain = irq_domain_create_sim(NULL,
IIO_EVENTGEN_NO);
if (IS_ERR(iio_evgen->irq_sim_domain)) {
+ ret = PTR_ERR(iio_evgen->irq_sim_domain);
kfree(iio_evgen);
- return PTR_ERR(iio_evgen->irq_sim_domain);
+ return ret;
}
mutex_init(&iio_evgen->lock);
--
2.26.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] iio: dummy_evgen: Fix use after free on error in iio_dummy_evgen_create()
2020-05-20 12:03 [PATCH] iio: dummy_evgen: Fix use after free on error in iio_dummy_evgen_create() Dan Carpenter
@ 2020-05-20 12:13 ` Marc Zyngier
0 siblings, 0 replies; 2+ messages in thread
From: Marc Zyngier @ 2020-05-20 12:13 UTC (permalink / raw)
To: Dan Carpenter
Cc: Jonathan Cameron, Bartosz Golaszewski, Hartmut Knaack,
Lars-Peter Clausen, Peter Meerwald-Stadler, Kate Stewart,
Allison Randal, Linus Walleij, linux-iio, kernel-janitors
Hi Dan,
On 2020-05-20 13:03, Dan Carpenter wrote:
> We need to preserve the "iio_evgen->irq_sim_domain" error code before
> we free "iio_evgen" otherwise it leads to a use after free.
>
> Fixes: 337cbeb2c13e ("genirq/irq_sim: Simplify the API")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/iio/dummy/iio_dummy_evgen.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/iio/dummy/iio_dummy_evgen.c
> b/drivers/iio/dummy/iio_dummy_evgen.c
> index 409fe0f7df1c..ee85d596e528 100644
> --- a/drivers/iio/dummy/iio_dummy_evgen.c
> +++ b/drivers/iio/dummy/iio_dummy_evgen.c
> @@ -45,6 +45,8 @@ static struct iio_dummy_eventgen *iio_evgen;
>
> static int iio_dummy_evgen_create(void)
> {
> + int ret;
> +
> iio_evgen = kzalloc(sizeof(*iio_evgen), GFP_KERNEL);
> if (!iio_evgen)
> return -ENOMEM;
> @@ -52,8 +54,9 @@ static int iio_dummy_evgen_create(void)
> iio_evgen->irq_sim_domain = irq_domain_create_sim(NULL,
> IIO_EVENTGEN_NO);
> if (IS_ERR(iio_evgen->irq_sim_domain)) {
> + ret = PTR_ERR(iio_evgen->irq_sim_domain);
> kfree(iio_evgen);
> - return PTR_ERR(iio_evgen->irq_sim_domain);
> + return ret;
> }
>
> mutex_init(&iio_evgen->lock);
Nice catch. I've applied it to irq/irqchip-next, since
the offending patch is queued there.
Thanks,
M.
--
Jazz is not dead. It just smells funny...
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-05-20 12:13 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-20 12:03 [PATCH] iio: dummy_evgen: Fix use after free on error in iio_dummy_evgen_create() Dan Carpenter
2020-05-20 12:13 ` Marc Zyngier
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).