From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.4 09/47] uio: potential double frees if __uio_register_device() fails
Date: Sun, 2 Sep 2018 13:15:47 +0000
Message-ID: <20180902131533.184092-9-alexander.levin@microsoft.com>
In-Reply-To: <20180902131533.184092-1-alexander.levin@microsoft.com>

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit f019f07ecf6a6b8bd6d7853bce70925d90af02d1 ]

The uio_unregister_device() function assumes that if "info->uio_dev" is
non-NULL that means "info" is fully allocated.  Setting info->uio_dev
has to be the last thing in the function.

In the current code, if request_threaded_irq() fails then we return with
info->uio_dev set to non-NULL but info is not fully allocated and it can
lead to double frees.

Fixes: beafc54c4e2f ("UIO: Add the User IO core code")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 drivers/uio/uio.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
index bcc1fc027311..b9823eb9c195 100644
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -833,8 +833,6 @@ int __uio_register_device(struct module *owner,
 	if (ret)
 		goto err_uio_dev_add_attributes;
 
-	info->uio_dev = idev;
-
 	if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) {
 		/*
 		 * Note that we deliberately don't use devm_request_irq
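Review bot: With `info->uio_dev = idev;` removed from ahead of the `if (info->irq && (info->irq != UIO_IRQ_CUSTOM))` block, the interrupt is now requested while info->uio_dev is still NULL. Please confirm that nothing reachable from the interrupt handler reads info->uio_dev, since the handler could run before the assignment that now sits just above `return 0;`. A sentence in the commit message saying this was checked would help reviewers of the stable backport.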
@@ -850,6 +848,7 @@ int __uio_register_device(struct module *owner,
 			goto err_request_irq;
 	}
 
+	info->uio_dev = idev;
 	return 0;
 
 err_request_irq:
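Review bot: The new `info->uio_dev = idev;` directly above `return 0;` carries an ordering requirement that the code does not state: per the commit message, uio_unregister_device() treats a non-NULL info->uio_dev as proof that registration completed. Suggest a one-line comment above the assignment saying it must remain the last step, so that a later change which adds a fallible step after it, or moves it back above the IRQ request, does not reintroduce the double free.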
-- 
2.17.1
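
The ordering problem the commit message describes, as an added user-space model (not code from the patch or from drivers/uio/uio.c). All `model_*` names are hypothetical, the release counter stands in for a free, and the assumption that the error path tears the device down is taken from the commit message's "double frees" wording.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: a release counter replaces real frees, so nothing is freed twice. */
struct model_dev  { int release_count; };                 /* stands in for idev */
struct model_info { struct model_dev *uio_dev; int irq_fails; };

static struct model_dev pool;                             /* the one device being registered */

static void model_release(struct model_dev *d) { d->release_count++; }

/* Stand-in for the IRQ request step: fails on demand. */
static int model_request_irq(const struct model_info *info) { return info->irq_fails ? -1 : 0; }

/* publish_early = 1 models the old ordering, 0 the patched ordering. */
static int model_register(struct model_info *info, int publish_early)
{
    struct model_dev *idev = &pool;
    idev->release_count = 0;
    if (publish_early)
        info->uio_dev = idev;          /* published before the last fallible step */
    if (model_request_irq(info)) {
        model_release(idev);           /* assumed: error path tears the device down */
        return -1;
    }
    info->uio_dev = idev;              /* patched ordering: publish as the final step */
    return 0;
}

/* Treats a non-NULL uio_dev as "fully registered", as the commit message describes. */
static void model_unregister(struct model_info *info)
{
    if (!info || !info->uio_dev)
        return;
    model_release(info->uio_dev);
    info->uio_dev = NULL;
}

/* A caller whose cleanup calls unregister even though registration failed. */
int releases_after_failed_register(int publish_early)
{
    struct model_info info = { NULL, 1 };
    if (model_register(&info, publish_early) == 0)
        return -1;
    model_unregister(&info);
    return pool.release_count;
}

int main(void)
{
    printf("early publish: %d releases\n", releases_after_failed_register(1));
    printf("publish last:  %d releases\n", releases_after_failed_register(0));
    return 0;
}
```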
