After cdev_alloc() succeeds and cdev_add() fails, call cdev_del() to remove unit->cdev from the system properly.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 8cb5d216ab33 ("char: xillybus: Move class-related functions to new xillybus_class.c")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
---
 drivers/char/xillybus/xillybus_class.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/char/xillybus/xillybus_class.c b/drivers/char/xillybus/xillybus_class.c index c92a628e389e..045e125ec423 100644 --- a/drivers/char/xillybus/xillybus_class.c +++ b/drivers/char/xillybus/xillybus_class.c @@ -105,7 +105,7 @@ int xillybus_init_chrdev(struct device *dev, dev_err(dev, "Failed to add cdev.\n"); /* kobject_put() is normally done by cdev_del() */ kobject_put(&unit->cdev->kobj); - goto unregister_chrdev; + goto err_cdev; }
for (i = 0; i < num_nodes; i++) { @@ -157,6 +157,7 @@ int xillybus_init_chrdev(struct device *dev, device_destroy(&xillybus_class, MKDEV(unit->major, i + unit->lowest_minor));
+err_cdev: cdev_del(unit->cdev);
unregister_chrdev:
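Review bot: In the first hunk the cdev_add() failure path still calls kobject_put(&unit->cdev->kobj) before the new goto err_cdev, and the err_cdev label added in the second hunk then runs cdev_del(unit->cdev) on that same object. The comment kept in the hunk says kobject_put() is normally done by cdev_del(), so this path now drops the reference twice, and if the first put releases the cdev, cdev_del() touches freed memory. Suggest keeping goto unregister_chrdev here unless the kobject_put() call and its comment are removed in the same change, so the reference is dropped exactly once on this path; the commit message should also say which call is meant to release the object obtained from cdev_alloc().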
Hello,
Thanks for your patch.
However, as far as I understand, applying it will cause a Use After Free (UAF) error by cdev_del(), as the call to kobject_put() unwinds the memory allocation made by cdev_alloc().
Or have I missed something?
Regards, Eli
On 10/03/2025 4:28, Ma Ke wrote:
After cdev_alloc() succeeds and cdev_add() fails, call cdev_del() to remove unit->cdev from the system properly.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 8cb5d216ab33 ("char: xillybus: Move class-related functions to new xillybus_class.c")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>

 drivers/char/xillybus/xillybus_class.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/char/xillybus/xillybus_class.c b/drivers/char/xillybus/xillybus_class.c index c92a628e389e..045e125ec423 100644 --- a/drivers/char/xillybus/xillybus_class.c +++ b/drivers/char/xillybus/xillybus_class.c @@ -105,7 +105,7 @@ int xillybus_init_chrdev(struct device *dev, dev_err(dev, "Failed to add cdev.\n"); /* kobject_put() is normally done by cdev_del() */ kobject_put(&unit->cdev->kobj);
goto unregister_chrdev;
}goto err_cdev;
for (i = 0; i < num_nodes; i++) { @@ -157,6 +157,7 @@ int xillybus_init_chrdev(struct device *dev, device_destroy(&xillybus_class, MKDEV(unit->major, i + unit->lowest_minor)); +err_cdev: cdev_del(unit->cdev); unregister_chrdev:
linux-stable-mirror@lists.linaro.org