After cdev_alloc() succeed and cdev_add() failed, call cdev_del() to remove unit->cdev from the system properly.
Found by code review.
Cc: stable@vger.kernel.org Fixes: 8cb5d216ab33 ("char: xillybus: Move class-related functions to new xillybus_class.c") Signed-off-by: Ma Ke make24@iscas.ac.cn --- Changes in v2: - modified the patch as suggestions to avoid UAF. --- drivers/char/xillybus/xillybus_class.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/char/xillybus/xillybus_class.c b/drivers/char/xillybus/xillybus_class.c index c92a628e389e..356af6551b0d 100644 --- a/drivers/char/xillybus/xillybus_class.c +++ b/drivers/char/xillybus/xillybus_class.c @@ -104,8 +104,7 @@ int xillybus_init_chrdev(struct device *dev, if (rc) { dev_err(dev, "Failed to add cdev.\n"); /* kobject_put() is normally done by cdev_del() */ - kobject_put(&unit->cdev->kobj); - goto unregister_chrdev; + goto err_cdev; }
for (i = 0; i < num_nodes; i++) { @@ -157,6 +156,7 @@ int xillybus_init_chrdev(struct device *dev, device_destroy(&xillybus_class, MKDEV(unit->major, i + unit->lowest_minor));
+err_cdev: cdev_del(unit->cdev);
unregister_chrdev:
Hello,
In what way is this better? cdev_del() calls cdev_unmap() to undo the mapping that a successful call to cdev_add() performs, but that's unnecessary, because the whole point is that the latter failed. And then cdev_del() calls kobject_put(), and then returns.
So the existing code calls kobject_put() directly, achieving the same effect. It's a matter of coding style. Which is better? I don't know.
What is the common convention in the kernel? Not clear either. For example, in fs/fuse/cuse.c a failure of cdev_add() leads to a call to cdev_del(), like you suggested. However, in uio/uio.c the same scenario is handled by a call to kobject_put(), exactly as in my driver.
Has this topic been discussed in the past? Any decision made?
Besides, if we remove the call to kobject_put(), so should the comment explaining it.
Regards, Eli
On 11/03/2025 3:39, Ma Ke wrote:
After cdev_alloc() succeed and cdev_add() failed, call cdev_del() to remove unit->cdev from the system properly.
Found by code review.
Cc: stable@vger.kernel.org Fixes: 8cb5d216ab33 ("char: xillybus: Move class-related functions to new xillybus_class.c") Signed-off-by: Ma Ke make24@iscas.ac.cn
Changes in v2:
- modified the patch as suggestions to avoid UAF.
drivers/char/xillybus/xillybus_class.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/char/xillybus/xillybus_class.c b/drivers/char/xillybus/xillybus_class.c index c92a628e389e..356af6551b0d 100644 --- a/drivers/char/xillybus/xillybus_class.c +++ b/drivers/char/xillybus/xillybus_class.c @@ -104,8 +104,7 @@ int xillybus_init_chrdev(struct device *dev, if (rc) { dev_err(dev, "Failed to add cdev.\n"); /* kobject_put() is normally done by cdev_del() */
kobject_put(&unit->cdev->kobj);goto unregister_chrdev;
goto err_cdev;for (i = 0; i < num_nodes; i++) { @@ -157,6 +156,7 @@ int xillybus_init_chrdev(struct device *dev, device_destroy(&xillybus_class, MKDEV(unit->major, i + unit->lowest_minor)); +err_cdev: cdev_del(unit->cdev); unregister_chrdev:
linux-stable-mirror@lists.linaro.org
-
Eli Billauer -
Ma Ke