driver: uio: fix possible use-after-free in __uio_register_device

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

In uio_dev_add_attributes() error handing case, idev is used after
device_unregister(), in which 'idev' has been released, touch idev cause
use-after-free.

Fixes: a93e7b331568 ("uio: Prevent device destruction while fds are open")
Signed-off-by: Liu Jian <liujian56@huawei.com>
Reviewed-by: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Liu Jian and committed by

Greg Kroah-Hartman 7 years ago 221a1f4a 1a392b3d

+4 -2

1 changed file

expand all

drivers

uio

uio.c

+4 -2

drivers/uio/uio.c

··· 945 945 return ret; 946 946 } 947 947 948 + device_initialize(&idev->dev); 948 949 idev->dev.devt = MKDEV(uio_major, idev->minor); 949 950 idev->dev.class = &uio_class; 950 951 idev->dev.parent = parent; ··· 956 955 if (ret) 957 956 goto err_device_create; 958 957 959 - ret = device_register(&idev->dev); 958 + ret = device_add(&idev->dev); 960 959 if (ret) 961 960 goto err_device_create; 962 961 ··· 988 987 err_request_irq: 989 988 uio_dev_del_attributes(idev); 990 989 err_uio_dev_add_attributes: 991 - device_unregister(&idev->dev); 990 + device_del(&idev->dev); 992 991 err_device_create: 993 992 uio_free_minor(idev); 993 + put_device(&idev->dev); 994 994 return ret; 995 995 } 996 996 EXPORT_SYMBOL_GPL(__uio_register_device);