[thirdparty/kernel/stable-queue.git] / releases / 4.4.157 / uio-potential-double-frees-if-__uio_register_device-fails.patch

From foo@baz Mon Sep 17 12:15:09 CEST 2018
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu, 2 Aug 2018 11:24:47 +0300
Subject: uio: potential double frees if __uio_register_device() fails

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit f019f07ecf6a6b8bd6d7853bce70925d90af02d1 ]

The uio_unregister_device() function assumes that if "info->uio_dev" is
non-NULL that means "info" is fully allocated.  Setting info->uio_de
has to be the last thing in the function.

In the current code, if request_threaded_irq() fails then we return with
info->uio_dev set to non-NULL but info is not fully allocated and it can
lead to double frees.

Fixes: beafc54c4e2f ("UIO: Add the User IO core code")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/uio/uio.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -833,8 +833,6 @@ int __uio_register_device(struct module
 	if (ret)
 		goto err_uio_dev_add_attributes;
 
-	info->uio_dev = idev;
-
 	if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) {
 		/*
 		 * Note that we deliberately don't use devm_request_irq
@@ -850,6 +848,7 @@ int __uio_register_device(struct module
 			goto err_request_irq;
 	}
 
+	info->uio_dev = idev;
 	return 0;
 
 err_request_irq:
Commit	Line	Data
7be860c4 GKH	1	From foo@baz Mon Sep 17 12:15:09 CEST 2018
	2	From: Dan Carpenter <dan.carpenter@oracle.com>
	3	Date: Thu, 2 Aug 2018 11:24:47 +0300
	4	Subject: uio: potential double frees if __uio_register_device() fails
	5
	6	From: Dan Carpenter <dan.carpenter@oracle.com>
	7
	8	[ Upstream commit f019f07ecf6a6b8bd6d7853bce70925d90af02d1 ]
	9
	10	The uio_unregister_device() function assumes that if "info->uio_dev" is
	11	non-NULL that means "info" is fully allocated. Setting info->uio_de
	12	has to be the last thing in the function.
	13
	14	In the current code, if request_threaded_irq() fails then we return with
	15	info->uio_dev set to non-NULL but info is not fully allocated and it can
	16	lead to double frees.
	17
	18	Fixes: beafc54c4e2f ("UIO: Add the User IO core code")
	19	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	20	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	21	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
	22	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	23	---
	24	drivers/uio/uio.c \| 3 +--
	25	1 file changed, 1 insertion(+), 2 deletions(-)
	26
	27	--- a/drivers/uio/uio.c
	28	+++ b/drivers/uio/uio.c
	29	@@ -833,8 +833,6 @@ int __uio_register_device(struct module
	30	if (ret)
	31	goto err_uio_dev_add_attributes;
	32
	33	- info->uio_dev = idev;
	34	-
	35	if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) {
	36	/*
	37	* Note that we deliberately don't use devm_request_irq
	38	@@ -850,6 +848,7 @@ int __uio_register_device(struct module
	39	goto err_request_irq;
	40	}
	41
	42	+ info->uio_dev = idev;
	43	return 0;
	44
	45	err_request_irq: