releases/4.9.128/uio-potential-double-frees-if-__uio_register_device-fails.patch

   1 From foo@baz Mon Sep 17 12:22:41 CEST 2018
   2 From: Dan Carpenter <dan.carpenter@oracle.com>
   3 Date: Thu, 2 Aug 2018 11:24:47 +0300
   4 Subject: uio: potential double frees if __uio_register_device() fails
   5
   6 From: Dan Carpenter <dan.carpenter@oracle.com>
   7
   8 [ Upstream commit f019f07ecf6a6b8bd6d7853bce70925d90af02d1 ]
   9
  10 The uio_unregister_device() function assumes that if "info->uio_dev" is
  11 non-NULL that means "info" is fully allocated.  Setting info->uio_de
  12 has to be the last thing in the function.
  13
  14 In the current code, if request_threaded_irq() fails then we return with
  15 info->uio_dev set to non-NULL but info is not fully allocated and it can
  16 lead to double frees.
  17
  18 Fixes: beafc54c4e2f ("UIO: Add the User IO core code")
  19 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
  20 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  21 Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
  22 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  23 ---
  24  drivers/uio/uio.c |    3 +--
  25  1 file changed, 1 insertion(+), 2 deletions(-)
  26
  27 --- a/drivers/uio/uio.c
  28 +++ b/drivers/uio/uio.c
  29 @@ -841,8 +841,6 @@ int __uio_register_device(struct module
  30         if (ret)
  31                 goto err_uio_dev_add_attributes;
  32
  33 -       info->uio_dev = idev;
  34 -
  35         if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) {
  36                 /*
  37                  * Note that we deliberately don't use devm_request_irq
  38 @@ -858,6 +856,7 @@ int __uio_register_device(struct module
  39                         goto err_request_irq;
  40         }
  41
  42 +       info->uio_dev = idev;
  43         return 0;
  44
  45  err_request_irq: