gpio: sysfs: fix use-after-free in error path

When invoking device_create_with_groups(), its return value is stored
in `data->cdev_base`. However, in case of faiure, `data` is first freed
and then derefernced in order to return `data->cdev_base`.

Fix the use-after-free by extracting the error code before free'ing
`data`.

Fixes: fd19792851db ("gpio: sysfs: remove the mockdev pointer from struct gpio_device")
Addresses-Coverity-ID: 1644512 ("Memory - illegal accesses  (USE_AFTER_FREE)")
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Link: https://lore.kernel.org/r/20250622220221.28025-1-antonio@mandelbit.com
[Bartosz: added Fixes: tag, tweaked commit message]
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

diff --git a/drivers/gpio/gpiolib-sysfs.c b/drivers/gpio/gpiolib-sysfs.c
index 956411fc467a26a9827c616d8dc067c70f9244bf..c4c21e25c682b939e4a0517393308343feb6585a 100644 (file)
--- a/drivers/gpio/gpiolib-sysfs.c
+++ b/drivers/gpio/gpiolib-sysfs.c
@@ -741,6 +741,7 @@ int gpiochip_sysfs_register(struct gpio_device *gdev)
        struct gpiodev_data *data;
        struct gpio_chip *chip;
        struct device *parent;
+       int err;
 
        /*
         * Many systems add gpio chips for SOC support very early,
@@ -781,8 +782,9 @@ int gpiochip_sysfs_register(struct gpio_device *gdev)
                                                    GPIOCHIP_NAME "%d",
                                                    chip->base);
        if (IS_ERR(data->cdev_base)) {
+               err = PTR_ERR(data->cdev_base);
                kfree(data);
-               return PTR_ERR(data->cdev_base);
+               return err;
        }
 
        return 0;