From: Antonio Quartulli <antonio@mandelbit.com>
Date: Sun, 22 Jun 2025 22:02:21 +0000 (+0200)
Subject: gpio: sysfs: fix use-after-free in error path
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6bb78570f7d531622ec572ef9ddbe6e66ff16ce;p=thirdparty%2Fkernel%2Flinux.git

gpio: sysfs: fix use-after-free in error path

When invoking device_create_with_groups(), its return value is stored
in `data->cdev_base`. However, in case of faiure, `data` is first freed
and then derefernced in order to return `data->cdev_base`.

Fix the use-after-free by extracting the error code before free'ing
`data`.

Fixes: fd19792851db ("gpio: sysfs: remove the mockdev pointer from struct gpio_device")
Addresses-Coverity-ID: 1644512 ("Memory - illegal accesses  (USE_AFTER_FREE)")
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Link: https://lore.kernel.org/r/20250622220221.28025-1-antonio@mandelbit.com
[Bartosz: added Fixes: tag, tweaked commit message]
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
---

diff --git a/drivers/gpio/gpiolib-sysfs.c b/drivers/gpio/gpiolib-sysfs.c
index 956411fc467a2..c4c21e25c682b 100644
--- a/drivers/gpio/gpiolib-sysfs.c
+++ b/drivers/gpio/gpiolib-sysfs.c
@@ -741,6 +741,7 @@ int gpiochip_sysfs_register(struct gpio_device *gdev)
 	struct gpiodev_data *data;
 	struct gpio_chip *chip;
 	struct device *parent;
+	int err;
 
 	/*
 	 * Many systems add gpio chips for SOC support very early,
@@ -781,8 +782,9 @@ int gpiochip_sysfs_register(struct gpio_device *gdev)
 						    GPIOCHIP_NAME "%d",
 						    chip->base);
 	if (IS_ERR(data->cdev_base)) {
+		err = PTR_ERR(data->cdev_base);
 		kfree(data);
-		return PTR_ERR(data->cdev_base);
+		return err;
 	}
 
 	return 0;