Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp12374358imu;
        Tue, 1 Jan 2019 22:16:32 -0800 (PST)
X-Google-Smtp-Source: ALg8bN5qwElTwZCYX55vCJW2QiRRSqTcp7M1RLKILT991wOS7LjqnBajnqpzAfG5HrNQw5/UKTYP
X-Received: by 2002:a65:4946:: with SMTP id q6mr12217394pgs.201.1546409792754;
        Tue, 01 Jan 2019 22:16:32 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1546409792; cv=none;
        d=google.com; s=arc-20160816;
        b=xxMdDNQHXOe20omqfUbJGbka7erQ9m3hnqvQ/vNVtnAywL7igJKxR+DRMoxr6l+Iqy
         BX6c6HLVzC5IEarKkB46YROnZtyqiA4Bh+3nkPv2n5qiWmfNy5E5Z8MRiG2fjlowwOeV
         pJlDS1yY1dm06YUxcL7200sNbA1MCnUIRj0DatYgP42IN8mXUwNZmYhbjXlChxVpBmto
         mJCX2ZMJ2nq0ImImCtz3Aj7FQW6+1Man6+RHQG9f/A288oQ2qNm1cG6ua3z9Y8TppFX0
         p65n8c8FLGJnLW6+fLkmJnOk12L2djjW71akKy073tuHFwBbMV8Z/CU+TYcNw8WiT4JT
         O2hA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:date:subject:cc
         :to:from;
        bh=eL4WylUAFTuNPg53IrcqSFd/A++1UTCTX8ONJiCj1XI=;
        b=NT8Fz03MU4/TTDy+R0jonC20n6y552RG5lAy/zsPsi6lLB93AAtm0Oi8WzS9LX1D6W
         2bl7yTSEJiXtJHKROecTIhI71lCHxeZpuVJz31RD2n1GrKOsKQYzW314rXtkRdzfpPPF
         UX87qo2oNCB+c8nyg9uu9+n/wQPwMtrHJJY9xHX7OszNF9UXteET/YTCNCFpVFbBnDOz
         U38f4r7HjVNMksEyjZBPEVHop3TjGO4W26DqgKbPO1Hrm7dZKIvhiTQMoDYUfnCB7M1E
         pRtrt/Hj+51Ht3uyX7PXHEix3bfotK8IEePBepUdTB2UwLtAVL5nSgdd05V+18FFSVKT
         vdRQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d65si51368479pfc.201.2019.01.01.22.16.14;
        Tue, 01 Jan 2019 22:16:32 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728152AbfABFle (ORCPT <rfc822;dacohen@gmail.com> + 99 others);
        Wed, 2 Jan 2019 00:41:34 -0500
Received: from szxga05-in.huawei.com ([45.249.212.191]:16672 "EHLO huawei.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1727265AbfABFle (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 2 Jan 2019 00:41:34 -0500
Received: from DGGEMS401-HUB.china.huawei.com (unknown [172.30.72.58])
        by Forcepoint Email with ESMTP id F0C3FCFFBA121;
        Wed,  2 Jan 2019 13:41:26 +0800 (CST)
Received: from huawei.com (10.175.104.208) by DGGEMS401-HUB.china.huawei.com
 (10.3.19.201) with Microsoft SMTP Server id 14.3.408.0; Wed, 2 Jan 2019
 13:41:21 +0800
From:   liujian <liujian56@huawei.com>
To:     <gregkh@linuxfoundation.org>, <hamish.martin@alliedtelesis.co.nz>
CC:     <liujian56@huawei.com>, <linux-kernel@vger.kernel.org>
Subject: [PATCH] driver: uio: fix possible memory leak and use-after-free in __uio_register_device
Date:   Wed, 2 Jan 2019 23:42:20 +0800
Message-ID: <1546443740-22370-1-git-send-email-liujian56@huawei.com>
X-Mailer: git-send-email 2.7.4
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.175.104.208]
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Before device_register, if something goes wrong, we need to manually
 free idev.

In the error handling path, after device_unregister, idev maybe have been
 released, we should not use it anymore.

Signed-off-by: liujian <liujian56@huawei.com>
---
 drivers/uio/uio.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
index 1313422..5c10fc7 100644
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -413,13 +413,18 @@ static int uio_get_minor(struct uio_device *idev)
 	return retval;
 }
 
-static void uio_free_minor(struct uio_device *idev)
+static void __uio_free_minor(int id)
 {
 	mutex_lock(&minor_lock);
-	idr_remove(&uio_idr, idev->minor);
+	idr_remove(&uio_idr, id);
 	mutex_unlock(&minor_lock);
 }
 
+static void uio_free_minor(struct uio_device *idev)
+{
+	__uio_free_minor(idev->minor);
+}
+
 /**
  * uio_event_notify - trigger an interrupt event
  * @info: UIO device capabilities
@@ -919,6 +924,7 @@ int __uio_register_device(struct module *owner,
 {
 	struct uio_device *idev;
 	int ret = 0;
+	int uio_minor;
 
 	if (!uio_class_registered)
 		return -EPROBE_DEFER;
@@ -940,8 +946,12 @@ int __uio_register_device(struct module *owner,
 	atomic_set(&idev->event, 0);
 
 	ret = uio_get_minor(idev);
-	if (ret)
+	if (ret) {
+		kfree(idev);
 		return ret;
+	}
+
+	uio_minor = idev->minor;
 
 	idev->dev.devt = MKDEV(uio_major, idev->minor);
 	idev->dev.class = &uio_class;
@@ -950,8 +960,11 @@ int __uio_register_device(struct module *owner,
 	dev_set_drvdata(&idev->dev, idev);
 
 	ret = dev_set_name(&idev->dev, "uio%d", idev->minor);
-	if (ret)
-		goto err_device_create;
+	if (ret) {
+		__uio_free_minor(uio_minor);
+		kfree(idev);
+		return ret;
+	}
 
 	ret = device_register(&idev->dev);
 	if (ret)
@@ -987,7 +1000,7 @@ int __uio_register_device(struct module *owner,
 err_uio_dev_add_attributes:
 	device_unregister(&idev->dev);
 err_device_create:
-	uio_free_minor(idev);
+	__uio_free_minor(uio_minor);
 	return ret;
 }
 EXPORT_SYMBOL_GPL(__uio_register_device);
-- 
2.7.4