Date: Mon, 7 Jan 2019 17:13:15 +0100
From: Greg KH
To: liujian
Cc: michal.simek@xilinx.com, hamish.martin@alliedtelesis.co.nz, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] driver: uio: fix possible memory leak and use-after-free in __uio_register_device
Message-ID: <20190107161315.GA25694@kroah.com>

On Fri, Jan 04, 2019 at 10:19:08PM +0800, liujian wrote:
> 'idev' is malloced in __uio_register_device() and leak free it before
> leaving from the uio_get_minor() error handling case, it will cause
> memory leak.
>
> Also, in uio_dev_add_attributes() error handling case, idev is used after
> device_unregister(), in which 'idev' has been released, touch idev cause
> use-after-free.
>
> Fixes: a93e7b331568 ("uio: Prevent device destruction while fds are open")
> Fixes: e6789cd3dfb5 ("uio: Simplify uio error path by using devres functions")
> Signed-off-by: liujian
> Reviewed-by: Hamish Martin
> ---
> v1->v2:
> change git log and fix code
>
> drivers/uio/uio.c | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c > index 1313422..be2a943 100644 > --- a/drivers/uio/uio.c > +++ b/drivers/uio/uio.c > @@ -940,9 +940,12 @@ int __uio_register_device(struct module *owner, > atomic_set(&idev->event, 0); > > ret = uio_get_minor(idev); > - if (ret) > + if (ret) { > + kfree(idev); > return ret; > + } > > + device_initialize(&idev->dev); > idev->dev.devt = MKDEV(uio_major, idev->minor); > idev->dev.class = &uio_class; > idev->dev.parent = parent; 
> @@ -953,7 +956,7 @@ int __uio_register_device(struct module *owner, > if (ret) > goto err_device_create; > > - ret = device_register(&idev->dev); > + ret = device_add(&idev->dev); > if (ret) > goto err_device_create; > > @@ -985,9 +988,10 @@ int __uio_register_device(struct module *owner, > err_request_irq: > uio_dev_del_attributes(idev); > err_uio_dev_add_attributes: > - device_unregister(&idev->dev); > + device_del(&idev->dev); > err_device_create: > uio_free_minor(idev); > + put_device(&idev->dev);

device_del() and then put_device()? I don't think that's a correct error cleanup path do you?

Please fix one thing at a time here also, this should be a patch series, right?

thanks,

greg k-h
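
Review bot: in the hunk at @@ -940, the kfree(idev) on the uio_get_minor() failure path and the new device_initialize(&idev->dev) call are two separate fixes sharing one hunk. The kfree() is correct only because it runs before device_initialize(); once the device is initialized, idev has to be released with put_device(), and a bare kfree() on any later path would be wrong. Suggest moving the kfree() into its own patch with the Fixes: tag that applies to it, and adding a short comment above device_initialize() saying that from this point on idev is freed only through put_device().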
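
Review bot: in the hunk at @@ -953, replacing device_register() with device_add() is only safe together with the device_initialize() added in the earlier hunk and the put_device() added under err_device_create. A failed device_add() jumps to err_device_create and relies on that put_device() to drop the reference. If the patch is split into a series, these three changes need to stay in the same patch, and the changelog should say why device_register() is being opened up into device_initialize() plus device_add().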
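
Review bot: in the hunk at @@ -985, the error labels now fall through device_del(&idev->dev), uio_free_minor(idev) and put_device(&idev->dev), and the order matters: uio_free_minor() takes idev, so it has to run before put_device(), which can drop the last reference. Nothing in the hunk or the changelog states this. Suggest a comment at err_device_create noting that idev must not be touched after put_device(), and a sentence in the commit message explaining that device_unregister() was split into device_del() plus put_device() so the minor can be freed in between.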