rio_add_net() calls device_register() and fails when device_register() fails. Thus, put_device() should be used rather than kfree().
Fixes: e8de370188d0 ("rapidio: add mport char device driver") Cc: stable@vger.kernel.org Signed-off-by: Haoxiang Li haoxiang_li2024@163.com --- drivers/rapidio/devices/rio_mport_cdev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c index 27afbb9d544b..cfff1c82fb25 100644 --- a/drivers/rapidio/devices/rio_mport_cdev.c +++ b/drivers/rapidio/devices/rio_mport_cdev.c @@ -1742,7 +1742,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv, err = rio_add_net(net); if (err) { rmcd_debug(RDEV, "failed to register net, err=%d", err); - kfree(net); + put_device(&net->dev); goto cleanup; } }
On Thu, Feb 27, 2025 at 11:58:59AM +0800, Haoxiang Li wrote:
rio_add_net() calls device_register() and fails when device_register() fails. Thus, put_device() should be used rather than kfree().
Fixes: e8de370188d0 ("rapidio: add mport char device driver") Cc: stable@vger.kernel.org Signed-off-by: Haoxiang Li haoxiang_li2024@163.com
drivers/rapidio/devices/rio_mport_cdev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c index 27afbb9d544b..cfff1c82fb25 100644 --- a/drivers/rapidio/devices/rio_mport_cdev.c +++ b/drivers/rapidio/devices/rio_mport_cdev.c @@ -1742,7 +1742,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv, err = rio_add_net(net); if (err) { rmcd_debug(RDEV, "failed to register net, err=%d", err);
kfree(net);
put_device(&net->dev);
Yeah, you're right. But the worse bug is that we're missing an "mport->net = NULL;" before this goto. It leads to a quite bad use after free issue if we trigger this path.
Please fix that as well and resend.
regards, dan carpenter
goto cleanup; }}
2.25.1
linux-stable-mirror@lists.linaro.org
-
Dan Carpenter -
Haoxiang Li