1. Patchew
  2. linux
  3. View series

[PATCH] char: xillybus: Fix error handling in xillybus_init_chrdev()

Ma Ke posted 1 patch 11 months ago
There is a newer version of this series
drivers/char/xillybus/xillybus_class.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH] char: xillybus: Fix error handling in xillybus_init_chrdev()
Posted by Ma Ke 11 months ago 
After cdev_alloc() succeed and cdev_add() failed, call cdev_del() to
remove unit->cdev from the system properly.

Found by code review.

Cc: stable@vger.kernel.org
Fixes: 8cb5d216ab33 ("char: xillybus: Move class-related functions to new xillybus_class.c")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
---
 drivers/char/xillybus/xillybus_class.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/char/xillybus/xillybus_class.c b/drivers/char/xillybus/xillybus_class.c
index c92a628e389e..045e125ec423 100644
--- a/drivers/char/xillybus/xillybus_class.c
+++ b/drivers/char/xillybus/xillybus_class.c
@@ -105,7 +105,7 @@ int xillybus_init_chrdev(struct device *dev,
 		dev_err(dev, "Failed to add cdev.\n");
 		/* kobject_put() is normally done by cdev_del() */
 		kobject_put(&unit->cdev->kobj);
-		goto unregister_chrdev;
+		goto err_cdev;
 	}
 
 	for (i = 0; i < num_nodes; i++) {
@@ -157,6 +157,7 @@ int xillybus_init_chrdev(struct device *dev,
 		device_destroy(&xillybus_class, MKDEV(unit->major,
 						     i + unit->lowest_minor));
 
+err_cdev:
 	cdev_del(unit->cdev);
 
 unregister_chrdev:
-- 
2.25.1
Re: [PATCH] char: xillybus: Fix error handling in xillybus_init_chrdev()
Posted by Eli Billauer 11 months ago 
Hello,

Thanks for your patch.

However, as far as I understand, applying it will cause a Use After Free 
(UAF) error by cdev_del(), as the call to kobject_put() unwinds the 
memory allocation made by cdev_alloc().

Or have I missed something?

Regards,
    Eli

On 10/03/2025 4:28, Ma Ke wrote:
> After cdev_alloc() succeed and cdev_add() failed, call cdev_del() to
> remove unit->cdev from the system properly.
> 
> Found by code review.
> 
> Cc: stable@vger.kernel.org
> Fixes: 8cb5d216ab33 ("char: xillybus: Move class-related functions to new xillybus_class.c")
> Signed-off-by: Ma Ke <make24@iscas.ac.cn>
> ---
>   drivers/char/xillybus/xillybus_class.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/char/xillybus/xillybus_class.c b/drivers/char/xillybus/xillybus_class.c
> index c92a628e389e..045e125ec423 100644
> --- a/drivers/char/xillybus/xillybus_class.c
> +++ b/drivers/char/xillybus/xillybus_class.c
> @@ -105,7 +105,7 @@ int xillybus_init_chrdev(struct device *dev,
>   		dev_err(dev, "Failed to add cdev.\n");
>   		/* kobject_put() is normally done by cdev_del() */
>   		kobject_put(&unit->cdev->kobj);
> -		goto unregister_chrdev;
> +		goto err_cdev;
>   	}
>   
>   	for (i = 0; i < num_nodes; i++) {
> @@ -157,6 +157,7 @@ int xillybus_init_chrdev(struct device *dev,
>   		device_destroy(&xillybus_class, MKDEV(unit->major,
>   						     i + unit->lowest_minor));
>   
> +err_cdev:
>   	cdev_del(unit->cdev);
>   
>   unregister_chrdev:

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.