drivers/char/xillybus/xillybus_class.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
After cdev_alloc() succeed and cdev_add() failed, call cdev_del() to
remove unit->cdev from the system properly.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 8cb5d216ab33 ("char: xillybus: Move class-related functions to new xillybus_class.c")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
---
Changes in v2:
- modified the patch as suggestions to avoid UAF.
---
drivers/char/xillybus/xillybus_class.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/char/xillybus/xillybus_class.c b/drivers/char/xillybus/xillybus_class.c
index c92a628e389e..356af6551b0d 100644
--- a/drivers/char/xillybus/xillybus_class.c
+++ b/drivers/char/xillybus/xillybus_class.c
@@ -104,8 +104,7 @@ int xillybus_init_chrdev(struct device *dev,
if (rc) {
dev_err(dev, "Failed to add cdev.\n");
/* kobject_put() is normally done by cdev_del() */
- kobject_put(&unit->cdev->kobj);
- goto unregister_chrdev;
+ goto err_cdev;
}
for (i = 0; i < num_nodes; i++) {
@@ -157,6 +156,7 @@ int xillybus_init_chrdev(struct device *dev,
device_destroy(&xillybus_class, MKDEV(unit->major,
i + unit->lowest_minor));
+err_cdev:
cdev_del(unit->cdev);
unregister_chrdev:
--
2.25.1Hello,
In what way is this better? cdev_del() calls cdev_unmap() to undo the
mapping that a successful call to cdev_add() performs, but that's
unnecessary, because the whole point is that the latter failed. And then
cdev_del() calls kobject_put(), and then returns.
So the existing code calls kobject_put() directly, achieving the same
effect. It's a matter of coding style. Which is better? I don't know.
What is the common convention in the kernel? Not clear either. For
example, in fs/fuse/cuse.c a failure of cdev_add() leads to a call to
cdev_del(), like you suggested. However, in uio/uio.c the same scenario
is handled by a call to kobject_put(), exactly as in my driver.
Has this topic been discussed in the past? Any decision made?
Besides, if we remove the call to kobject_put(), so should the comment
explaining it.
Regards,
Eli
On 11/03/2025 3:39, Ma Ke wrote:
> After cdev_alloc() succeed and cdev_add() failed, call cdev_del() to
> remove unit->cdev from the system properly.
>
> Found by code review.
>
> Cc: stable@vger.kernel.org
> Fixes: 8cb5d216ab33 ("char: xillybus: Move class-related functions to new xillybus_class.c")
> Signed-off-by: Ma Ke <make24@iscas.ac.cn>
> ---
> Changes in v2:
> - modified the patch as suggestions to avoid UAF.
> ---
> drivers/char/xillybus/xillybus_class.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/char/xillybus/xillybus_class.c b/drivers/char/xillybus/xillybus_class.c
> index c92a628e389e..356af6551b0d 100644
> --- a/drivers/char/xillybus/xillybus_class.c
> +++ b/drivers/char/xillybus/xillybus_class.c
> @@ -104,8 +104,7 @@ int xillybus_init_chrdev(struct device *dev,
> if (rc) {
> dev_err(dev, "Failed to add cdev.\n");
> /* kobject_put() is normally done by cdev_del() */
> - kobject_put(&unit->cdev->kobj);
> - goto unregister_chrdev;
> + goto err_cdev;
> }
>
> for (i = 0; i < num_nodes; i++) {
> @@ -157,6 +156,7 @@ int xillybus_init_chrdev(struct device *dev,
> device_destroy(&xillybus_class, MKDEV(unit->major,
> i + unit->lowest_minor));
>
> +err_cdev:
> cdev_del(unit->cdev);
>
> unregister_chrdev:
© 2016 - 2026 Red Hat, Inc.