github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-30 10:04:04 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

gpio: sysfs: fix use-after-free in error path

Browse Source 
When invoking device_create_with_groups(), its return value is stored
in `data->cdev_base`. However, in case of faiure, `data` is first freed
and then derefernced in order to return `data->cdev_base`.

Fix the use-after-free by extracting the error code before free'ing
`data`.

Fixes: fd19792851 ("gpio: sysfs: remove the mockdev pointer from struct gpio_device")
Addresses-Coverity-ID: 1644512 ("Memory - illegal accesses  (USE_AFTER_FREE)")
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Link: https://lore.kernel.org/r/20250622220221.28025-1-antonio@mandelbit.com
[Bartosz: added Fixes: tag, tweaked commit message]
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
This commit is contained in:
Antonio Quartulli 2025-06-23 00:02:21 +02:00 committed by Bartosz Golaszewski
parent fd19792851
commit e6bb78570f
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/gpio/gpiolib-sysfs.c
View File

@ -741,6 +741,7 @@ int gpiochip_sysfs_register(struct gpio_device *gdev)
struct gpiodev_data *data;
struct gpio_chip *chip;
struct device *parent;
int err;
/*
* Many systems add gpio chips for SOC support very early,
@ -781,8 +782,9 @@ int gpiochip_sysfs_register(struct gpio_device *gdev)
GPIOCHIP_NAME "%d",
chip->base);
if (IS_ERR(data->cdev_base)) {
err = PTR_ERR(data->cdev_base);
kfree(data);
return PTR_ERR(data->cdev_base);
return err;
}
return 0;