| Message ID | 20250622220221.28025-1-antonio@mandelbit.com |
|---|---|
| State | New |
| Headers | show |
| Series | gpiolib-sysfs: fix use-after-free in error path | expand |
diff --git a/drivers/gpio/gpiolib-sysfs.c b/drivers/gpio/gpiolib-sysfs.c index 956411fc467a..c4c21e25c682 100644 --- a/drivers/gpio/gpiolib-sysfs.c +++ b/drivers/gpio/gpiolib-sysfs.c @@ -741,6 +741,7 @@ int gpiochip_sysfs_register(struct gpio_device *gdev) struct gpiodev_data *data; struct gpio_chip *chip; struct device *parent; + int err; /* * Many systems add gpio chips for SOC support very early, @@ -781,8 +782,9 @@ int gpiochip_sysfs_register(struct gpio_device *gdev) GPIOCHIP_NAME "%d", chip->base); if (IS_ERR(data->cdev_base)) { + err = PTR_ERR(data->cdev_base); kfree(data); - return PTR_ERR(data->cdev_base); + return err; } return 0;
When invoking device_create_with_groups() its return value is stored in `data->cdev_base`. However, in case of faiure, `data` is first freed and then derefernced in order to return `data->cdev_base`. Fix the use-after-free by extracting the error code before free'ing `data`. This issue was reported by Coverity Scan. Addresses-Coverity-ID: 1644512 ("Memory - illegal accesses (USE_AFTER_FREE)") Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> --- drivers/gpio/gpiolib-sysfs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)