[PATCH 5.2 047/144] can: flexcan: fix an use-after-free in flexcan_setup_stop_mode()
From: Greg Kroah-Hartman
Date: Wed Aug 14 2019 - 13:04:03 EST
From: Wen Yang <wen.yang99@xxxxxxxxxx>
commit e9f2a856e102fa27715b94bcc2240f686536d29b upstream.
The gpr_np variable is still being used in dev_dbg() after the
of_node_put() call, which may result in use-after-free.
Fixes: de3578c198c6 ("can: flexcan: add self wakeup support")
Signed-off-by: Wen Yang <wen.yang99@xxxxxxxxxx>
Cc: linux-stable <stable@xxxxxxxxxxxxxxx> # >= v5.0
Signed-off-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/can/flexcan.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -1455,10 +1455,10 @@ static int flexcan_setup_stop_mode(struc
priv = netdev_priv(dev);
priv->stm.gpr = syscon_node_to_regmap(gpr_np);
- of_node_put(gpr_np);
if (IS_ERR(priv->stm.gpr)) {
dev_dbg(&pdev->dev, "could not find gpr regmap\n");
- return PTR_ERR(priv->stm.gpr);
+ ret = PTR_ERR(priv->stm.gpr);
+ goto out_put_node;
}
priv->stm.req_gpr = out_val[1];
@@ -1473,7 +1473,9 @@ static int flexcan_setup_stop_mode(struc
device_set_wakeup_capable(&pdev->dev, true);
- return 0;
+out_put_node:
+ of_node_put(gpr_np);
+ return ret;
}
static const struct of_device_id flexcan_of_match[] = {