Re: [PATCH] rapidio: fix an API misues when rio_add_net() fails
From: Dan Carpenter
Date: Thu Feb 27 2025 - 00:56:54 EST
On Thu, Feb 27, 2025 at 11:58:59AM +0800, Haoxiang Li wrote:
> rio_add_net() calls device_register() and fails when device_register()
> fails. Thus, put_device() should be used rather than kfree().
>
> Fixes: e8de370188d0 ("rapidio: add mport char device driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Haoxiang Li <haoxiang_li2024@xxxxxxx>
> ---
> drivers/rapidio/devices/rio_mport_cdev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
> index 27afbb9d544b..cfff1c82fb25 100644
> --- a/drivers/rapidio/devices/rio_mport_cdev.c
> +++ b/drivers/rapidio/devices/rio_mport_cdev.c
> @@ -1742,7 +1742,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv,
> err = rio_add_net(net);
> if (err) {
> rmcd_debug(RDEV, "failed to register net, err=%d", err);
> - kfree(net);
> + put_device(&net->dev);
Yeah, you're right. But the worse bug is that we're missing an
"mport->net = NULL;" before this goto. It leads to a quite bad
use after free issue if we trigger this path.
Please fix that as well and resend.
regards,
dan carpenter
> goto cleanup;
> }
> }
> --
> 2.25.1