IB/core: Fix sysfs registration error flow
commit b312be3 upstream.

The kernel commit cited below restructured ib device management
so that the device kobject is initialized in ib_alloc_device.

As part of the restructuring, the kobject is now initialized in
procedure ib_alloc_device, and is later added to the device hierarchy
in the ib_register_device call stack, in procedure
ib_device_register_sysfs (which calls device_add).

However, in the ib_device_register_sysfs error flow, if an error
occurs following the call to device_add, the cleanup procedure
device_unregister is called. This call results in the device object
being deleted -- which results in various use-after-free crashes.

The correct cleanup call is device_del -- which undoes device_add
without deleting the device object.

The device object will then (correctly) be deleted in the
ib_register_device caller's error cleanup flow, when the caller invokes
ib_dealloc_device.

Fixes: 55aeed0 ("IB/core: Make ib_alloc_device init the kobject")
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: Ia1a8c018aa89e15e891efd5c03272ba0c677e8c3
Jack Morgenstein authored and Lee Jones committed Oct 14, 2020
1 parent e2a2895 commit 4c8c61f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/infiniband/core/sysfs.c
Expand Up @@ -888,7 +888,7 @@ int ib_device_register_sysfs(struct ib_device *device,
free_port_list_attributes(device);

err_unregister:
device_unregister(class_dev);
device_del(class_dev);

err:
return ret;
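
Review bot: The label `err_unregister:` no longer describes what runs under it, since the cleanup there is now `device_del(class_dev)`. Consider renaming the label (and its goto sites) to something like `err_del:`, and add a one-line comment at that label stating that the device reference is intentionally not dropped here because the caller's error path releases it through ib_dealloc_device, as the commit message explains. device_unregister is device_del followed by put_device, so without that comment the absent put_device reads like a leak and invites a later change back to the call that caused the use-after-free.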