Commit 2a181074 authored Oct 31, 2024 by Zijun Hu Committed by Yongqiang Liu Oct 31, 2024

driver core: bus: Fix double free in driver API bus_register()

stable inclusion
from stable-v6.6.57
commit d885c464c25018b81a6b58f5d548fc2e3ef87dd1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYREJ
CVE: CVE-2024-50055

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d885c464c25018b81a6b58f5d548fc2e3ef87dd1



--------------------------------

[ Upstream commit bfa54a793ba77ef696755b66f3ac4ed00c7d1248 ]

For bus_register(), any error which happens after kset_register() will
cause that @priv are freed twice, fixed by setting @priv with NULL after
the first free.

Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20240727-bus_register_fix-v1-1-fed8dd0dba7a@quicinc.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

parent 90d2f3a5

drivers/base/bus.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -920,6 +920,8 @@ int bus_register(const struct bus_type *bus)
		bus_remove_file(bus, &bus_attr_uevent);
		bus_uevent_fail:
		kset_unregister(&priv->subsys);
		/* Above kset_unregister() will kfree @priv */
		priv = NULL;
		out:
		kfree(priv);
		return retval;