Commit 765bc5ec authored by Julian Ruess's avatar Julian Ruess Committed by Liu Kai
Browse files

s390/ism: add release function for struct device 

stable inclusion
from stable-v6.6.80
commit 940d15254d2216b585558bcf36312da50074e711
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBSW0X
CVE: CVE-2025-21856

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=940d15254d2216b585558bcf36312da50074e711



--------------------------------

[ Upstream commit 915e34d5ad35a6a9e56113f852ade4a730fb88f0 ]

According to device_release() in /drivers/base/core.c,
a device without a release function is a broken device
and must be fixed.

The current code directly frees the device after calling device_add()
without waiting for other kernel parts to release their references.
Thus, a reference could still be held to a struct device,
e.g., by sysfs, leading to potential use-after-free
issues if a proper release function is not set.

Fixes: 8c81ba20 ("net/smc: De-tangle ism and smc device initialization")
Reviewed-by: default avatarAlexandra Winter <wintera@linux.ibm.com>
Reviewed-by: default avatarWenjia Zhang <wenjia@linux.ibm.com>
Signed-off-by: default avatarJulian Ruess <julianr@linux.ibm.com>
Signed-off-by: default avatarAlexandra Winter <wintera@linux.ibm.com>
Reviewed-by: default avatarSimon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250214120137.563409-1-wintera@linux.ibm.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarLiu Kai <liukai284@huawei.com>
parent 0278be80

drivers/s390/net/ism_drv.c

+12 −2
Original line number Diff line number Diff line
@@ -588,6 +588,15 @@ static int ism_dev_init(struct ism_dev *ism) 
	return ret;

}



static void ism_dev_release(struct device *dev)

{

	struct ism_dev *ism;



	ism = container_of(dev, struct ism_dev, dev);



	kfree(ism);

}



static int ism_probe(struct pci_dev *pdev, const struct pci_device_id *id)

{

	struct ism_dev *ism;
@@ -601,6 +610,7 @@ static int ism_probe(struct pci_dev *pdev, const struct pci_device_id *id) 
	dev_set_drvdata(&pdev->dev, ism);

	ism->pdev = pdev;

	ism->dev.parent = &pdev->dev;

	ism->dev.release = ism_dev_release;

	device_initialize(&ism->dev);

	dev_set_name(&ism->dev, dev_name(&pdev->dev));

	ret = device_add(&ism->dev);
@@ -637,7 +647,7 @@ static int ism_probe(struct pci_dev *pdev, const struct pci_device_id *id) 
	device_del(&ism->dev);

err_dev:

	dev_set_drvdata(&pdev->dev, NULL);

	kfree(ism);

	put_device(&ism->dev);



	return ret;

}
@@ -682,7 +692,7 @@ static void ism_remove(struct pci_dev *pdev) 
	pci_disable_device(pdev);

	device_del(&ism->dev);

	dev_set_drvdata(&pdev->dev, NULL);

	kfree(ism);

	put_device(&ism->dev);

}



static struct pci_driver ism_driver = {