[PATCH] driver: base: fix UAF when driver_attach failed

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Schspa Shi <schspa@gmail.com>
To: gregkh@linuxfoundation.org, rafael@kernel.org
Cc: ming.lei@canonical.com, linux-kernel@vger.kernel.org,
	Schspa Shi <schspa@gmail.com>
Subject: [PATCH] driver: base: fix UAF when driver_attach failed
Date: Wed, 11 May 2022 20:43:36 +0800	[thread overview]
Message-ID: <20220511124336.66705-1-schspa@gmail.com> (raw)

When driver_attach(drv); failed, the driver_private will be freed.
But it has been added to the bus, which caused a UAF.

To fix it, we need to delete it from the bus when failed.

Fixes: 190888ac01d0 ("driver core: fix possible missing of device probe")

Signed-off-by: Schspa Shi <schspa@gmail.com>
---
 drivers/base/bus.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/base/bus.c b/drivers/base/bus.c
index 97936ec49bde..7ca47e5b3c1f 100644
--- a/drivers/base/bus.c
+++ b/drivers/base/bus.c
@@ -617,7 +617,7 @@ int bus_add_driver(struct device_driver *drv)
 	if (drv->bus->p->drivers_autoprobe) {
 		error = driver_attach(drv);
 		if (error)
-			goto out_unregister;
+			goto out_del_list;
 	}
 	module_add_driver(drv->owner, drv);
 
@@ -644,6 +644,8 @@ int bus_add_driver(struct device_driver *drv)
 
 	return 0;
 
+out_del_list:
+	klist_del(&priv->knode_bus);
 out_unregister:
 	kobject_put(&priv->kobj);
 	/* drv->p is freed in driver_release()  */
-- 
2.29.0

next             reply	other threads:[~2022-05-11 12:43 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-11 12:43 Schspa Shi [this message]
2022-05-11 12:57 ` [PATCH] driver: base: fix UAF when driver_attach failed Greg KH
2022-05-11 13:25   ` Schspa Shi

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:97936ec49bd dfblob:7ca47e5b3c1 )
 OR (
bs:"[PATCH] driver: base: fix UAF when driver_attach failed" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220511124336.66705-1-schspa@gmail.com \
    --to=schspa@gmail.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=ming.lei@canonical.com \
    --cc=rafael@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.