[PATCH v2] driver: base: fix UAF when driver

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH v2] driver: base: fix UAF when driver_attach failed
@ 2022-05-13 11:24 Schspa Shi
  0 siblings, 0 replies; only message in thread
From: Schspa Shi @ 2022-05-13 11:24 UTC (permalink / raw)
  To: gregkh, rafael; +Cc: linux-kernel, schspa

When driver_attach(drv); failed, the driver_private will be freed.
But it has been added to the bus, which caused a UAF.

To fix it, we need to delete it from the bus when failed.

Fixes: 190888ac01d0 ("driver core: fix possible missing of device probe")
Signed-off-by: Schspa Shi <schspa@gmail.com>

---

Changelog:
v1 -> v2:
        - Remove the blank line needed after fixes
---
 drivers/base/bus.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/base/bus.c b/drivers/base/bus.c
index 97936ec49bde..7ca47e5b3c1f 100644
--- a/drivers/base/bus.c
+++ b/drivers/base/bus.c
@@ -617,7 +617,7 @@ int bus_add_driver(struct device_driver *drv)
 	if (drv->bus->p->drivers_autoprobe) {
 		error = driver_attach(drv);
 		if (error)
-			goto out_unregister;
+			goto out_del_list;
 	}
 	module_add_driver(drv->owner, drv);
 
@@ -644,6 +644,8 @@ int bus_add_driver(struct device_driver *drv)
 
 	return 0;
 
+out_del_list:
+	klist_del(&priv->knode_bus);
 out_unregister:
 	kobject_put(&priv->kobj);
 	/* drv->p is freed in driver_release()  */
-- 
2.29.0


^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2022-05-13 11:25 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-05-13 11:24 [PATCH v2] driver: base: fix UAF when driver_attach failed Schspa Shi

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.