From: Greg KH <gregkh@linuxfoundation.org>
To: Schspa Shi <schspa@gmail.com>
Cc: rafael@kernel.org, ming.lei@canonical.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] driver: base: fix UAF when driver_attach failed
Date: Wed, 11 May 2022 14:57:28 +0200
Message-ID: <YnuyuFRaDTY2n4VB@kroah.com>
In-Reply-To: <20220511124336.66705-1-schspa@gmail.com>

On Wed, May 11, 2022 at 08:43:36PM +0800, Schspa Shi wrote:
> When driver_attach(drv); failed, the driver_private will be freed.
> But it has been added to the bus, which caused a UAF.
> 
> To fix it, we need to delete it from the bus when failed.
> 
> Fixes: 190888ac01d0 ("driver core: fix possible missing of device probe")
> 
> Signed-off-by: Schspa Shi <schspa@gmail.com>

No blank line needed after fixes:

> ---
>  drivers/base/bus.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/base/bus.c b/drivers/base/bus.c
> index 97936ec49bde..7ca47e5b3c1f 100644
> --- a/drivers/base/bus.c
> +++ b/drivers/base/bus.c
> @@ -617,7 +617,7 @@ int bus_add_driver(struct device_driver *drv)
>  	if (drv->bus->p->drivers_autoprobe) {
>  		error = driver_attach(drv);
>  		if (error)
> -			goto out_unregister;
> +			goto out_del_list;
>  	}
>  	module_add_driver(drv->owner, drv);
>  
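
Review bot: The new goto out_del_list in the driver_attach() failure branch assumes priv->knode_bus is already on the bus list at this point, but neither the context lines nor the changelog show where it is added. Naming that call in the commit message would let a reader confirm that the unwind order mirrors the setup order.
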
> @@ -644,6 +644,8 @@ int bus_add_driver(struct device_driver *drv)
>  
>  	return 0;
>  
> +out_del_list:
> +	klist_del(&priv->knode_bus);
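
Review bot: out_del_list has no exit of its own. The diffstat's three insertions are all visible, so after klist_del(&priv->knode_bus) control falls through into whatever label follows, which the quote cuts off. Please confirm that the following label is the cleanup that releases the driver private data, so the node is unlinked before the free. Also note that klist_del() does not wait for a concurrent list walker to drop its reference to the node; if the bus list can be iterated while this error path runs, klist_remove() is the variant that waits.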

Odd, how did you find this?  Has this ever been triggered by any
real-world situations?

thanks,

greg k-h
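
Added example, not part of the thread or of the kernel source: a userspace C model of the error path the commit message describes, where an object is put on a list and then released when a later step fails. The names model_add_driver, dangling_entries, pool and the live flag are hypothetical; releasing is modelled by clearing a flag so that a stale list entry can be counted without touching freed memory.

```c
/* Userspace model of the bus_add_driver() error path; not kernel code. */
#include <stddef.h>

struct node { struct node *next; };               /* stands in for knode_bus */
struct drv_priv { struct node knode; int live; }; /* stands in for driver_private */
struct bus { struct node *head; };                /* stands in for the bus driver list */

/* "Freeing" only clears .live, so a stale list entry can be detected
 * without reading released memory. */
static struct drv_priv pool[8];
static size_t pool_used;

static void list_add(struct bus *b, struct node *n) { n->next = b->head; b->head = n; }

static void list_del(struct bus *b, struct node *n)
{
    for (struct node **pp = &b->head; *pp; pp = &(*pp)->next)
        if (*pp == n) { *pp = n->next; return; }
}

/* Number of list entries whose owning object was already released. */
size_t dangling_entries(const struct bus *b)
{
    size_t count = 0;
    for (const struct node *n = b->head; n; n = n->next)
        if (!((const struct drv_priv *)n)->live)  /* knode is the first member */
            count++;
    return count;
}

/* attach_fails models driver_attach() returning an error;
 * unlink_on_error selects the unwinding that has the out_del_list step. */
int model_add_driver(struct bus *b, int attach_fails, int unlink_on_error)
{
    if (pool_used == sizeof(pool) / sizeof(pool[0]))
        return -1;
    struct drv_priv *priv = &pool[pool_used++];
    priv->live = 1;
    list_add(b, &priv->knode);       /* object is now reachable from the bus */
    if (attach_fails)
        goto out_del_list;
    return 0;

out_del_list:
    if (unlink_on_error)
        list_del(b, &priv->knode);   /* drop the list reference first */
    priv->live = 0;                  /* then release (the out_unregister step) */
    return -1;
}
```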

Thread overview: 3+ messages
2022-05-11 12:43 [PATCH] driver: base: fix UAF when driver_attach failed Schspa Shi
2022-05-11 12:57 ` Greg KH [this message]
2022-05-11 13:25   ` Schspa Shi
