From: Schspa Shi <schspa@gmail.com> mainline inclusion from mainline-v5.19-rc1 commit 310862e574001a97ad02272bac0fd13f75f42a27 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP35K CVE: CVE-2022-49385 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- When driver_attach(drv); failed, the driver_private will be freed. But it has been added to the bus, which caused a UAF. To fix it, we need to delete it from the bus when failed. Fixes: 190888ac01d0 ("driver core: fix possible missing of device probe") Signed-off-by: Schspa Shi <schspa@gmail.com> Link: https://lore.kernel.org/r/20220513112444.45112-1-schspa@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: drivers/base/bus.c [Fixing conflicts] Signed-off-by: Tirui Yin <yintirui@huawei.com> Reviewed-by: Weilong Chen <chenweilong@huawei.com> --- drivers/base/bus.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/base/bus.c b/drivers/base/bus.c index 5f1966081c42..f45506c56c33 100644 --- a/drivers/base/bus.c +++ b/drivers/base/bus.c @@ -661,7 +661,7 @@ int bus_add_driver(struct device_driver *drv) } else { error = driver_attach(drv); if (error) - goto out_unregister; + goto out_del_list; } } module_add_driver(drv->owner, drv); @@ -689,6 +689,8 @@ int bus_add_driver(struct device_driver *drv) return 0; +out_del_list: + klist_del(&priv->knode_bus); out_unregister: kobject_put(&priv->kobj); /* drv->p is freed in driver_release() */ -- 2.22.0