From: Dan Carpenter dan.carpenter@linaro.org
stable inclusion from stable-v4.19.316 commit 6cc30ef8eb6d8f8d6df43152264bbf8835d99931 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D3T CVE: CVE-2024-38627
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 3df463865ba42b8f88a590326f4c9ea17a1ce459 ]
The put_device(&stm->dev) call will trigger stm_device_release() which frees "stm" so the vfree(stm) on the next line is a double free.
Fixes: 389b6699a2aa ("stm class: Fix stm device initialization order") Signed-off-by: Dan Carpenter dan.carpenter@linaro.org Reviewed-by: Amelie Delaunay amelie.delaunay@foss.st.com Reviewed-by: Andy Shevchenko andriy.shevchenko@linux.intel.com Signed-off-by: Alexander Shishkin alexander.shishkin@linux.intel.com Link: https://lore.kernel.org/r/20240429130119.1518073-2-alexander.shishkin@linux.... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/hwtracing/stm/core.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c index eeba421dc823..9bb85d20934a 100644 --- a/drivers/hwtracing/stm/core.c +++ b/drivers/hwtracing/stm/core.c @@ -701,8 +701,11 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, return -ENOMEM;
stm->major = register_chrdev(0, stm_data->name, &stm_fops); - if (stm->major < 0) - goto err_free; + if (stm->major < 0) { + err = stm->major; + vfree(stm); + return err; + }
device_initialize(&stm->dev); stm->dev.devt = MKDEV(stm->major, 0); @@ -746,10 +749,8 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, err_device: unregister_chrdev(stm->major, stm_data->name);
- /* matches device_initialize() above */ + /* calls stm_device_release() */ put_device(&stm->dev); -err_free: - vfree(stm);
return err; }