driver: base: fix UAF when driver_attach failed

When driver_attach(drv); failed, the driver_private will be freed. But it has been added to the bus, which caused a UAF. To fix it, we need to delete it from the bus when failed. Fixes: 190888ac01d0 ("driver core: fix possible missing of device probe") Signed-off-by: Schspa Shi <schspa@gmail.com> Link: https://lore.kernel.org/r/20220513112444.45112-1-schspa@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Schspa Shi <schspa@gmail.com> 2022-05-13 19:24:44 +0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-05-19 19:28:42 +0200
commit: 310862e574001a97ad02272bac0fd13f75f42a27 (patch)
tree: 1c2c74d10a8273d9c654441c8919dbc8287a1d7b /drivers/base
parent: 185b29c6151cf3a5c387ca5904c51c6af3292a0c (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/base/bus.c b/drivers/base/bus.c
index 97936ec49bde..7ca47e5b3c1f 100644
--- a/drivers/base/bus.c
+++ b/drivers/base/bus.c
@@ -617,7 +617,7 @@ int bus_add_driver(struct device_driver *drv)
 	if (drv->bus->p->drivers_autoprobe) {
 		error = driver_attach(drv);
 		if (error)
-			goto out_unregister;
+			goto out_del_list;
 	}
 	module_add_driver(drv->owner, drv);
 
@@ -644,6 +644,8 @@ int bus_add_driver(struct device_driver *drv)
 
 	return 0;
 
+out_del_list:
+	klist_del(&priv->knode_bus);
 out_unregister:
 	kobject_put(&priv->kobj);
 	/* drv->p is freed in driver_release()  */
author	Schspa Shi <schspa@gmail.com>	2022-05-13 19:24:44 +0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2022-05-19 19:28:42 +0200
commit	310862e574001a97ad02272bac0fd13f75f42a27 (patch)
tree	1c2c74d10a8273d9c654441c8919dbc8287a1d7b /drivers/base
parent	185b29c6151cf3a5c387ca5904c51c6af3292a0c (diff)