--- /dev/null
+From bfa54a793ba77ef696755b66f3ac4ed00c7d1248 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sat, 27 Jul 2024 16:34:01 +0800
+Subject: driver core: bus: Fix double free in driver API bus_register()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit bfa54a793ba77ef696755b66f3ac4ed00c7d1248 upstream.
+
+For bus_register(), any error which happens after kset_register() will
+cause that @priv are freed twice, fixed by setting @priv with NULL after
+the first free.
+
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20240727-bus_register_fix-v1-1-fed8dd0dba7a@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[ Brennan : Backport requires bus->p = NULL instead of priv = NULL ]
+Signed-off-by: Brennan Lamoreaux <brennan.lamoreaux@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/bus.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -853,6 +853,8 @@ bus_devices_fail:
+ bus_remove_file(bus, &bus_attr_uevent);
+ bus_uevent_fail:
+ kset_unregister(&bus->p->subsys);
++ /* Above kset_unregister() will kfree @bus->p */
++ bus->p = NULL;
+ out:
+ kfree(bus->p);
+ bus->p = NULL;
exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch
bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch
usb-xhci-fix-td-invalidation-under-pending-set-tr-dequeue.patch
+driver-core-bus-fix-double-free-in-driver-api-bus_register.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
