From 04920d6a72fb54c113c25ea15e52596619959d83 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 3 Dec 2024 09:27:27 +0100
Subject: [PATCH] 5.15-stable patches

added patches:
	driver-core-bus-fix-double-free-in-driver-api-bus_register.patch
---
 ...uble-free-in-driver-api-bus_register.patch | 34 +++++++++++++++++++
 queue-5.15/series                             |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 queue-5.15/driver-core-bus-fix-double-free-in-driver-api-bus_register.patch

diff --git a/queue-5.15/driver-core-bus-fix-double-free-in-driver-api-bus_register.patch b/queue-5.15/driver-core-bus-fix-double-free-in-driver-api-bus_register.patch
new file mode 100644
index 00000000000..56962143c92
--- /dev/null
+++ b/queue-5.15/driver-core-bus-fix-double-free-in-driver-api-bus_register.patch
@@ -0,0 +1,34 @@
+From bfa54a793ba77ef696755b66f3ac4ed00c7d1248 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sat, 27 Jul 2024 16:34:01 +0800
+Subject: driver core: bus: Fix double free in driver API bus_register()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit bfa54a793ba77ef696755b66f3ac4ed00c7d1248 upstream.
+
+For bus_register(), any error which happens after kset_register() will
+cause that @priv are freed twice, fixed by setting @priv with NULL after
+the first free.
+
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20240727-bus_register_fix-v1-1-fed8dd0dba7a@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[ Brennan : Backport requires bus->p = NULL instead of priv = NULL ]
+Signed-off-by: Brennan Lamoreaux <brennan.lamoreaux@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/bus.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -853,6 +853,8 @@ bus_devices_fail:
+ 	bus_remove_file(bus, &bus_attr_uevent);
+ bus_uevent_fail:
+ 	kset_unregister(&bus->p->subsys);
++	/* Above kset_unregister() will kfree @bus->p */
++	bus->p = NULL;
+ out:
+ 	kfree(bus->p);
+ 	bus->p = NULL;
diff --git a/queue-5.15/series b/queue-5.15/series
index 12fdbbefde5..9667f5fedcc 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -310,3 +310,4 @@ locking-lockdep-avoid-creating-new-name-string-literals-in-lockdep_set_subclass.
 exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch
 bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch
 usb-xhci-fix-td-invalidation-under-pending-set-tr-dequeue.patch
+driver-core-bus-fix-double-free-in-driver-api-bus_register.patch
-- 
2.47.3