From 25dbe9638a2a7fe3e1d9df5aba05efa8deb7967b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 3 Dec 2024 09:25:04 +0100
Subject: [PATCH] 5.10-stable patches

added patches:
	driver-core-bus-fix-double-free-in-driver-api-bus_register.patch
---
 ...uble-free-in-driver-api-bus_register.patch | 34 +++++++++++++++++++
 queue-5.10/series                             |  2 +-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 queue-5.10/driver-core-bus-fix-double-free-in-driver-api-bus_register.patch

diff --git a/queue-5.10/driver-core-bus-fix-double-free-in-driver-api-bus_register.patch b/queue-5.10/driver-core-bus-fix-double-free-in-driver-api-bus_register.patch
new file mode 100644
index 00000000000..212cd4d5208
--- /dev/null
+++ b/queue-5.10/driver-core-bus-fix-double-free-in-driver-api-bus_register.patch
@@ -0,0 +1,34 @@
+From bfa54a793ba77ef696755b66f3ac4ed00c7d1248 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sat, 27 Jul 2024 16:34:01 +0800
+Subject: driver core: bus: Fix double free in driver API bus_register()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit bfa54a793ba77ef696755b66f3ac4ed00c7d1248 upstream.
+
+For bus_register(), any error which happens after kset_register() will
+cause that @priv are freed twice, fixed by setting @priv with NULL after
+the first free.
+
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20240727-bus_register_fix-v1-1-fed8dd0dba7a@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[ Brennan : Backport requires bus->p = NULL instead of priv = NULL ]
+Signed-off-by: Brennan Lamoreaux <brennan.lamoreaux@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/bus.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -874,6 +874,8 @@ bus_devices_fail:
+ 	bus_remove_file(bus, &bus_attr_uevent);
+ bus_uevent_fail:
+ 	kset_unregister(&bus->p->subsys);
++	/* Above kset_unregister() will kfree @bus->p */
++	bus->p = NULL;
+ out:
+ 	kfree(bus->p);
+ 	bus->p = NULL;
diff --git a/queue-5.10/series b/queue-5.10/series
index 4097d085a9b..8e725d981f1 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -251,5 +251,5 @@ apparmor-test-fix-memory-leak-for-aa_unpack_strdup.patch
 tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch
 locking-lockdep-avoid-creating-new-name-string-literals-in-lockdep_set_subclass.patch
 exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch
-xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch
 bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch
+driver-core-bus-fix-double-free-in-driver-api-bus_register.patch
-- 
2.47.3