| From 0f9b011d3321ca1079c7a46c18cb1956fbdb7bcb Mon Sep 17 00:00:00 2001 |
| From: Christophe JAILLET <christophe.jaillet@wanadoo.fr> |
| Date: Tue, 29 Aug 2017 21:23:49 +0200 |
| Subject: driver core: bus: Fix a potential double free |
| |
| From: Christophe JAILLET <christophe.jaillet@wanadoo.fr> |
| |
| commit 0f9b011d3321ca1079c7a46c18cb1956fbdb7bcb upstream. |
| |
| The .release function of driver_ktype is 'driver_release()'. |
| This function frees the container_of this kobject. |
| |
| So, this memory must not be freed explicitly in the error handling path of |
| 'bus_add_driver()'. Otherwise a double free will occur. |
| |
| Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/base/bus.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/base/bus.c |
| +++ b/drivers/base/bus.c |
| @@ -736,7 +736,7 @@ int bus_add_driver(struct device_driver |
| |
| out_unregister: |
| kobject_put(&priv->kobj); |
| - kfree(drv->p); |
| + /* drv->p is freed in driver_release() */ |
| drv->p = NULL; |
| out_put_bus: |
| bus_put(bus); |
