projects / platform / kernel / linux-rpi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8c12460)
HSI: core: Fix return freed object in hsi_new_client
authorChengfeng Ye <cyeaa@connect.ust.hk>
Fri, 5 Nov 2021 13:45:07 +0000 (06:45 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 27 Jan 2022 10:04:31 +0000 (11:04 +0100)
[ Upstream commit a1ee1c08fcd5af03187dcd41dcab12fd5b379555 ]

cl is freed on error of calling device_register, but this
object is return later, which will cause uaf issue. Fix it
by return NULL on error.

Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/hsi/hsi_core.c patch | blob | history

diff --git a/drivers/hsi/hsi_core.c b/drivers/hsi/hsi_core.c
index ec90713..8840661 100644 (file)
--- a/drivers/hsi/hsi_core.c
+++ b/drivers/hsi/hsi_core.c
@@ -102,6 +102,7 @@ struct hsi_client *hsi_new_client(struct hsi_port *port,
        if (device_register(&cl->device) < 0) {
                pr_err("hsi: failed to register client: %s\n", info->name);
                put_device(&cl->device);
+               goto err;
        }
 
        return cl;
Domain: System / Kernel;