From 23b2c9f7460c9d75fdf4781fe6d326b44841f547 Mon Sep 17 00:00:00 2001 From: Hangyu Hua Date: Fri, 28 Mar 2025 08:37:07 +0000 Subject: [PATCH] usb: usbip: fix a refcount leak in stub_probe() stable inclusion from stable-v4.19.325 commit 247d3809e45a34d9e1a3a2bb7012e31ed8b46031 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP3SN CVE: CVE-2022-49389 Reference: https://web.git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.19.y&id=247d3809e45a34d9e1a3a2bb7012e31ed8b46031 -------------------------------- [ Upstream commit 9ec4cbf1cc55d126759051acfe328d489c5d6e60 ] usb_get_dev() is called in stub_device_alloc(). When stub_probe() fails after that, usb_put_dev() needs to be called to release the reference. Fix this by moving usb_put_dev() to sdev_free error path handling. Find this by code review. Fixes: 3ff67445750a ("usbip: fix error handling in stub_probe()") Reviewed-by: Shuah Khan Signed-off-by: Hangyu Hua Link: https://lore.kernel.org/r/20220412020257.9767-1-hbh25y@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Xia Fukun --- drivers/usb/usbip/stub_dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c index 93891d445c30..2650ef62757a 100644 --- a/drivers/usb/usbip/stub_dev.c +++ b/drivers/usb/usbip/stub_dev.c @@ -410,7 +410,6 @@ static int stub_probe(struct usb_device *udev) (struct usb_dev_state *) udev); err_port: dev_set_drvdata(&udev->dev, NULL); - usb_put_dev(udev); /* we already have busid_priv, just lock busid_lock */ spin_lock(&busid_priv->busid_lock); @@ -425,6 +424,7 @@ static int stub_probe(struct usb_device *udev) put_busid_priv(busid_priv); sdev_free: + usb_put_dev(udev); stub_device_free(sdev); return rc; -- Gitee