From 3894f464e5426dc6e613b20461cfefa701479697 Mon Sep 17 00:00:00 2001
From: Yang Yingliang
Date: Mon, 13 May 2024 10:06:14 +0800
Subject: [PATCH] NTB: fix possible name leak in ntb_register_device()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

mainline inclusion
from mainline-v6.9-rc1
commit aebfdfe39b9327a3077d0df8db3beb3160c9bdd0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L9IV
CVE: CVE-2023-52652

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=aebfdfe39b9327a3077d0df8db3beb3160c9bdd0

--------------------------------

If device_register() fails in ntb_register_device(), the device name allocated by dev_set_name() should be freed. As per the comment in device_register(), callers should use put_device() to give up the reference in the error path. So fix this by calling put_device() in the error path so that the name can be freed in kobject_cleanup().

As a result of this, put_device() in the error path of ntb_register_device() is removed and the actual error is returned.

Fixes: a1bd3baeb2f1 ("NTB: Add NTB hardware abstraction layer")
Signed-off-by: Yang Yingliang
Reviewed-by: Ilpo Järvinen
Reviewed-by: Manivannan Sadhasivam
Reviewed-by: Dave Jiang
Link: https://lore.kernel.org/r/20231201033057.1399131-1-yangyingliang@huaweicloud.com
[mani: reworded commit message]
Signed-off-by: Manivannan Sadhasivam

Conflicts:
	drivers/ntb/core.c
	drivers/pci/endpoint/functions/pci-epf-vntb.c
[The version does not include the pci-epf-vntb.c source file, and ntb_register_device() function is located in drivers/ntb/ntb.c.]
Signed-off-by: Zeng Heng
---
 drivers/ntb/ntb.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/ntb/ntb.c b/drivers/ntb/ntb.c
index 2581ab724c34..3305a2fbea4e 100644
--- a/drivers/ntb/ntb.c
+++ b/drivers/ntb/ntb.c
@@ -100,6 +100,8 @@ EXPORT_SYMBOL(ntb_unregister_client); int ntb_register_device(struct ntb_dev *ntb) { + int ret; + if (!ntb) return -EINVAL; if (!ntb->pdev) @@ -120,7 +122,11 @@ int ntb_register_device(struct ntb_dev *ntb) ntb->ctx_ops = NULL; spin_lock_init(&ntb->ctx_lock); - return device_register(&ntb->dev); + ret = device_register(&ntb->dev); + if (ret) + put_device(&ntb->dev); + + return ret; } EXPORT_SYMBOL(ntb_register_device); -- Gitee
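Review bot: In the second hunk, the new put_device(&ntb->dev) after a failed device_register() drops the reference inside ntb_register_device() itself, so every caller in this tree needs checking that its own error path does not call put_device() again or touch ntb->dev after a failure. The commit message sentence "put_device() in the error path of ntb_register_device() is removed" describes the upstream caller change in pci-epf-vntb.c, which the Conflicts note says this version does not include, so the callers that do exist here are not covered by this diff and the backport note should say they were audited. Suggest also adding a line to the function's comment stating the new contract, for example "On failure the reference to ntb->dev has already been dropped; callers must not call put_device()."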