Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp9437847pxu;
        Mon, 28 Dec 2020 16:32:21 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwYjCPUiJI96I9GAuhZP2r5XqDkgL1SSWU3ayuP84fyfcqotd8sk2x+VtR2blJTCU6KtVr3
X-Received: by 2002:a17:906:e206:: with SMTP id gf6mr43716510ejb.342.1609201941713;
        Mon, 28 Dec 2020 16:32:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1609201941; cv=none;
        d=google.com; s=arc-20160816;
        b=hQ36g2jkFFVgQE61ojbwNMvXFIvif+493UiyzYv34yKuh7owoz88SeqDsXZp0rhhsp
         ARWcoNV/wqcE/v9AtjpnyGU30SQFbkDm5bVMUboFrzEW0ttWHLwOZICR8QQSCsYorcT6
         T51u8XwZ/QnHru1nXxaUmfyLK5Oz72AHPnUiESG0Bdlep4whkJQi4W86+Mz6TaiUz7s8
         KBdt+hrUrifiJf/RTt1pFxjrQx3EssvnFUkHOQ/F+o/eo9KafKhrm+cX0BjScfUlkLlv
         jCZOKjbzmwReD8inPKJrzjS4UFYVUTOQcF9jZXptLZpbyfzp13ExhigNYYH/j4NsLWAj
         vkJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=rr7mnGMGjh/O5JMo0e9mctqF3S6eAzihyba1zlVpto4=;
        b=OiUanLqgkZjD0w9PtrNarLkHLy8SYSjmUcApVEPCgkm5uqbvHWIro+XMorxw6LyfDK
         GQ8ZBhJO75q/uvcFOpKrn7baqacyfxNrk728/l5Z2/w1QkY4phpGSTymAb3jNNC4RsF/
         t36+paZ4IdsqxKjurf2lPxincnoD8OrJpfAevjNcc/MG4bksxWhJ5NsYwkjxUP7S0fst
         Zbogq38wmac/rRRnl81UgALBOHQU6JKAkt1SW4sng89cP/kv8hLKG3eJWY3RP5G6TTgE
         3GfOTcxpVSdBY2OvR5DgOSLSLnSJqeNbkSQoF5KojZxubiuvxgvZWfp2eW+2+wVQfkJ3
         35jA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=e+bCkvzR;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id ov28si17502304ejb.512.2020.12.28.16.31.58;
        Mon, 28 Dec 2020 16:32:21 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=e+bCkvzR;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2632942AbgL1Pm6 (ORCPT <rfc822;luca.barbieri@gmail.com>
        + 99 others); Mon, 28 Dec 2020 10:42:58 -0500
Received: from mail.kernel.org ([198.145.29.99]:46016 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2405495AbgL1NrA (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 28 Dec 2020 08:47:00 -0500
Received: by mail.kernel.org (Postfix) with ESMTPSA id 75EBE22B3B;
        Mon, 28 Dec 2020 13:46:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1609163205;
        bh=b3YkWgAGCc8tgJYY2DJD3faZH2Q/m3Lni073ZwViY7g=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=e+bCkvzRw1oYWvfD/J+YMEVxFsuBPvjJ/I89kxBisxRFv7XRC3jo96o2nTVc+kDHY
         asq9L1GjlY/Ts9EvQTM+bMlewPEzerNCl8ML7TbPaXUUw1PgEFSQ81SOLrGJ7zk8rP
         OOny6sT2tBv3xTeJOOJiehJck/lkNfPPdEw843kc=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Hulk Robot <hulkci@huawei.com>,
        Qinglang Miao <miaoqinglang@huawei.com>,
        Serge Semin <fancer.lancer@gmail.com>,
        Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 176/453] mips: cdmm: fix use-after-free in mips_cdmm_bus_discover
Date:   Mon, 28 Dec 2020 13:46:52 +0100
Message-Id: <20201228124945.668591367@linuxfoundation.org>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20201228124937.240114599@linuxfoundation.org>
References: <20201228124937.240114599@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Qinglang Miao <miaoqinglang@huawei.com>

[ Upstream commit f0e82242b16826077a2775eacfe201d803bb7a22 ]

kfree(dev) has been called inside put_device so anther
kfree would cause a use-after-free bug/

Fixes: 8286ae03308c ("MIPS: Add CDMM bus support")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
Acked-by: Serge Semin <fancer.lancer@gmail.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/bus/mips_cdmm.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/bus/mips_cdmm.c b/drivers/bus/mips_cdmm.c
index 1b14256376d24..7c1da45be166e 100644
--- a/drivers/bus/mips_cdmm.c
+++ b/drivers/bus/mips_cdmm.c
@@ -544,10 +544,8 @@ static void mips_cdmm_bus_discover(struct mips_cdmm_bus *bus)
 		dev_set_name(&dev->dev, "cdmm%u-%u", cpu, id);
 		++id;
 		ret = device_register(&dev->dev);
-		if (ret) {
+		if (ret)
 			put_device(&dev->dev);
-			kfree(dev);
-		}
 	}
 }
 
-- 
2.27.0