Description
In the Linux kernel, the following vulnerability has been resolved: pps: fix warning in pps_register_cdev when register device fail Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error handling in __video_register_device()"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567 Modules linked in: CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567 Call Trace: <TASK> kobject_cleanup+0x136/0x410 lib/kobject.c:689 kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0xe9/0x130 lib/kobject.c:737 put_device+0x24/0x30 drivers/base/core.c:3797 pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402 pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108 pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57 tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432 tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563 tiocsetd drivers/tty/tty_io.c:2429 [inline] tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Before commit c79a39dc8d06 ("pps: Fix a use-after-free"), pps_register_cdev() call device_create() to create pps->dev, which will init dev->release to device_create_release(). Now the comment is outdated, just remove it. Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed in pps_register_source() to avoid a double free in the failure case.
Product status
785c78ed0d39d1717cca3ef931d3e51337b5e90e (git) before 38c7bb10aae5118dd48fa7a82f7bf93839bcc320
1a7735ab2cb9747518a7416fb5929e85442dec62 (git) before 2a194707ca27a3b0523023fa8b446e5ec922dc51
c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7 (git) before 125527db41805693208ee1aacd7f3ffe6a3a489c
91932db1d96b2952299ce30c1c693d834d10ace6 (git) before 4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8
cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64 (git) before cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e
7e5ee3281dc09014367f5112b6d566ba36ea2d49 (git) before f01fa3588e0b3cb1540f56d2c6bd99e5b3810234
c79a39dc8d060b9e64e8b0fa9d245d44befeefbe (git) before 0f97564a1fb62f34b3b498e2f12caffbe99c004a
c79a39dc8d060b9e64e8b0fa9d245d44befeefbe (git) before b0531cdba5029f897da5156815e3bdafe1e9b88d
85241f7de216f8298f6e48540ea13d7dcd100870 (git)
6.14
Any version before 6.14
5.4.301 (semver)
5.10.246 (semver)
5.15.195 (semver)
6.1.156 (semver)
6.6.112 (semver)
6.12.53 (semver)
6.17.3 (semver)
6.18-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/38c7bb10aae5118dd48fa7a82f7bf93839bcc320
git.kernel.org/...c/2a194707ca27a3b0523023fa8b446e5ec922dc51
git.kernel.org/...c/125527db41805693208ee1aacd7f3ffe6a3a489c
git.kernel.org/...c/4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8
git.kernel.org/...c/cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e
git.kernel.org/...c/f01fa3588e0b3cb1540f56d2c6bd99e5b3810234
git.kernel.org/...c/0f97564a1fb62f34b3b498e2f12caffbe99c004a
git.kernel.org/...c/b0531cdba5029f897da5156815e3bdafe1e9b88d
