CVE-2023-54321
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 30/12/2025
Last modified: 30/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

driver core: fix potential null-ptr-deref in device_add()

I got the following null-ptr-deref report while doing a fault injection test:

BUG: kernel NULL pointer dereference, address: 0000000000000058
CPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G B W N 6.1.0-rc3+
RIP: 0010:klist_put+0x2d/0xd0
Call Trace:

klist_remove+0xf1/0x1c0
device_release_driver_internal+0x196/0x210
bus_remove_device+0x1bd/0x240
device_add+0xd3d/0x1100
w1_add_master_device+0x476/0x490 [wire]
ds2482_probe+0x303/0x3e0 [ds2482]

This is how it happened:

w1_alloc_dev()
  // The dev->driver is set to w1_master_driver.
  memcpy(&dev->dev, device, sizeof(struct device));
  device_add()
    bus_add_device()
    dpm_sysfs_add() // It fails, calls bus_remove_device.

    // error path
    bus_remove_device()
      // The dev->driver is not null, but driver is not bound.
      __device_release_driver()
        klist_remove(&dev->p->knode_driver)

driver is set, in the error path after calling bus_add_device()
in device_add(), bus_remove_device() is called, then the device will be
detached from driver. But device_bind_driver() is not called yet, so it
causes null-ptr-deref while accessing the 'knode_driver'. To fix this, set
dev->driver to null in the error path before calling bus_remove_device().
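
An added illustration, not kernel code and not part of the advisory or the patch: a user-space C model of the error path described above, with and without the fix. The struct layouts and the `model_*` and `run_model` names are hypothetical simplifications, and the model returns -1 at the point where the kernel would dereference NULL.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical, simplified stand-ins for the kernel structures. */
struct klist  { int nodes; };
struct driver { const char *name; };
struct device {
    struct driver *driver;       /* may be pre-set by the caller, as w1 does */
    struct klist  *knode_driver; /* stays NULL until the driver is really bound */
};

/* Models klist_remove(): returns -1 where the kernel would dereference NULL. */
static int model_klist_remove(struct klist *k)
{
    if (k == NULL)
        return -1;
    k->nodes--;
    return 0;
}

/* Models bus_remove_device(): only dev->driver decides whether to unbind. */
static int model_bus_remove_device(struct device *dev)
{
    int rc;

    if (dev->driver == NULL)
        return 0;                /* nothing to release */
    rc = model_klist_remove(dev->knode_driver);
    dev->driver = NULL;
    return rc;
}

/* Models the device_add() error path for a device whose driver pointer was
 * copied in before any bind happened. apply_fix selects the patched path. */
int run_model(int apply_fix)
{
    struct driver drv = { "w1_master_driver" };
    struct device dev = { &drv, NULL };

    if (apply_fix)
        dev.driver = NULL;       /* the fix described in the advisory */
    return model_bus_remove_device(&dev);
}

int main(void)
{
    printf("unpatched: %d\npatched: %d\n", run_model(0), run_model(1));
    return 0;
}
```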



