scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper()

[ Upstream commit e208a1d795a08d1ac0398c79ad9c58106531bcc5 ] If device_register() fails in sdebug_add_host_helper(), it will goto clean and sdbg_host will be freed, but sdbg_host->host_list will not be removed from sdebug_host_list, then list traversal may cause UAF. Fix it. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yuan Can <yuancan@huawei.com> Link: https://lore.kernel.org/r/20221117084421.58918-1-yuancan@huawei.com Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Yuan Can <yuancan@huawei.com> 2022-11-17 11:44:21 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-11-25 19:45:55 +0300
commit: 89ece5ff7dbed52348502db603d5c6bc52b90218 (patch)
tree: 3336ccc663ad901cad769fa81dc90a9ce22becbc
parent: 75205f1b47a88c3fac4f30bd7567e89b2887c7fd (diff)
download: linux-89ece5ff7dbed52348502db603d5c6bc52b90218.tar.xz
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 5eb959b5f701..261b915835b4 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -7079,8 +7079,12 @@ static int sdebug_add_host_helper(int per_host_idx)
 	dev_set_name(&sdbg_host->dev, "adapter%d", sdebug_num_hosts);
 
 	error = device_register(&sdbg_host->dev);
-	if (error)
+	if (error) {
+		spin_lock(&sdebug_host_list_lock);
+		list_del(&sdbg_host->host_list);
+		spin_unlock(&sdebug_host_list_lock);
 		goto clean;
+	}
 
 	++sdebug_num_hosts;
 	return 0;
author	Yuan Can <yuancan@huawei.com>	2022-11-17 11:44:21 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2022-11-25 19:45:55 +0300
commit	89ece5ff7dbed52348502db603d5c6bc52b90218 (patch)
tree	3336ccc663ad901cad769fa81dc90a9ce22becbc
parent	75205f1b47a88c3fac4f30bd7567e89b2887c7fd (diff)
download	linux-89ece5ff7dbed52348502db603d5c6bc52b90218.tar.xz