Commit 09f0e21e authored by Yuan Can's avatar Yuan Can Committed by sanglipeng
Browse files

scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper() 

stable inclusion
from stable-v5.10.156
commit 89ece5ff7dbed52348502db603d5c6bc52b90218
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7MCG1

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=89ece5ff7dbed52348502db603d5c6bc52b90218



--------------------------------

[ Upstream commit e208a1d7 ]

If device_register() fails in sdebug_add_host_helper(), it will goto clean
and sdbg_host will be freed, but sdbg_host->host_list will not be removed
from sdebug_host_list, then list traversal may cause UAF. Fix it.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: default avatarYuan Can <yuancan@huawei.com>
Link: https://lore.kernel.org/r/20221117084421.58918-1-yuancan@huawei.com


Acked-by: default avatarDouglas Gilbert <dgilbert@interlog.com>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarsanglipeng <sanglipeng1@jd.com>
parent b5a2f790

drivers/scsi/scsi_debug.c

+5 −1
Original line number Diff line number Diff line
@@ -7079,8 +7079,12 @@ static int sdebug_add_host_helper(int per_host_idx) 
	dev_set_name(&sdbg_host->dev, "adapter%d", sdebug_num_hosts);



	error = device_register(&sdbg_host->dev);

	if (error)

	if (error) {

		spin_lock(&sdebug_host_list_lock);

		list_del(&sdbg_host->host_list);

		spin_unlock(&sdebug_host_list_lock);

		goto clean;

	}



	++sdebug_num_hosts;

	return 0;