scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper()

[ Upstream commit e208a1d ] If device_register() fails in sdebug_add_host_helper(), it will goto clean and sdbg_host will be freed, but sdbg_host->host_list will not be removed from sdebug_host_list, then list traversal may cause UAF. Fix it. Fixes: 1da177e ("Linux-2.6.12-rc2") Signed-off-by: Yuan Can <[email protected]> Link: https://lore.kernel.org/r/[email protected] Acked-by: Douglas Gilbert <[email protected]> Signed-off-by: Martin K. Petersen <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
beagleboard · Nov 25, 2022 · 89ece5f · 89ece5f
1 parent 75205f1
commit 89ece5f
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
@@ -7079,8 +7079,12 @@ static int sdebug_add_host_helper(int per_host_idx)
 	dev_set_name(&sdbg_host->dev, "adapter%d", sdebug_num_hosts);
 
 	error = device_register(&sdbg_host->dev);
-	if (error)
+	if (error) {
+		spin_lock(&sdebug_host_list_lock);
+		list_del(&sdbg_host->host_list);
+		spin_unlock(&sdebug_host_list_lock);
 		goto clean;
+	}
 
 	++sdebug_num_hosts;
 	return 0;