summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYuan Can <yuancan@huawei.com>2022-11-17 09:44:21 +0100
committerMartin K. Petersen <martin.petersen@oracle.com>2022-11-17 18:48:32 +0100
commite208a1d795a08d1ac0398c79ad9c58106531bcc5 (patch)
treefdac95ef3df6a113c3101e38a270eee8c462b12e
parentscsi: target: tcm_loop: Fix possible name leak in tcm_loop_setup_hba_bus() (diff)
downloadlinux-e208a1d795a08d1ac0398c79ad9c58106531bcc5.tar.xz
linux-e208a1d795a08d1ac0398c79ad9c58106531bcc5.zip
scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper()
If device_register() fails in sdebug_add_host_helper(), it will goto clean and sdbg_host will be freed, but sdbg_host->host_list will not be removed from sdebug_host_list, then list traversal may cause UAF. Fix it. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yuan Can <yuancan@huawei.com> Link: https://lore.kernel.org/r/20221117084421.58918-1-yuancan@huawei.com Acked-by: Douglas Gilbert <dgilbert@interlog.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-rw-r--r--drivers/scsi/scsi_debug.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 629853662b82..bebda917b138 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -7323,8 +7323,12 @@ static int sdebug_add_host_helper(int per_host_idx)
dev_set_name(&sdbg_host->dev, "adapter%d", sdebug_num_hosts);
error = device_register(&sdbg_host->dev);
- if (error)
+ if (error) {
+ spin_lock(&sdebug_host_list_lock);
+ list_del(&sdbg_host->host_list);
+ spin_unlock(&sdebug_host_list_lock);
goto clean;
+ }
++sdebug_num_hosts;
return 0;