scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper()

If device_register() fails in sdebug_add_host_helper(), it will goto clean
and sdbg_host will be freed, but sdbg_host->host_list will not be removed
from sdebug_host_list, then list traversal may cause UAF. Fix it.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Link: https://lore.kernel.org/r/20221117084421.58918-1-yuancan@huawei.com
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 629853662b820f6e271e435517bde3f908dbf715..bebda917b13839734103a2d3fb20440797d33451 100644 (file)
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -7323,8 +7323,12 @@ static int sdebug_add_host_helper(int per_host_idx)
        dev_set_name(&sdbg_host->dev, "adapter%d", sdebug_num_hosts);
 
        error = device_register(&sdbg_host->dev);
-       if (error)
+       if (error) {
+               spin_lock(&sdebug_host_list_lock);
+               list_del(&sdbg_host->host_list);
+               spin_unlock(&sdebug_host_list_lock);
                goto clean;
+       }
 
        ++sdebug_num_hosts;
        return 0;