Hello,

Our fault injection tool finds a possible use-after-free in the megaraid_sas driver in Linux 5.10.0:

In the file drivers/scsi/megaraid/megaraid_sas_base.c:

In megasas_io_attach(), the call to scsi_add_host() may fail:

6814:   if (scsi_add_host(host, &instance->pdev->dev)) {
        ...
6818:       return -ENODEV;
6819:   }

This error is then propagated to its caller megasas_probe_one().

7414:   if (megasas_io_attach(instance))
7415:       goto fail_io_attach;

In the error handling code of megasas_probe_one(), it calls scsi_host_put():

7457:   scsi_host_put(host);

The function scsi_host_put() calls scsi_host_dev_release() to free `host`, which contains a variable `instance`.

But megasas_probe_one() calls megasas_init_fw() before:

7372:   if (megasas_init_fw(instance))

In megasas_init_fw(), it starts a timer:

6369:   megasas_start_timer(instance);

And megasas_probe_one() does nothing about it in the error handling code. When the timer expires, it accesses `instance`, causing a use-after-free bug.

I am not quite sure how to fix this possible bug. Any feedback would be appreciated, thanks!

Reported-by: TOTE Robot <oslab@xxxxxxxxxxxxxxx>

Best wishes,
Zixuan Fu
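The ordering problem described in the report, modelled as an added user-space C example (not code from the report, the megaraid_sas driver, or the kernel). It assumes, as the usual fix for this class of bug, that the timer must be cancelled synchronously (del_timer_sync() in the kernel) before the object it dereferences is released in the probe error path; the report itself proposes no fix. The timer API here (model_timer_setup, model_mod_timer, model_del_timer_sync, model_run_expired_timers), the `instance`/`heartbeat` names and the `released` marker are stand-ins invented for the model: real freed memory carries no such marker, which is why the kernel case is a silent use-after-free rather than a counted one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-ins for the kernel timer API (timer_setup/mod_timer/del_timer_sync).
 * Only ordering is modelled: a timer is "pending" until cancelled or fired. */
struct timer_list;
typedef void (*timer_fn)(struct timer_list *);
struct timer_list {
    timer_fn function;
    bool pending;
    struct timer_list *next;   /* chained on the model's pending list */
};

static struct timer_list *pending_head;

static void model_timer_setup(struct timer_list *t, timer_fn fn)
{
    t->function = fn;
    t->pending = false;
    t->next = NULL;
}

static void model_mod_timer(struct timer_list *t)
{
    if (!t->pending) {
        t->pending = true;
        t->next = pending_head;
        pending_head = t;
    }
}

/* Like del_timer_sync(): after return the callback is neither pending nor running. */
static void model_del_timer_sync(struct timer_list *t)
{
    struct timer_list **pp = &pending_head;
    while (*pp) {
        if (*pp == t) { *pp = t->next; break; }
        pp = &(*pp)->next;
    }
    t->pending = false;
}

/* Fire everything still pending, as the kernel would once the delay elapses. */
static void model_run_expired_timers(void)
{
    struct timer_list *t;
    while ((t = pending_head) != NULL) {
        pending_head = t->next;
        t->pending = false;
        t->function(t);
    }
}

/* Driver-private object the callback dereferences (stands in for `instance`). */
struct instance {
    struct timer_list heartbeat_timer;
    bool released;     /* set by the model's "free"; a real kfree leaves no marker */
    int heartbeats;
};

static int use_after_release_count;

static void heartbeat(struct timer_list *t)
{
    /* container_of() in the kernel; plain pointer arithmetic keeps the model portable. */
    struct instance *inst =
        (struct instance *)((char *)t - offsetof(struct instance, heartbeat_timer));
    if (inst->released)
        use_after_release_count++;   /* in the kernel this is the use-after-free */
    else
        inst->heartbeats++;
}

static void release_instance(struct instance *inst) { inst->released = true; }

/* probe() with the ordering from the report: timer armed in init_fw, attach fails,
 * object released in the error path. cancel_before_release selects the corrected path. */
static int probe(struct instance *inst, bool attach_fails, bool cancel_before_release)
{
    inst->released = false;
    inst->heartbeats = 0;
    model_timer_setup(&inst->heartbeat_timer, heartbeat);
    model_mod_timer(&inst->heartbeat_timer);          /* init_fw: timer started */
    if (attach_fails) {                                /* io_attach: scsi_add_host() fails */
        if (cancel_before_release)
            model_del_timer_sync(&inst->heartbeat_timer);
        release_instance(inst);                        /* scsi_host_put(): host freed */
        return -1;
    }
    return 0;
}

/* Returns how many times the expired callback touched a released instance. */
static int run_scenario(bool cancel_before_release)
{
    struct instance inst;
    use_after_release_count = 0;
    pending_head = NULL;
    probe(&inst, true, cancel_before_release);
    model_run_expired_timers();
    return use_after_release_count;
}

int main(void)
{
    printf("without cancel: %d use(s) after release\n", run_scenario(false));
    printf("cancel before put: %d use(s) after release\n", run_scenario(true));
    return 0;
}
```

The point the model makes is that the fix belongs in the error path, between the failed attach and the release, and that the cancellation must be synchronous: a plain del_timer() that returns while the callback is already running would still leave the callback holding a pointer to memory that scsi_host_put() is about to free.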