https://bugzilla.kernel.org/show_bug.cgi?id=216454

Bug ID: 216454
Summary: scsi: megaraid_sas: possible use-after-free caused by bad error handling in megasas_probe_one()
Product: IO/Storage
Version: 2.5
Kernel Version: 5.10.0
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: SCSI
Assignee: linux-scsi@xxxxxxxxxxxxxxx
Reporter: r33s3n6@xxxxxxxxx
Regression: No

Hello,

Our fault injection tool finds a possible use-after-free in the megaraid_sas driver in Linux 5.10.0.

In the file drivers/scsi/megaraid/megaraid_sas_base.c:

In megasas_io_attach(), the call to scsi_add_host() may fail:

    6814:     if (scsi_add_host(host, &instance->pdev->dev)) {
    ...
    6818:         return -ENODEV;
    6819:     }

This error is then propagated to its caller megasas_probe_one():

    7414:     if (megasas_io_attach(instance))
    7415:         goto fail_io_attach;

In the error handling code of megasas_probe_one(), it calls scsi_host_put():

    7457:     scsi_host_put(host);

The function scsi_host_put() calls scsi_host_dev_release() to free `host`, which contains a variable `instance`. But megasas_probe_one() calls megasas_init_fw() before:

    7372:     if (megasas_init_fw(instance))

In megasas_init_fw(), it starts a timer:

    6369:     megasas_start_timer(instance);

And megasas_probe_one() does nothing about it in the error handling code. When the timer expires, it accesses `instance`, causing a use-after-free bug.

I am not quite sure how to fix this possible bug. Any feedback would be appreciated, thanks!

Reported-by: TOTE Robot <oslab@xxxxxxxxxxxxxxx>

Best wishes,
Zixuan Fu
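The lifetime rule behind this report, shown as an added user-space model that is not kernel code, not the megaraid_sas driver's own code, and not a proposed patch to megasas_probe_one(): a timer armed during probe carries a pointer to its owner, so every error path that releases the owner after the timer was armed has to cancel the timer first. The timer wheel, `add_timer`, `del_timer_sync`, `init_fw`, `io_attach`, `probe_unfixed`, `probe_fixed` and the `instance` struct are stand-ins assumed for the model; they mirror the call order quoted in the report but are not the real kernel or driver functions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Model-only timer API: a stand-in for the kernel's, not <linux/timer.h>. */
struct timer_list {
    void (*function)(struct timer_list *);
    int pending;
};

static struct timer_list *armed[8];   /* stand-in for the timer wheel */
static int n_armed;
static int fires;                     /* callbacks that actually ran */

static void add_timer(struct timer_list *t)
{
    t->pending = 1;
    armed[n_armed++] = t;
}

/* Dequeue so the callback can never run again (del_timer_sync stand-in). */
static void del_timer_sync(struct timer_list *t)
{
    for (int i = 0; i < n_armed; i++)
        if (armed[i] == t) {
            armed[i] = armed[--n_armed];
            break;
        }
    t->pending = 0;
}

/* The wheel firing after probe returned; only safe when every armed timer
 * still has a live owner. */
static void run_expired_timers(void)
{
    while (n_armed > 0) {
        struct timer_list *t = armed[--n_armed];
        t->pending = 0;
        t->function(t);
    }
}

/* Stand-in for the driver instance that the host release frees. */
struct instance {
    struct timer_list hb_timer;   /* armed by init_fw(), like megasas_start_timer() */
    int fw_ready;
};

static struct instance *bound;    /* instance left attached on success */

static void hb_timer_fn(struct timer_list *t) { (void)t; fires++; }

static int init_fw(struct instance *inst)       /* megasas_init_fw() stand-in */
{
    inst->fw_ready = 1;
    inst->hb_timer.function = hb_timer_fn;
    add_timer(&inst->hb_timer);                  /* timer now references inst */
    return 0;
}

static int io_attach(int attach_fails)          /* scsi_add_host() stand-in */
{
    return attach_fails ? -ENODEV : 0;
}

/* Error path as the report describes it: the owner is freed while the timer
 * embedded in it is still on the wheel. */
static int probe_unfixed(int attach_fails)
{
    struct instance *inst = calloc(1, sizeof *inst);
    int rc;
    if (!inst)
        return -ENOMEM;
    if ((rc = init_fw(inst)))
        goto fail_init;
    if ((rc = io_attach(attach_fails)))
        goto fail_io_attach;
    bound = inst;
    return 0;
fail_io_attach:
    /* nothing cancels inst->hb_timer here */
fail_init:
    free(inst);
    return rc;
}

/* Hardened variant: each error path reached after the timer was armed
 * cancels it before the owning allocation is released. */
static int probe_fixed(int attach_fails)
{
    struct instance *inst = calloc(1, sizeof *inst);
    int rc;
    if (!inst)
        return -ENOMEM;
    if ((rc = init_fw(inst)))
        goto fail_init;
    if ((rc = io_attach(attach_fails)))
        goto fail_io_attach;
    bound = inst;
    return 0;
fail_io_attach:
    del_timer_sync(&inst->hb_timer);   /* timer first, then its owner */
fail_init:
    free(inst);
    return rc;
}

static void remove_device(void)   /* same ordering on the normal teardown path */
{
    if (!bound)
        return;
    del_timer_sync(&bound->hb_timer);
    free(bound);
    bound = NULL;
}

/* Armed timers whose owner is already gone; counted without touching them. */
static int dangling_timers(void) { return bound ? 0 : n_armed; }

static void reset_model(void) { n_armed = 0; fires = 0; bound = NULL; }

int main(void)
{
    reset_model();
    probe_unfixed(1);
    printf("unfixed probe, attach fails: %d dangling timer(s)\n", dangling_timers());
    reset_model();
    probe_fixed(1);
    printf("fixed probe, attach fails:   %d dangling timer(s)\n", dangling_timers());
    return 0;
}
```

`dangling_timers()` reports the exposure by counting armed timers whose owner has been freed rather than by running them, since firing a timer that points into freed memory is exactly the use-after-free; in a real kernel that access would surface only when the timer expires, typically as a KASAN report from inside the callback. The model also applies the same order, cancel the timer and then release the object, on the remove path, because the invariant is the same there.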