Patch "scsi: snic: Fix possible UAF in snic_tgt_create()" has been added to the 5.10-stable tree


 



This is a note to let you know that I've just added the patch titled

    scsi: snic: Fix possible UAF in snic_tgt_create()

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     scsi-snic-fix-possible-uaf-in-snic_tgt_create.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 644b28530526744d0d88f30d35e30ce1db9f4fbf
Author: Gaosheng Cui <cuigaosheng1@xxxxxxxxxx>
Date:   Thu Nov 17 11:51:00 2022 +0800

    scsi: snic: Fix possible UAF in snic_tgt_create()
    
    [ Upstream commit e118df492320176af94deec000ae034cc92be754 ]
    
    Smatch reports a warning as follows:
    
    drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn:
      '&tgt->list' not removed from list
    
    If device_add() fails in snic_tgt_create(), tgt will be freed, but
    tgt->list will not be removed from snic->disc.tgt_list, then list traversal
    may cause UAF.
    
    Remove from snic->disc.tgt_list before free().
    
    Fixes: c8806b6c9e82 ("snic: driver for Cisco SCSI HBA")
    Signed-off-by: Gaosheng Cui <cuigaosheng1@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20221117035100.2944812-1-cuigaosheng1@xxxxxxxxxx
    Acked-by: Narsimhulu Musini <nmusini@xxxxxxxxx>
    Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/scsi/snic/snic_disc.c b/drivers/scsi/snic/snic_disc.c
index e9ccfb97773f..7cf871323b2c 100644
--- a/drivers/scsi/snic/snic_disc.c
+++ b/drivers/scsi/snic/snic_disc.c
@@ -318,6 +318,9 @@ snic_tgt_create(struct snic *snic, struct snic_tgt_id *tgtid)
 			      ret);
 
 		put_device(&snic->shost->shost_gendev);
+		spin_lock_irqsave(snic->shost->host_lock, flags);
+		list_del(&tgt->list);
+		spin_unlock_irqrestore(snic->shost->host_lock, flags);
 		kfree(tgt);
 		tgt = NULL;
 
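Review bot: In the device_add() failure branch, the added list_del(&tgt->list) under host_lock removes the stale entry, but per the commit message tgt was already on snic->disc.tgt_list before device_add() was attempted. Any path that obtained the pointer from the list while holding the lock and keeps using it after dropping the lock can still race with the kfree(tgt) that follows. Consider adding tgt to the list only after device_add() succeeds, or confirm that no lookup retains tgt without a reference. The added lines also use `flags`, which is not declared in the visible context, so for the 5.10 backport check that snic_tgt_create() has that local in scope.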



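The failure-path ordering described in the commit message, as an added userspace C example that is not the snic driver's code. The names `tgt_create_fail`, `stale_entries` and `pool` are hypothetical, a static pool stands in for kmalloc()/kfree(), and the host_lock locking is omitted because the example is single-threaded.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal circular list modelled on the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void list_del(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; }

/* Hypothetical target object. A static pool stands in for kmalloc()/kfree()
 * so a released slot can be inspected without undefined behaviour. */
struct tgt { struct list_head list; int in_use; };
static struct tgt pool[4];

static struct tgt *tgt_alloc(void)
{
    for (size_t i = 0; i < 4; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;
}
static void tgt_free(struct tgt *t) { t->in_use = 0; }

/* Publish a target on the list, then take the failure path of a simulated
 * registration step. unlink_first != 0 selects the patched ordering. */
static void tgt_create_fail(struct list_head *head, int unlink_first)
{
    struct tgt *t = tgt_alloc();
    if (!t) return;
    list_add_tail(&t->list, head);
    if (unlink_first)
        list_del(&t->list);   /* patched: unlink before release */
    tgt_free(t);
}

/* Count list entries whose backing object has already been released. */
static int stale_entries(const struct list_head *head)
{
    int n = 0;
    for (const struct list_head *p = head->next; p != head; p = p->next)
        n += !((const struct tgt *)p)->in_use;  /* list is the first member */
    return n;
}

int main(void)
{
    struct list_head h; list_init(&h); tgt_create_fail(&h, 0);
    printf("stale entries without unlink: %d\n", stale_entries(&h));
}
```

A non-zero count from `stale_entries` is the condition the Smatch warning points at: the list still links to an object that has been released.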