From: Yuan Can <yuancan@huawei.com>
Date: Thu, 17 Nov 2022 08:44:21 +0000
Subject: scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper()
Git-commit: e208a1d795a08d1ac0398c79ad9c58106531bcc5
Patch-mainline: v6.1-rc6
References: git-fixes

If device_register() fails in sdebug_add_host_helper(), it will goto clean
and sdbg_host will be freed, but sdbg_host->host_list will not be removed
from sdebug_host_list, then list traversal may cause UAF. Fix it.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Link: https://lore.kernel.org/r/20221117084421.58918-1-yuancan@huawei.com
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Acked-by: Lee Duncan <lduncan@suse.com>
---
 drivers/scsi/scsi_debug.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -5577,8 +5577,12 @@ static int sdebug_add_adapter(void)
 
 	error = device_register(&sdbg_host->dev);
 
-	if (error)
+	if (error) {
+		spin_lock(&sdebug_host_list_lock);
+		list_del(&sdbg_host->host_list);
+		spin_unlock(&sdebug_host_list_lock);
 		goto clean;
+	}
 
 	++sdebug_add_host;
 	return error;