https://github.com/torvalds/linux
Revision e208a1d795a08d1ac0398c79ad9c58106531bcc5 authored by Yuan Can on 17 November 2022, 08:44:21 UTC, committed by Martin K. Petersen on 17 November 2022, 17:48:32 UTC
If device_register() fails in sdebug_add_host_helper(), it will goto clean
and sdbg_host will be freed, but sdbg_host->host_list will not be removed
from sdebug_host_list, then list traversal may cause UAF. Fix it.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Link: https://lore.kernel.org/r/20221117084421.58918-1-yuancan@huawei.com
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
1 parent bc68e42
Tip revision: e208a1d795a08d1ac0398c79ad9c58106531bcc5 authored by Yuan Can on 17 November 2022, 08:44:21 UTC
scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper()
scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper()
Tip revision: e208a1d
| File | Mode | Size |
|---|---|---|
| Makefile | -rw-r--r-- | 366 bytes |
| advise.c | -rw-r--r-- | 2.1 KB |
| advise.h | -rw-r--r-- | 316 bytes |
| alloc_cache.h | -rw-r--r-- | 1.1 KB |
| cancel.c | -rw-r--r-- | 7.2 KB |
| cancel.h | -rw-r--r-- | 579 bytes |
| epoll.c | -rw-r--r-- | 1.5 KB |
| epoll.h | -rw-r--r-- | 213 bytes |
| fdinfo.c | -rw-r--r-- | 6.5 KB |
| fdinfo.h | -rw-r--r-- | 100 bytes |
| filetable.c | -rw-r--r-- | 4.4 KB |
| filetable.h | -rw-r--r-- | 2.5 KB |
| fs.c | -rw-r--r-- | 6.6 KB |
| fs.h | -rw-r--r-- | 929 bytes |
| io-wq.c | -rw-r--r-- | 33.4 KB |
| io-wq.h | -rw-r--r-- | 2.0 KB |
| io_uring.c | -rw-r--r-- | 106.3 KB |
| io_uring.h | -rw-r--r-- | 9.6 KB |
| kbuf.c | -rw-r--r-- | 13.2 KB |
| kbuf.h | -rw-r--r-- | 3.6 KB |
| msg_ring.c | -rw-r--r-- | 4.1 KB |
| msg_ring.h | -rw-r--r-- | 178 bytes |
| net.c | -rw-r--r-- | 35.7 KB |
| net.h | -rw-r--r-- | 2.2 KB |
| nop.c | -rw-r--r-- | 498 bytes |
| nop.h | -rw-r--r-- | 168 bytes |
| notif.c | -rw-r--r-- | 1.8 KB |
| notif.h | -rw-r--r-- | 896 bytes |
| opdef.c | -rw-r--r-- | 11.9 KB |
| opdef.h | -rw-r--r-- | 1.3 KB |
| openclose.c | -rw-r--r-- | 6.1 KB |
| openclose.h | -rw-r--r-- | 596 bytes |
| poll.c | -rw-r--r-- | 25.6 KB |
| poll.h | -rw-r--r-- | 1006 bytes |
| refs.h | -rw-r--r-- | 1.2 KB |
| rsrc.c | -rw-r--r-- | 31.4 KB |
| rsrc.h | -rw-r--r-- | 4.5 KB |
| rw.c | -rw-r--r-- | 27.1 KB |
| rw.h | -rw-r--r-- | 705 bytes |
| slist.h | -rw-r--r-- | 3.0 KB |
| splice.c | -rw-r--r-- | 2.9 KB |
| splice.h | -rw-r--r-- | 306 bytes |
| sqpoll.c | -rw-r--r-- | 9.5 KB |
| sqpoll.h | -rw-r--r-- | 753 bytes |
| statx.c | -rw-r--r-- | 1.6 KB |
| statx.h | -rw-r--r-- | 217 bytes |
| sync.c | -rw-r--r-- | 2.7 KB |
| sync.h | -rw-r--r-- | 460 bytes |
| tctx.c | -rw-r--r-- | 7.2 KB |
| tctx.h | -rw-r--r-- | 992 bytes |
| timeout.c | -rw-r--r-- | 16.6 KB |
| timeout.h | -rw-r--r-- | 1.2 KB |
| uring_cmd.c | -rw-r--r-- | 4.0 KB |
| uring_cmd.h | -rw-r--r-- | 494 bytes |
| xattr.c | -rw-r--r-- | 5.5 KB |
| xattr.h | -rw-r--r-- | 654 bytes |
Computing file changes ...
