From 46ab3871c606cc1e985befb6006ab495174b31c3 Mon Sep 17 00:00:00 2001 From: Julian Wiedmann Date: Tue, 26 Mar 2024 22:30:04 +0800 Subject: [PATCH] net/smc: remove device from smcd_dev_list after failed device_add() mainline inclusion from mainline-v5.13-rc4 commit 444d7be9532dcfda8e0385226c862fd7e986f607 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9BGMR CVE: CVE-2021-47143 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=444d7be9532dcfda8e0385226c862fd7e986f607 -------------------------------- If the device_add() for a smcd_dev fails, there's no cleanup step that rolls back the earlier list_add(). The device subsequently gets freed, and we end up with a corrupted list. Add some error handling that removes the device from the list. Fixes: c6ba7c9ba43d ("net/smc: add base infrastructure for SMC-D and ISM") Signed-off-by: Julian Wiedmann Signed-off-by: Karsten Graul Signed-off-by: David S. Miller Conflicts: net/smc/smc_ism.c Signed-off-by: Zhengchao Shao --- net/smc/smc_ism.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/net/smc/smc_ism.c b/net/smc/smc_ism.c index e36f21ce7252..05ad14630d12 100644 --- a/net/smc/smc_ism.c +++ b/net/smc/smc_ism.c @@ -274,11 +274,20 @@ EXPORT_SYMBOL_GPL(smcd_alloc_dev); int smcd_register_dev(struct smcd_dev *smcd) { + int rc; + spin_lock(&smcd_dev_list.lock); list_add_tail(&smcd->list, &smcd_dev_list.list); spin_unlock(&smcd_dev_list.lock); - return device_add(&smcd->dev); + rc = device_add(&smcd->dev); + if (rc) { + spin_lock(&smcd_dev_list.lock); + list_del(&smcd->list); + spin_unlock(&smcd_dev_list.lock); + } + + return rc; } EXPORT_SYMBOL_GPL(smcd_register_dev); -- Gitee