From: Julian Wiedmann <jwi@linux.ibm.com> mainline inclusion from mainline-v5.13-rc4 commit 444d7be9532dcfda8e0385226c862fd7e986f607 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9BGMR CVE: CVE-2021-47143 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- If the device_add() for a smcd_dev fails, there's no cleanup step that rolls back the earlier list_add(). The device subsequently gets freed, and we end up with a corrupted list. Add some error handling that removes the device from the list. Fixes: c6ba7c9ba43d ("net/smc: add base infrastructure for SMC-D and ISM") Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com> Signed-off-by: Karsten Graul <kgraul@linux.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> Conflicts: net/smc/smc_ism.c Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> --- net/smc/smc_ism.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/net/smc/smc_ism.c b/net/smc/smc_ism.c index e36f21ce7252..05ad14630d12 100644 --- a/net/smc/smc_ism.c +++ b/net/smc/smc_ism.c @@ -274,11 +274,20 @@ EXPORT_SYMBOL_GPL(smcd_alloc_dev); int smcd_register_dev(struct smcd_dev *smcd) { + int rc; + spin_lock(&smcd_dev_list.lock); list_add_tail(&smcd->list, &smcd_dev_list.list); spin_unlock(&smcd_dev_list.lock); - return device_add(&smcd->dev); + rc = device_add(&smcd->dev); + if (rc) { + spin_lock(&smcd_dev_list.lock); + list_del(&smcd->list); + spin_unlock(&smcd_dev_list.lock); + } + + return rc; } EXPORT_SYMBOL_GPL(smcd_register_dev); -- 2.34.1