[PATCH openEuler-1.0-LTS] net/smc: remove device from smcd_dev_list after failed device_add()

From: Julian Wiedmann jwi@linux.ibm.com

mainline inclusion from mainline-v5.13-rc4 commit 444d7be9532dcfda8e0385226c862fd7e986f607 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9BGMR CVE: CVE-2021-47143

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

If the device_add() for a smcd_dev fails, there's no cleanup step that rolls back the earlier list_add(). The device subsequently gets freed, and we end up with a corrupted list.

Add some error handling that removes the device from the list.

Fixes: c6ba7c9ba43d ("net/smc: add base infrastructure for SMC-D and ISM") Signed-off-by: Julian Wiedmann jwi@linux.ibm.com Signed-off-by: Karsten Graul kgraul@linux.ibm.com Signed-off-by: David S. Miller davem@davemloft.net

Conflicts: net/smc/smc_ism.c

Signed-off-by: Zhengchao Shao shaozhengchao@huawei.com --- net/smc/smc_ism.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/net/smc/smc_ism.c b/net/smc/smc_ism.c index e36f21ce7252..05ad14630d12 100644 --- a/net/smc/smc_ism.c +++ b/net/smc/smc_ism.c @@ -274,11 +274,20 @@ EXPORT_SYMBOL_GPL(smcd_alloc_dev);

int smcd_register_dev(struct smcd_dev *smcd) { + int rc; + spin_lock(&smcd_dev_list.lock); list_add_tail(&smcd->list, &smcd_dev_list.list); spin_unlock(&smcd_dev_list.lock);

- return device_add(&smcd->dev); + rc = device_add(&smcd->dev); + if (rc) { + spin_lock(&smcd_dev_list.lock); + list_del(&smcd->list); + spin_unlock(&smcd_dev_list.lock); + } + + return rc; } EXPORT_SYMBOL_GPL(smcd_register_dev);