diff mbox series

scsi: scsi_transport_spi: Fix unhandled errors in spi_transport_init()

Message ID 20221103092223.192181-1-chenzhongjin@huawei.com
State New
Headers show
Series scsi: scsi_transport_spi: Fix unhandled errors in spi_transport_init() | expand

Commit Message

Chen Zhongjin Nov. 3, 2022, 9:22 a.m. UTC 
In spi_transport_init(), error return values are not handled, which can
makes memory leak and list node leak.

anon_transport_class_register() calls attribute_container_register()
and add list node to attribute_container_list. If it is not unregistered
and removed, when iterating the list in other modules, already released
memory &spi_device_class will be accessed and cause kernel panic:

KASAN: maybe wild-memory-access in range
[0x8febffffffeac550-0x8febffffffeac557]
CPU: 0 PID: 381 Comm: modprobe
Hardware name: QEMU Standard PC
RIP: 0010:attribute_container_add_device+0xe2/0x320
...
Call Trace:
 <TASK>
 scsi_sysfs_add_host+0x1d/0x40
 scsi_add_host_with_dma.cold+0x73d/0x79c
 sdebug_driver_probe+0x50f/0x6f0 [scsi_debug]
 ...

Add error handling in spi_transport_init() to avoid kernel panic when
module fails to load.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
---
 drivers/scsi/scsi_transport_spi.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff mbox series

Patch

diff --git a/drivers/scsi/scsi_transport_spi.c b/drivers/scsi/scsi_transport_spi.c
index f569cf0095c2..2af81118a191 100644
--- a/drivers/scsi/scsi_transport_spi.c
+++ b/drivers/scsi/scsi_transport_spi.c
@@ -1620,9 +1620,22 @@  static __init int spi_transport_init(void)
 
 	error = transport_class_register(&spi_transport_class);
 	if (error)
-		return error;
+		goto err_list;
 	error = anon_transport_class_register(&spi_device_class);
-	return transport_class_register(&spi_host_class);
+	if (error)
+		goto err_transport;
+	error = transport_class_register(&spi_host_class);
+	if (error)
+		goto err_device;
+	return 0;
+
+err_device:
+	anon_transport_class_unregister(&spi_device_class);
+err_transport:
+	transport_class_unregister(&spi_transport_class);
+err_list:
+	scsi_dev_info_remove_list(SCSI_DEVINFO_SPI);
+	return error;
 }
 
 static void __exit spi_transport_exit(void)