[PATCH -next] scsi: snic: fix double free in snic_tgt_create()

From: Zhu Wang <wangzhu9@huawei.com>
To: <kartilak@cisco.com>, <sebaddel@cisco.com>, <jejb@linux.ibm.com>,
	<martin.petersen@oracle.com>, <nmusini@cisco.com>,
	<bvanassche@acm.org>, <dan.carpenter@linaro.org>,
	<linux-scsi@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Cc: <wangzhu9@huawei.com>
Subject: [PATCH -next] scsi: snic: fix double free in snic_tgt_create()
Date: Sat, 19 Aug 2023 08:39:41 +0000	[thread overview]
Message-ID: <20230819083941.164365-1-wangzhu9@huawei.com> (raw)

The commit 41320b18a0e0 ("scsi: snic: Fix possible memory leak if
device_add() fails") fix the memory leak caused by dev_set_name() when
device_add() failed. While it did not consider that 'tgt' has already been
released when put_device(&tgt->dev) is called. We removed kfree(tgt) in
the error path to avoid double free 'tgt'. And we moved
put_device(&tgt->dev) after the removed kfree(tgt) to avoid UAF
(Use-After-Free).

Fixes: 41320b18a0e0 ("scsi: snic: Fix possible memory leak if device_add() fails")
Signed-off-by: Zhu Wang <wangzhu9@huawei.com>
---
 drivers/scsi/snic/snic_disc.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/scsi/snic/snic_disc.c b/drivers/scsi/snic/snic_disc.c
index e429ad23c396..4db3ba62fcd3 100644
--- a/drivers/scsi/snic/snic_disc.c
+++ b/drivers/scsi/snic/snic_disc.c
@@ -303,12 +303,11 @@ snic_tgt_create(struct snic *snic, struct snic_tgt_id *tgtid)
 			      "Snic Tgt: device_add, with err = %d\n",
 			      ret);
 
-		put_device(&tgt->dev);
 		put_device(&snic->shost->shost_gendev);
 		spin_lock_irqsave(snic->shost->host_lock, flags);
 		list_del(&tgt->list);
 		spin_unlock_irqrestore(snic->shost->host_lock, flags);
-		kfree(tgt);
+		put_device(&tgt->dev);
 		tgt = NULL;
 
 		return tgt;
-- 
2.34.1

