CVE-2022-49823

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ata: libata-transport: fix error handling in ata_tdev_add()<br /> <br /> In ata_tdev_add(), the return value of transport_add_device() is<br /> not checked. As a result, it causes null-ptr-deref while removing<br /> the module, because transport_remove_device() is called to remove<br /> the device that was not added.<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0<br /> CPU: 13 PID: 13603 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc3+ #36<br /> pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : device_del+0x48/0x3a0<br /> lr : device_del+0x44/0x3a0<br /> Call trace:<br /> device_del+0x48/0x3a0<br /> attribute_container_class_device_del+0x28/0x40<br /> transport_remove_classdev+0x60/0x7c<br /> attribute_container_device_trigger+0x118/0x120<br /> transport_remove_device+0x20/0x30<br /> ata_tdev_delete+0x24/0x50 [libata]<br /> ata_tlink_delete+0x40/0xa0 [libata]<br /> ata_tport_delete+0x2c/0x60 [libata]<br /> ata_port_detach+0x148/0x1b0 [libata]<br /> ata_pci_remove_one+0x50/0x80 [libata]<br /> ahci_remove_one+0x4c/0x8c [ahci]<br /> <br /> Fix this by checking and handling return value of transport_add_device()<br /> in ata_tdev_add(). In the error path, device_del() is called to delete<br /> the device which was added earlier in this function, and ata_tdev_free()<br /> is called to free ata_dev.