CVE-2022-49823

In the Linux kernel, the following vulnerability has been resolved:

ata: libata-transport: fix error handling in atatdevadd()

In atatdevadd(), the return value of transportadddevice() is not checked. As a result, it causes null-ptr-deref while removing the module, because transportremovedevice() is called to remove the device that was not added.

Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0 CPU: 13 PID: 13603 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc3+ #36 pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : devicedel+0x48/0x3a0 lr : devicedel+0x44/0x3a0 Call trace: devicedel+0x48/0x3a0 attributecontainerclassdevicedel+0x28/0x40 transportremoveclassdev+0x60/0x7c attributecontainerdevicetrigger+0x118/0x120 transportremovedevice+0x20/0x30 atatdevdelete+0x24/0x50 [libata] atatlinkdelete+0x40/0xa0 [libata] atatportdelete+0x2c/0x60 [libata] ataportdetach+0x148/0x1b0 [libata] atapciremoveone+0x50/0x80 [libata] ahciremove_one+0x4c/0x8c [ahci]

Fix this by checking and handling return value of transportadddevice() in atatdevadd(). In the error path, devicedel() is called to delete the device which was added earlier in this function, and atatdevfree() is called to free atadev.