In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()
In mpt3sas_transport_port_add(), if sas_rphy_add() returns error, sas_rphy_free() needs to be called to free the resource allocated in sas_end_device_alloc(). Otherwise a kernel crash will happen:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108
CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : device_del+0x54/0x3d0
lr : device_del+0x37c/0x3d0
Call trace:
 device_del+0x54/0x3d0
 attribute_container_class_device_del+0x28/0x38
 transport_remove_classdev+0x6c/0x80
 attribute_container_device_trigger+0x108/0x110
 transport_remove_device+0x28/0x38
 sas_rphy_remove+0x50/0x78 [scsi_transport_sas]
 sas_port_delete+0x30/0x148 [scsi_transport_sas]
 do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
 device_for_each_child+0x68/0xb0
 sas_remove_children+0x30/0x50 [scsi_transport_sas]
 sas_rphy_remove+0x38/0x78 [scsi_transport_sas]
 sas_port_delete+0x30/0x148 [scsi_transport_sas]
 do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
 device_for_each_child+0x68/0xb0
 sas_remove_children+0x30/0x50 [scsi_transport_sas]
 sas_remove_host+0x20/0x38 [scsi_transport_sas]
 scsih_remove+0xd8/0x420 [mpt3sas]
Because transport_add_device() is not called when sas_rphy_add() fails, the device is not added. When sas_rphy_remove() is subsequently called to remove the device in the remove() path, a NULL pointer dereference happens.
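
The error path described above, reduced to a user-space C model as an added example (not the kernel's or the mpt3sas driver's code). All model_* names are hypothetical stand-ins, and the model returns a fault flag at the point where the kernel would dereference state that was never set up.

```c
/* User-space model (constructed). model_* names are hypothetical stand-ins,
 * not kernel APIs; model_add() plays the role of sas_rphy_add(). */
#include <stdbool.h>
#include <stdlib.h>

struct model_rphy { bool registered; };   /* true only when add succeeded */
struct model_port { struct model_rphy *rphy; };
static int live_allocs;                   /* outstanding allocations */

static struct model_rphy *model_alloc(void) {
    struct model_rphy *r = calloc(1, sizeof(*r));
    if (r) live_allocs++;
    return r;
}
static void model_free(struct model_rphy *r) { free(r); live_allocs--; }
static int model_add(struct model_rphy *r, bool fail) {
    r->registered = !fail;
    return fail ? -1 : 0;
}
/* Add path: fixed=true frees the object when registration fails;
 * fixed=false keeps the unregistered object attached to the port. */
static int model_port_add(struct model_port *p, bool add_fails, bool fixed) {
    struct model_rphy *r = model_alloc();
    if (!r) return -1;
    if (model_add(r, add_fails) != 0 && fixed) {
        model_free(r);
        return -1;
    }
    p->rphy = r;
    return 0;
}
/* Remove path: returns 1 where teardown would touch unregistered state. */
static int model_port_remove(struct model_port *p) {
    struct model_rphy *r = p->rphy;
    if (!r) return 0;
    if (!r->registered) return 1;
    p->rphy = NULL;
    model_free(r);
    return 0;
}
/* Add then remove; returns the fault flag and reports leaked allocations. */
int model_run(bool add_fails, bool fixed, int *leaked) {
    struct model_port p = { NULL };
    live_allocs = 0;
    model_port_add(&p, add_fails, fixed);
    int fault = model_port_remove(&p);
    *leaked = live_allocs;
    free(p.rphy);   /* tidy the model's heap; free(NULL) is a no-op */
    return fault;
}
```

Calling model_run(true, false, &leaked) reproduces the unfixed behaviour (fault flag set, one allocation leaked); model_run(true, true, &leaked) shows the freed-on-failure path leaving nothing for the remove path to trip over.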