Message ID | 20231204084727.23114-1-dinghao.liu@zju.edu.cn (mailing list archive) |
---|---|
State | New, archived |
Series | scsi: megaraid_sas: fix a use-after-free in megasas_alloc_cmdlist_fusion |
diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c index c60014e07b44..a47735e64624 100644 --- a/drivers/scsi/megaraid/megaraid_sas_fusion.c +++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c @@ -613,6 +613,7 @@ megasas_alloc_cmdlist_fusion(struct megasas_instance *instance) for (j = 0; j < i; j++) kfree(fusion->cmd_list[j]); kfree(fusion->cmd_list); + fusion->cmd_list = NULL; dev_err(&instance->pdev->dev, "Failed from %s %d\n", __func__, __LINE__); return -ENOMEM;
When kzalloc() fails, megasas_alloc_cmdlist_fusion will free fusion->cmd_list and its array elements. However, the caller megasas_alloc_cmds_fusion() will call megasas_free_cmds_fusion() on the same failure, which tries to free fusion->cmd_list again and leads to a use-after-free. Fix this by setting fusion->cmd_list to NULL after kfree().

Fixes: 70c54e210ee9 ("scsi: megaraid_sas: fix memleak in megasas_alloc_cmdlist_fusion")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>

---
 drivers/scsi/megaraid/megaraid_sas_fusion.c | 1 +
 1 file changed, 1 insertion(+)
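
Review bot: The added `fusion->cmd_list = NULL;` after `kfree(fusion->cmd_list);` only prevents the second free if megasas_free_cmds_fusion() tests fusion->cmd_list for NULL before it indexes into the array, and that function is not visible in this hunk. Please confirm the check exists and say so in the commit message; without it, the caller's cleanup would turn the use-after-free into a NULL pointer dereference. The description could also state that freeing fusion->cmd_list a second time is a double free as well, since the subject line mentions only the use-after-free.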