diff mbox series

scsi: megaraid_sas: fix a use-after-free in megasas_alloc_cmdlist_fusion

Message ID 20231204084727.23114-1-dinghao.liu@zju.edu.cn (mailing list archive)
State New, archived
Headers show
Series scsi: megaraid_sas: fix a use-after-free in megasas_alloc_cmdlist_fusion | expand

Commit Message

Dinghao Liu Dec. 4, 2023, 8:47 a.m. UTC 
When kzalloc() fails, megasas_alloc_cmdlist_fusion will free
fusion->cmd_list and its array elements. However, the caller
megasas_alloc_cmds_fusion() will call megasas_free_cmds_fusion()
on the same failure, which tries to free fusion->cmd_list again
and leads to a use-after-free. Fix this by setting
fusion->cmd_list to NULL after kfree().

Fixes: 70c54e210ee9 ("scsi: megaraid_sas: fix memleak in megasas_alloc_cmdlist_fusion")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
---
 drivers/scsi/megaraid/megaraid_sas_fusion.c | 1 +
 1 file changed, 1 insertion(+)
diff mbox series

Patch

diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c
index c60014e07b44..a47735e64624 100644
--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -613,6 +613,7 @@  megasas_alloc_cmdlist_fusion(struct megasas_instance *instance)
 			for (j = 0; j < i; j++)
 				kfree(fusion->cmd_list[j]);
 			kfree(fusion->cmd_list);
+			fusion->cmd_list = NULL;
 			dev_err(&instance->pdev->dev,
 				"Failed from %s %d\n",  __func__, __LINE__);
 			return -ENOMEM;