| Message ID | ZsZvfqlQMveoL5KQ@decadent.org.uk (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 919ddf8336f0b84c0453bac583808c9f165a85c2 |
| Headers | show |
| Series | aacraid: Fix double-free on probe failure | expand |
On Thu, 22 Aug 2024 00:51:42 +0200, Ben Hutchings wrote: > aac_probe_one() calls hardware-specific init functions through the > aac_driver_ident::init pointer, all of which eventually call down to > aac_init_adapter(). > > If aac_init_adapter() fails after allocating memory for > aac_dev::queues, it frees the memory but does not clear that member. > > [...] Applied to 6.11/scsi-fixes, thanks! [1/1] aacraid: Fix double-free on probe failure https://git.kernel.org/mkp/scsi/c/919ddf8336f0
diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c index bd99c5492b7d..0f64b0244303 100644 --- a/drivers/scsi/aacraid/comminit.c +++ b/drivers/scsi/aacraid/comminit.c @@ -642,6 +642,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev) if (aac_comm_init(dev)<0){ kfree(dev->queues); + dev->queues = NULL; return NULL; } /* @@ -649,6 +650,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev) */ if (aac_fib_setup(dev) < 0) { kfree(dev->queues); + dev->queues = NULL; return NULL; }
aac_probe_one() calls hardware-specific init functions through the aac_driver_ident::init pointer, all of which eventually call down to aac_init_adapter(). If aac_init_adapter() fails after allocating memory for aac_dev::queues, it frees the memory but does not clear that member. After the hardware-specific init function returns an error, aac_probe_one() goes down an error path that frees the memory pointed to by aac_dev::queues, resulting.in a double-free. Reported-by: Michael Gordon <m.gordon.zelenoborsky@gmail.com> References: https://bugs.debian.org/1075855 Fixes: 8e0c5ebde82b ("[SCSI] aacraid: Newer adapter communication iterface support") Signed-off-by: Ben Hutchings <benh@debian.org> --- drivers/scsi/aacraid/comminit.c | 2 ++ 1 file changed, 2 insertions(+)