[PATCH] aacraid: Fix double-free on probe failure

public inbox for linux-scsi@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] aacraid: Fix double-free on probe failure
@ 2024-08-21 22:51 Ben Hutchings
  2024-08-23  1:56 ` Martin K. Petersen
  0 siblings, 1 reply; 2+ messages in thread
From: Ben Hutchings @ 2024-08-21 22:51 UTC (permalink / raw)
  To: James E.J. Bottomley, Martin K. Petersen
  Cc: Adaptec OEM Raid Solutions, linux-scsi

[-- Attachment #1: Type: text/plain, Size: 1373 bytes --]

aac_probe_one() calls hardware-specific init functions through the
aac_driver_ident::init pointer, all of which eventually call down to
aac_init_adapter().

If aac_init_adapter() fails after allocating memory for
aac_dev::queues, it frees the memory but does not clear that member.

After the hardware-specific init function returns an error,
aac_probe_one() goes down an error path that frees the memory pointed
to by aac_dev::queues, resulting.in a double-free.

Reported-by: Michael Gordon <m.gordon.zelenoborsky@gmail.com>
References: https://bugs.debian.org/1075855
Fixes: 8e0c5ebde82b ("[SCSI] aacraid: Newer adapter communication iterface support")
Signed-off-by: Ben Hutchings <benh@debian.org>
---
 drivers/scsi/aacraid/comminit.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c
index bd99c5492b7d..0f64b0244303 100644
--- a/drivers/scsi/aacraid/comminit.c
+++ b/drivers/scsi/aacraid/comminit.c
@@ -642,6 +642,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev)
 
 	if (aac_comm_init(dev)<0){
 		kfree(dev->queues);
+		dev->queues = NULL;
 		return NULL;
 	}
 	/*
@@ -649,6 +650,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev)
 	 */
 	if (aac_fib_setup(dev) < 0) {
 		kfree(dev->queues);
+		dev->queues = NULL;
 		return NULL;
 	}
 		

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] aacraid: Fix double-free on probe failure
  2024-08-21 22:51 [PATCH] aacraid: Fix double-free on probe failure Ben Hutchings
@ 2024-08-23  1:56 ` Martin K. Petersen
  0 siblings, 0 replies; 2+ messages in thread
From: Martin K. Petersen @ 2024-08-23  1:56 UTC (permalink / raw)
  To: James E.J. Bottomley, Ben Hutchings
  Cc: Martin K . Petersen, Adaptec OEM Raid Solutions, linux-scsi

On Thu, 22 Aug 2024 00:51:42 +0200, Ben Hutchings wrote:

> aac_probe_one() calls hardware-specific init functions through the
> aac_driver_ident::init pointer, all of which eventually call down to
> aac_init_adapter().
> 
> If aac_init_adapter() fails after allocating memory for
> aac_dev::queues, it frees the memory but does not clear that member.
> 
> [...]

Applied to 6.11/scsi-fixes, thanks!

[1/1] aacraid: Fix double-free on probe failure
      https://git.kernel.org/mkp/scsi/c/919ddf8336f0

-- 
Martin K. Petersen	Oracle Linux Engineering

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2024-08-23  1:56 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-08-21 22:51 [PATCH] aacraid: Fix double-free on probe failure Ben Hutchings
2024-08-23  1:56 ` Martin K. Petersen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox