* [PATCH] [PATCH] scsi:bfa: Double-free vulnerability fix
@ 2025-06-24 11:58 jackysliu
2025-07-15 10:45 ` Krzysztof Kozlowski
0 siblings, 1 reply; 3+ messages in thread
From: jackysliu @ 2025-06-24 11:58 UTC (permalink / raw)
To: anil.gurumurthy
Cc: sudarsana.kalluru, James.Bottomley, martin.petersen, linux-scsi,
linux-kernel, jackysliu
In the QLogic BR-series Fibre Channel driver (bfad),
there exists a double-free vulnerability.
When the bfad_im_probe() function fails during initialization,
the memory pointed to by bfad->im is freed without
setting bfad->im to NULL.
Subsequently, during driver uninstallation,
when the state machine enters the bfad_sm_stopping state
and calls the bfad_im_probe_undo() function,
it attempts to free the memory pointed to by bfad->im again,
thereby triggering a double-free vulnerability.
Signed-off-by: jackysliu <1972843537@qq.com>
---
drivers/scsi/bfa/bfad_im.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/bfa/bfad_im.c b/drivers/scsi/bfa/bfad_im.c
index a719a18f0fbc..c21210064fbd 100644
--- a/drivers/scsi/bfa/bfad_im.c
+++ b/drivers/scsi/bfa/bfad_im.c
@@ -706,6 +706,7 @@ bfad_im_probe(struct bfad_s *bfad)
if (bfad_thread_workq(bfad) != BFA_STATUS_OK) {
kfree(im);
+ bfad->im = NULL;
return BFA_STATUS_FAILED;
}
--
2.43.5
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] [PATCH] scsi:bfa: Double-free vulnerability fix
2025-06-24 11:58 [PATCH] [PATCH] scsi:bfa: Double-free vulnerability fix jackysliu
@ 2025-07-15 10:45 ` Krzysztof Kozlowski
2025-07-16 3:01 ` jackysliu
0 siblings, 1 reply; 3+ messages in thread
From: Krzysztof Kozlowski @ 2025-07-15 10:45 UTC (permalink / raw)
To: jackysliu, anil.gurumurthy
Cc: sudarsana.kalluru, James.Bottomley, martin.petersen, linux-scsi,
linux-kernel
On 24/06/2025 13:58, jackysliu wrote:
> In the QLogic BR-series Fibre Channel driver (bfad),
> there exists a double-free vulnerability.
> When the bfad_im_probe() function fails during initialization,
> the memory pointed to by bfad->im is freed without
> setting bfad->im to NULL.
> Subsequently, during driver uninstallation,
> when the state machine enters the bfad_sm_stopping state
> and calls the bfad_im_probe_undo() function,
> it attempts to free the memory pointed to by bfad->im again,
> thereby triggering a double-free vulnerability.
>
> Signed-off-by: jackysliu <1972843537@qq.com>
> ---
> drivers/scsi/bfa/bfad_im.c | 1 +
> 1 file changed, 1 insertion(+)
You should disclose that you used some AI tool for that... and that
other report(s) was really fake finding. People should know you
generated it with AI, so they could make informed decision whether to
even allocate time here.
Best regards,
Krzysztof
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] scsi:bfa: Double-free vulnerability fix
2025-07-15 10:45 ` Krzysztof Kozlowski
@ 2025-07-16 3:01 ` jackysliu
0 siblings, 0 replies; 3+ messages in thread
From: jackysliu @ 2025-07-16 3:01 UTC (permalink / raw)
To: krzk
Cc: 1972843537, James.Bottomley, anil.gurumurthy, linux-kernel,
linux-scsi, martin.petersen, sudarsana.kalluru
On Tue, Jul 15 2025 12:45:00 +0200 Krzysztof Kozlowski wrote:
>You should disclose that you used some AI tool for that... and that
>other report(s) was really fake finding. People should know you
>generated it with AI, so they could make informed decision whether to
>even allocate time here.
Although this problem was detected with the help of ai and static methods,
I checked the trigger path by myself and verified this problem.
I'll describe the ways of detection if I find other issues in the future.
Anyway, thanks for your review.
Siyang Liu
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-07-16 3:06 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-06-24 11:58 [PATCH] [PATCH] scsi:bfa: Double-free vulnerability fix jackysliu
2025-07-15 10:45 ` Krzysztof Kozlowski
2025-07-16 3:01 ` jackysliu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox