scsi: aacraid: Fix double-free on probe failure

benh-debian · martinkpetersen · commit 919ddf8336f0 · 2024-08-22T21:04:12.000-04:00
aac_probe_one() calls hardware-specific init functions through the aac_driver_ident::init pointer, all of which eventually call down to aac_init_adapter(). If aac_init_adapter() fails after allocating memory for aac_dev::queues, it frees the memory but does not clear that member. After the hardware-specific init function returns an error, aac_probe_one() goes down an error path that frees the memory pointed to by aac_dev::queues, resulting.in a double-free. Reported-by: Michael Gordon <m.gordon.zelenoborsky@gmail.com> Link: https://bugs.debian.org/1075855 Fixes: 8e0c5eb ("[SCSI] aacraid: Newer adapter communication iterface support") Signed-off-by: Ben Hutchings <benh@debian.org> Link: https://lore.kernel.org/r/ZsZvfqlQMveoL5KQ@decadent.org.uk Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c
@@ -642,13 +642,15 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev)
 
 	if (aac_comm_init(dev)<0){
 		kfree(dev->queues);
+		dev->queues = NULL;
 		return NULL;
 	}
 	/*
 	 *	Initialize the list of fibs
 	 */
 	if (aac_fib_setup(dev) < 0) {
 		kfree(dev->queues);
+		dev->queues = NULL;
 		return NULL;
 	}
 		

Original file line number	Diff line number	Diff line change
`@@ -642,13 +642,15 @@ struct aac_dev aac_init_adapter(struct aac_dev dev)`
`642`	`642`
`643`	`643`	`if (aac_comm_init(dev)<0){`
`644`	`644`	`kfree(dev->queues);`
	`645`	`+ dev->queues = NULL;`
`645`	`646`	`return NULL;`
`646`	`647`	`}`
`647`	`648`	`/*`
`648`	`649`	`* Initialize the list of fibs`
`649`	`650`	`*/`
`650`	`651`	`if (aac_fib_setup(dev) < 0) {`
`651`	`652`	`kfree(dev->queues);`
	`653`	`+ dev->queues = NULL;`
`652`	`654`	`return NULL;`
`653`	`655`	`}`
`654`	`656`