diff mbox series

scsi:bfa: Double-free vulnerability fix

Message ID tencent_3BB950D6D2D470976F55FC879206DE0B9A09@qq.com
State New
Headers show
Series scsi:bfa: Double-free vulnerability fix | expand

Commit Message

jackysliu June 24, 2025, 11:58 a.m. UTC 
In the QLogic BR-series Fibre Channel driver (bfad),
there exists a double-free vulnerability.
When the bfad_im_probe() function fails during initialization,
the memory pointed to by bfad->im is freed without
 setting bfad->im to NULL.
Subsequently, during driver uninstallation,
when the state machine enters the bfad_sm_stopping state
and calls the bfad_im_probe_undo() function,
it attempts to free the memory pointed to by bfad->im again,
thereby triggering a double-free vulnerability.

Signed-off-by: jackysliu <1972843537@qq.com>
---
 drivers/scsi/bfa/bfad_im.c | 1 +
 1 file changed, 1 insertion(+)
diff mbox series

Patch

diff --git a/drivers/scsi/bfa/bfad_im.c b/drivers/scsi/bfa/bfad_im.c
index a719a18f0fbc..c21210064fbd 100644
--- a/drivers/scsi/bfa/bfad_im.c
+++ b/drivers/scsi/bfa/bfad_im.c
@@ -706,6 +706,7 @@  bfad_im_probe(struct bfad_s *bfad)
 
 	if (bfad_thread_workq(bfad) != BFA_STATUS_OK) {
 		kfree(im);
+		bfad->im = NULL;
 		return BFA_STATUS_FAILED;
 	}