scsi: bfa: Double-free fix

forsaken641 · martinkpetersen · commit add4c4850363 · 2025-07-14T21:10:30.000-04:00
When the bfad_im_probe() function fails during initialization, the memory pointed to by bfad->im is freed without setting bfad->im to NULL. Subsequently, during driver uninstallation, when the state machine enters the bfad_sm_stopping state and calls the bfad_im_probe_undo() function, it attempts to free the memory pointed to by bfad->im again, thereby triggering a double-free vulnerability. Set bfad->im to NULL if probing fails. Signed-off-by: jackysliu <1972843537@qq.com> Link: https://lore.kernel.org/r/tencent_3BB950D6D2D470976F55FC879206DE0B9A09@qq.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
diff --git a/drivers/scsi/bfa/bfad_im.c b/drivers/scsi/bfa/bfad_im.c
@@ -706,6 +706,7 @@ bfad_im_probe(struct bfad_s *bfad)
 
 	if (bfad_thread_workq(bfad) != BFA_STATUS_OK) {
 		kfree(im);
+		bfad->im = NULL;
 		return BFA_STATUS_FAILED;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -706,6 +706,7 @@ bfad_im_probe(struct bfad_s *bfad)`
`706`	`706`
`707`	`707`	`if (bfad_thread_workq(bfad) != BFA_STATUS_OK) {`
`708`	`708`	`kfree(im);`
	`709`	`+ bfad->im = NULL;`
`709`	`710`	`return BFA_STATUS_FAILED;`
`710`	`711`	`}`
`711`	`712`