[PATCH] [PATCH] scsi:bfa: Double-free vulnerability fix

From: jackysliu
Date: Tue Jun 24 2025 - 07:58:54 EST

Next message: Mark Brown: "Re: [PATCH 6.1 000/508] 6.1.142-rc1 review"
Previous message: Mark Brown: "Re: [PATCH 6.6 000/290] 6.6.95-rc1 review"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In the QLogic BR-series Fibre Channel driver (bfad),
there exists a double-free vulnerability.
When the bfad_im_probe() function fails during initialization,
the memory pointed to by bfad->im is freed without
setting bfad->im to NULL.
Subsequently, during driver uninstallation,
when the state machine enters the bfad_sm_stopping state
and calls the bfad_im_probe_undo() function,
it attempts to free the memory pointed to by bfad->im again,
thereby triggering a double-free vulnerability.

Signed-off-by: jackysliu <1972843537@xxxxxx>
---
drivers/scsi/bfa/bfad_im.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/bfa/bfad_im.c b/drivers/scsi/bfa/bfad_im.c
index a719a18f0fbc..c21210064fbd 100644
--- a/drivers/scsi/bfa/bfad_im.c
+++ b/drivers/scsi/bfa/bfad_im.c
@@ -706,6 +706,7 @@ bfad_im_probe(struct bfad_s *bfad)

if (bfad_thread_workq(bfad) != BFA_STATUS_OK) {
kfree(im);
+ bfad->im = NULL;
return BFA_STATUS_FAILED;
}

--
2.43.5

Next message: Mark Brown: "Re: [PATCH 6.1 000/508] 6.1.142-rc1 review"
Previous message: Mark Brown: "Re: [PATCH 6.6 000/290] 6.6.95-rc1 review"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]