Fixes for 5.4

author Sasha Levin <sashal@kernel.org>

Sun, 1 Sep 2024 11:25:54 +0000 (07:25 -0400)

committer Sasha Levin <sashal@kernel.org>

Sun, 1 Sep 2024 11:25:54 +0000 (07:25 -0400)
author Sasha Levin <sashal@kernel.org>
Sun, 1 Sep 2024 11:25:54 +0000 (07:25 -0400)
committer Sasha Levin <sashal@kernel.org>
Sun, 1 Sep 2024 11:25:54 +0000 (07:25 -0400)
diff --git a/queue-5.4/scsi-aacraid-fix-double-free-on-probe-failure.patch b/queue-5.4/scsi-aacraid-fix-double-free-on-probe-failure.patch

new file mode 100644 (file)

index 0000000..14651db
--- /dev/null
+++ b/queue-5.4/scsi-aacraid-fix-double-free-on-probe-failure.patch
@@ -0,0 +1,54 @@
+From b6f6abe2fca350e3bafbc8732371e0d54569f585 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 00:51:42 +0200
+Subject: scsi: aacraid: Fix double-free on probe failure
+
+From: Ben Hutchings <benh@debian.org>
+
+[ Upstream commit 919ddf8336f0b84c0453bac583808c9f165a85c2 ]
+
+aac_probe_one() calls hardware-specific init functions through the
+aac_driver_ident::init pointer, all of which eventually call down to
+aac_init_adapter().
+
+If aac_init_adapter() fails after allocating memory for aac_dev::queues,
+it frees the memory but does not clear that member.
+
+After the hardware-specific init function returns an error,
+aac_probe_one() goes down an error path that frees the memory pointed to
+by aac_dev::queues, resulting.in a double-free.
+
+Reported-by: Michael Gordon <m.gordon.zelenoborsky@gmail.com>
+Link: https://bugs.debian.org/1075855
+Fixes: 8e0c5ebde82b ("[SCSI] aacraid: Newer adapter communication iterface support")
+Signed-off-by: Ben Hutchings <benh@debian.org>
+Link: https://lore.kernel.org/r/ZsZvfqlQMveoL5KQ@decadent.org.uk
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/aacraid/comminit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c
+index d4fcfa1e54e02..8849eca08a494 100644
+--- a/drivers/scsi/aacraid/comminit.c
++++ b/drivers/scsi/aacraid/comminit.c
+@@ -638,6 +638,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev)
+ 
+       if (aac_comm_init(dev)<0){
+               kfree(dev->queues);
++              dev->queues = NULL;
+               return NULL;
+       }
+       /*
+@@ -645,6 +646,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev)
+        */
+       if (aac_fib_setup(dev) < 0) {
+               kfree(dev->queues);
++              dev->queues = NULL;
+               return NULL;
+       }
+               
+-- 
+2.43.0
+
diff --git a/queue-5.4/series b/queue-5.4/series

index 08356a4d08db7b435c01f567b1527e66c8f50c0b..7bb41ee7eb27b655abe2a7f527c8a544e0a44ce4 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -131,3 +131,4 @@ usb-dwc3-st-fix-probed-platform-device-ref-count-on-probe-error-path.patch
  usb-dwc3-st-add-missing-depopulate-in-probe-error-path.patch
  usb-core-sysfs-unmerge-usb3_hardware_lpm_attr_group-in-remove_power_attributes.patch
  net-dsa-mv8e6xxx-fix-stub-function-parameters.patch
+scsi-aacraid-fix-double-free-on-probe-failure.patch
author	Sasha Levin <sashal@kernel.org>
	Sun, 1 Sep 2024 11:25:54 +0000 (07:25 -0400)
committer	Sasha Levin <sashal@kernel.org>
	Sun, 1 Sep 2024 11:25:54 +0000 (07:25 -0400)
queue-5.4/scsi-aacraid-fix-double-free-on-probe-failure.patch	[new file with mode: 0644]	patch \| blob
queue-5.4/series		patch \| blob \| blame \| history