From: Sasha Levin <sashal@kernel.org>
Date: Sun, 1 Sep 2024 11:25:55 +0000 (-0400)
Subject: Fixes for 4.19
X-Git-Tag: v4.19.321~10
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=47c5e3c09e5cb4d5f0dd874678b7415dda4b42d7;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 4.19

Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/queue-4.19/scsi-aacraid-fix-double-free-on-probe-failure.patch b/queue-4.19/scsi-aacraid-fix-double-free-on-probe-failure.patch
new file mode 100644
index 00000000000..f01f3736bed
--- /dev/null
+++ b/queue-4.19/scsi-aacraid-fix-double-free-on-probe-failure.patch
@@ -0,0 +1,54 @@
+From 65abd9b507848ae493ca22f107fb46cf0921c468 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 00:51:42 +0200
+Subject: scsi: aacraid: Fix double-free on probe failure
+
+From: Ben Hutchings <benh@debian.org>
+
+[ Upstream commit 919ddf8336f0b84c0453bac583808c9f165a85c2 ]
+
+aac_probe_one() calls hardware-specific init functions through the
+aac_driver_ident::init pointer, all of which eventually call down to
+aac_init_adapter().
+
+If aac_init_adapter() fails after allocating memory for aac_dev::queues,
+it frees the memory but does not clear that member.
+
+After the hardware-specific init function returns an error,
+aac_probe_one() goes down an error path that frees the memory pointed to
+by aac_dev::queues, resulting.in a double-free.
+
+Reported-by: Michael Gordon <m.gordon.zelenoborsky@gmail.com>
+Link: https://bugs.debian.org/1075855
+Fixes: 8e0c5ebde82b ("[SCSI] aacraid: Newer adapter communication iterface support")
+Signed-off-by: Ben Hutchings <benh@debian.org>
+Link: https://lore.kernel.org/r/ZsZvfqlQMveoL5KQ@decadent.org.uk
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/aacraid/comminit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c
+index 0dc7b5a4fea25..0378fd3eb0392 100644
+--- a/drivers/scsi/aacraid/comminit.c
++++ b/drivers/scsi/aacraid/comminit.c
+@@ -652,6 +652,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev)
+ 
+ 	if (aac_comm_init(dev)<0){
+ 		kfree(dev->queues);
++		dev->queues = NULL;
+ 		return NULL;
+ 	}
+ 	/*
+@@ -659,6 +660,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev)
+ 	 */
+ 	if (aac_fib_setup(dev) < 0) {
+ 		kfree(dev->queues);
++		dev->queues = NULL;
+ 		return NULL;
+ 	}
+ 		
+-- 
+2.43.0
+
diff --git a/queue-4.19/series b/queue-4.19/series
index dc872cda958..e2a062f3d04 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -93,3 +93,4 @@ usb-dwc3-omap-add-missing-depopulate-in-probe-error-path.patch
 usb-dwc3-core-prevent-usb-core-invalid-event-buffer-address-access.patch
 usb-dwc3-st-fix-probed-platform-device-ref-count-on-probe-error-path.patch
 usb-core-sysfs-unmerge-usb3_hardware_lpm_attr_group-in-remove_power_attributes.patch
+scsi-aacraid-fix-double-free-on-probe-failure.patch