From: Sasha Levin <sashal@kernel.org>
Date: Sun, 1 Sep 2024 11:25:54 +0000 (-0400)
Subject: Fixes for 5.4
X-Git-Tag: v4.19.321~11
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=56ba9c9ab71e37636dea62f750715e371162ced4;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/queue-5.4/scsi-aacraid-fix-double-free-on-probe-failure.patch b/queue-5.4/scsi-aacraid-fix-double-free-on-probe-failure.patch
new file mode 100644
index 00000000000..14651db9fb4
--- /dev/null
+++ b/queue-5.4/scsi-aacraid-fix-double-free-on-probe-failure.patch
@@ -0,0 +1,54 @@
+From b6f6abe2fca350e3bafbc8732371e0d54569f585 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 00:51:42 +0200
+Subject: scsi: aacraid: Fix double-free on probe failure
+
+From: Ben Hutchings <benh@debian.org>
+
+[ Upstream commit 919ddf8336f0b84c0453bac583808c9f165a85c2 ]
+
+aac_probe_one() calls hardware-specific init functions through the
+aac_driver_ident::init pointer, all of which eventually call down to
+aac_init_adapter().
+
+If aac_init_adapter() fails after allocating memory for aac_dev::queues,
+it frees the memory but does not clear that member.
+
+After the hardware-specific init function returns an error,
+aac_probe_one() goes down an error path that frees the memory pointed to
+by aac_dev::queues, resulting.in a double-free.
+
+Reported-by: Michael Gordon <m.gordon.zelenoborsky@gmail.com>
+Link: https://bugs.debian.org/1075855
+Fixes: 8e0c5ebde82b ("[SCSI] aacraid: Newer adapter communication iterface support")
+Signed-off-by: Ben Hutchings <benh@debian.org>
+Link: https://lore.kernel.org/r/ZsZvfqlQMveoL5KQ@decadent.org.uk
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/aacraid/comminit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c
+index d4fcfa1e54e02..8849eca08a494 100644
+--- a/drivers/scsi/aacraid/comminit.c
++++ b/drivers/scsi/aacraid/comminit.c
+@@ -638,6 +638,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev)
+ 
+ 	if (aac_comm_init(dev)<0){
+ 		kfree(dev->queues);
++		dev->queues = NULL;
+ 		return NULL;
+ 	}
+ 	/*
+@@ -645,6 +646,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev)
+ 	 */
+ 	if (aac_fib_setup(dev) < 0) {
+ 		kfree(dev->queues);
++		dev->queues = NULL;
+ 		return NULL;
+ 	}
+ 		
+-- 
+2.43.0
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 08356a4d08d..7bb41ee7eb2 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -131,3 +131,4 @@ usb-dwc3-st-fix-probed-platform-device-ref-count-on-probe-error-path.patch
 usb-dwc3-st-add-missing-depopulate-in-probe-error-path.patch
 usb-core-sysfs-unmerge-usb3_hardware_lpm_attr_group-in-remove_power_attributes.patch
 net-dsa-mv8e6xxx-fix-stub-function-parameters.patch
+scsi-aacraid-fix-double-free-on-probe-failure.patch