1. Patchew
  2. linux
  3. View series

[PATCH] [PATCH] scsi:bfa: Double-free vulnerability fix

jackysliu posted 1 patch 3 months, 2 weeks ago 
drivers/scsi/bfa/bfad_im.c | 1 +
1 file changed, 1 insertion(+)
[PATCH] [PATCH] scsi:bfa: Double-free vulnerability fix
Posted by jackysliu 3 months, 2 weeks ago 
In the QLogic BR-series Fibre Channel driver (bfad),
there exists a double-free vulnerability.
When the bfad_im_probe() function fails during initialization,
the memory pointed to by bfad->im is freed without
 setting bfad->im to NULL.
Subsequently, during driver uninstallation,
when the state machine enters the bfad_sm_stopping state
and calls the bfad_im_probe_undo() function,
it attempts to free the memory pointed to by bfad->im again,
thereby triggering a double-free vulnerability.

Signed-off-by: jackysliu <1972843537@qq.com>
---
 drivers/scsi/bfa/bfad_im.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/bfa/bfad_im.c b/drivers/scsi/bfa/bfad_im.c
index a719a18f0fbc..c21210064fbd 100644
--- a/drivers/scsi/bfa/bfad_im.c
+++ b/drivers/scsi/bfa/bfad_im.c
@@ -706,6 +706,7 @@ bfad_im_probe(struct bfad_s *bfad)
 
 	if (bfad_thread_workq(bfad) != BFA_STATUS_OK) {
 		kfree(im);
+		bfad->im = NULL;
 		return BFA_STATUS_FAILED;
 	}
 
-- 
2.43.5
Re: [PATCH] [PATCH] scsi:bfa: Double-free vulnerability fix
Posted by Krzysztof Kozlowski 2 months, 3 weeks ago 
On 24/06/2025 13:58, jackysliu wrote:
> In the QLogic BR-series Fibre Channel driver (bfad),
> there exists a double-free vulnerability.
> When the bfad_im_probe() function fails during initialization,
> the memory pointed to by bfad->im is freed without
>  setting bfad->im to NULL.
> Subsequently, during driver uninstallation,
> when the state machine enters the bfad_sm_stopping state
> and calls the bfad_im_probe_undo() function,
> it attempts to free the memory pointed to by bfad->im again,
> thereby triggering a double-free vulnerability.
> 
> Signed-off-by: jackysliu <1972843537@qq.com>
> ---
>  drivers/scsi/bfa/bfad_im.c | 1 +
>  1 file changed, 1 insertion(+)


You should disclose that you used some AI tool for that... and that
other report(s) was really fake finding.  People should know you
generated it with AI, so they could make informed decision whether to
even allocate time here.

Best regards,
Krzysztof
Re: [PATCH] scsi:bfa: Double-free vulnerability fix
Posted by jackysliu 2 months, 3 weeks ago 
On Tue, Jul 15 2025 12:45:00 +0200 Krzysztof Kozlowski wrote:
>You should disclose that you used some AI tool for that... and that
>other report(s) was really fake finding.  People should know you
>generated it with AI, so they could make informed decision whether to
>even allocate time here.

Although this problem was detected with the help of ai and static methods,
I checked the trigger path by myself and verified this problem. 
I'll describe the ways of detection if I find other issues in the future.
Anyway, thanks for your review.

Siyang Liu

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.