Re: [PATCH] scsi: qedf: Fix a UAF bug in __qedf_probe

From: Martin K. Petersen
Date: Thu Sep 15 2022 - 23:02:29 EST

On Fri, 12 Nov 2021 20:06:41 +0800, Letu Ren wrote:

> In __qedf_probe, if `qedf->cdev` is NULL, which means
> qed_ops->common->probe() failed, then the program will goto label err1, and
> scsi_host_put() will free the `lport->host` pointer. Because the memory `qedf`
> points to is allocated by libfc_host_alloc(), it will be freed by
> scsi_host_put(). However, the if statement below label err0 only checks
> whether qedf is NULL but doesn't check whether the memory has been freed.
> So a UAF bug occurred.
> [...]

Applied to 6.0/scsi-fixes, thanks!

[1/1] scsi: qedf: Fix a UAF bug in __qedf_probe

Martin K. Petersen Oracle Linux Engineering
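
The error-path pattern described in the quoted commit message, as an added userland model (not the driver's code and not the applied patch). All names are hypothetical, the one-slot allocator stands in for the SCSI host allocation, and clearing the pointer after the put is an assumed mitigation shown only for contrast.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed userland model; none of these names are kernel or qedf APIs. */
struct ctx  { unsigned long flags; };
struct host { int refcount; struct ctx priv; };  /* ctx lives inside the host */
static struct host slot;     /* one-slot "allocator": freed memory stays inspectable */
static bool slot_live;
static int stale_accesses;

static struct host *host_alloc(void)
{
    memset(&slot, 0, sizeof(slot));
    slot.refcount = 1;
    slot_live = true;
    return &slot;
}

static void host_put(struct host *h)
{
    if (--h->refcount == 0) {
        memset(h, 0x6b, sizeof(*h));  /* poison: host and embedded ctx are gone */
        slot_live = false;
    }
}

static void ctx_clear_probing(struct ctx *c)
{
    if (!slot_live)
        stale_accesses++;    /* with a real allocator this write hits freed memory */
    c->flags &= ~1UL;
}

/* Models the failing probe path; returns the number of accesses to freed memory. */
static int probe_fail(bool clear_ptr_after_put)
{
    struct host *h = host_alloc();
    struct ctx *c = &h->priv;
    stale_accesses = 0;
    c->flags |= 1UL;         /* "probing" flag set */
    host_put(h);             /* err1: last reference dropped, ctx freed with host */
    if (clear_ptr_after_put)
        c = NULL;            /* assumed mitigation: forget the dangling pointer */
    if (c)                   /* err0: non-NULL does not mean still allocated */
        ctx_clear_probing(c);
    return stale_accesses;
}

int main(void) { return probe_fail(false) == 1 && probe_fail(true) == 0 ? 0 : 1; }
```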