When kzalloc() fails, megasas_alloc_cmdlist_fusion will free fusion->cmd_list and its array elements. However, the caller megasas_alloc_cmds_fusion() will call megasas_free_cmds_fusion() on the same failure, which tries to free fusion->cmd_list again and leads to a use-after-free. Fix this by setting fusion->cmd_list to NULL after kfree(). Fixes: 70c54e210ee9 ("scsi: megaraid_sas: fix memleak in megasas_alloc_cmdlist_fusion") Signed-off-by: Dinghao Liu <dinghao.liu@xxxxxxxxxx> --- drivers/scsi/megaraid/megaraid_sas_fusion.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c index c60014e07b44..a47735e64624 100644 --- a/drivers/scsi/megaraid/megaraid_sas_fusion.c +++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c @@ -613,6 +613,7 @@ megasas_alloc_cmdlist_fusion(struct megasas_instance *instance) for (j = 0; j < i; j++) kfree(fusion->cmd_list[j]); kfree(fusion->cmd_list); + fusion->cmd_list = NULL; dev_err(&instance->pdev->dev, "Failed from %s %d\n", __func__, __LINE__); return -ENOMEM; -- 2.17.1
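Review bot: Setting fusion->cmd_list to NULL only helps if megasas_free_cmds_fusion() actually tests the pointer before walking and freeing its elements, and that guard is not visible in this hunk; the commit message should state that the caller checks fusion->cmd_list for NULL (or, if it does not, the patch needs to add that check), because otherwise the double kfree() is merely traded for a NULL dereference in the error path. Also consider tightening the description: what the caller does on the second kfree(fusion->cmd_list) is a double free, and the use-after-free is the caller's walk over the already freed array ("kfree(fusion->cmd_list[j])" on stale memory); naming both makes the "Fixes:" reasoning easier to follow for the stable maintainers.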