From: Fedor Pchelkin <pchelkin@ispras.ru>
To: Don Brace <don.brace@microchip.com>
Cc: Fedor Pchelkin <pchelkin@ispras.ru>,
	"James E.J. Bottomley" <jejb@linux.ibm.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	Alex Chiang <achiang@hp.com>,
	Mike Miller <mikem@beardog.cce.hp.com>,
	"Stephen M. Cameron" <scameron@beardog.cce.hp.com>,
	storagedev@microchip.com, linux-scsi@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Alexey Khoroshilov <khoroshilov@ispras.ru>,
	lvc-project@linuxtesting.org
Subject: [PATCH] scsi: hpsa: prevent memory leak in hpsa_big_passthru_ioctl
Date: Sat,  9 Dec 2023 14:18:56 +0300
Message-ID: <20231209111857.19393-1-pchelkin@ispras.ru>

In case copy_from_user() fails during the buffer allocation loop inside
hpsa_big_passthru_ioctl(), the last allocated buffer (accessed by the sg_used
index) is not freed on the cleanup1 error path, as the sg_used index has not
been incremented yet.

Free the last allocated buffer directly if copy_from_user() fails.

Found by Linux Verification Center (linuxtesting.org).

Fixes: edd163687ea5 ("[SCSI] hpsa: add driver for HP Smart Array controllers.")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
---
 drivers/scsi/hpsa.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index af18d20f3079..897f9ee3c004 100644
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -6536,6 +6536,7 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h,
 		if (ioc->Request.Type.Direction & XFER_WRITE) {
 			if (copy_from_user(buff[sg_used], data_ptr, sz)) {
 				status = -EFAULT;
+				kfree(buff[sg_used]);
 				goto cleanup1;
 			}
 		} else
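Review bot: In the copy_from_user() failure branch, the added kfree(buff[sg_used]) leaves a stale pointer in buff[sg_used] before jumping to cleanup1. That is safe only while cleanup1 frees nothing at or above sg_used, which is what the commit message describes. If the cleanup loop is ever widened, this becomes a double free. Consider setting buff[sg_used] = NULL right after the kfree(), or keeping all frees in cleanup1 so ownership of the buffers stays in one place. A short comment here saying why this one entry is freed inline would also help the next reader, since the reason (sg_used not yet incremented) is not visible in this branch.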
-- 
2.43.0

