[artful/linux,trusty/linux,1/1] scsi: libsas: fix memory leak in sas_smp_get_phy_events()
diff mbox series

Message ID 20180524105643.10428-2-apw@canonical.com
State New
Headers show
Series
  • [artful/linux,trusty/linux,1/1] scsi: libsas: fix memory leak in sas_smp_get_phy_events()
Related show

Commit Message

Andy Whitcroft May 24, 2018, 10:56 a.m. UTC
From: Jason Yan <yanaijie@huawei.com>

We've got a memory leak with the following producer:

while true;
do cat /sys/class/sas_phy/phy-1:0:12/invalid_dword_count >/dev/null;
done

The buffer req is allocated and not freed after we return. Fix it.

Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
Signed-off-by: Jason Yan <yanaijie@huawei.com>
CC: John Garry <john.garry@huawei.com>
CC: chenqilin <chenqilin2@huawei.com>
CC: chenxiang <chenxiang66@hisilicon.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

(cherry picked from commit 4a491b1ab11ca0556d2fda1ff1301e862a2d44c4)
CVE-2018-7757
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 drivers/scsi/libsas/sas_expander.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Stefan Bader June 4, 2018, 10:06 p.m. UTC | #1
On 24.05.2018 03:56, Andy Whitcroft wrote:
> From: Jason Yan <yanaijie@huawei.com>
> 
> We've got a memory leak with the following producer:
> 
> while true;
> do cat /sys/class/sas_phy/phy-1:0:12/invalid_dword_count >/dev/null;
> done
> 
> The buffer req is allocated and not freed after we return. Fix it.
> 
> Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
> Signed-off-by: Jason Yan <yanaijie@huawei.com>
> CC: John Garry <john.garry@huawei.com>
> CC: chenqilin <chenqilin2@huawei.com>
> CC: chenxiang <chenxiang66@hisilicon.com>
> Reviewed-by: Christoph Hellwig <hch@lst.de>
> Reviewed-by: Hannes Reinecke <hare@suse.com>
> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
> 
> (cherry picked from commit 4a491b1ab11ca0556d2fda1ff1301e862a2d44c4)
> CVE-2018-7757
> Signed-off-by: Andy Whitcroft <apw@canonical.com>

Acked-by: Stefan Bader <stefan.bader@canonical.com>

> ---
>  drivers/scsi/libsas/sas_expander.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
> index 570b2cb2da43..1ecbea8db010 100644
> --- a/drivers/scsi/libsas/sas_expander.c
> +++ b/drivers/scsi/libsas/sas_expander.c
> @@ -684,6 +684,7 @@ int sas_smp_get_phy_events(struct sas_phy *phy)
>  	phy->phy_reset_problem_count = scsi_to_u32(&resp[24]);
>  
>   out:
> +	kfree(req);
>  	kfree(resp);
>  	return res;
>  
>

Patch
diff mbox series

diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
index 570b2cb2da43..1ecbea8db010 100644
--- a/drivers/scsi/libsas/sas_expander.c
+++ b/drivers/scsi/libsas/sas_expander.c
@@ -684,6 +684,7 @@  int sas_smp_get_phy_events(struct sas_phy *phy)
 	phy->phy_reset_problem_count = scsi_to_u32(&resp[24]);
 
  out:
+	kfree(req);
 	kfree(resp);
 	return res;