In case copy_from_user() fails during the buffers allocating loop inside hpsa_big_passthru_ioctl(), the last allocated buffer (accessed by sg_used index) is not freed on cleanup1 error path as sg_used index has not been incremented yet. Free the last allocated buffer directly if copy_from_user() fails. Found by Linux Verification Center (linuxtesting.org). Fixes: edd163687ea5 ("[SCSI] hpsa: add driver for HP Smart Array controllers.") Signed-off-by: Fedor Pchelkin <pchelkin@xxxxxxxxx> --- drivers/scsi/hpsa.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c index af18d20f3079..897f9ee3c004 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c @@ -6536,6 +6536,7 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, if (ioc->Request.Type.Direction & XFER_WRITE) { if (copy_from_user(buff[sg_used], data_ptr, sz)) { status = -EFAULT; + kfree(buff[sg_used]); goto cleanup1; } } else -- 2.43.0
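Review bot: the added `kfree(buff[sg_used]);` in the XFER_WRITE failure branch leaves a stale pointer in `buff[sg_used]` before `goto cleanup1`, so the fix is only correct as long as cleanup1 never touches index sg_used, which is what the commit message describes but is not visible in this hunk. Following the free with `buff[sg_used] = NULL;` would keep the error path safe against a double free if the cleanup loop bound ever changes, since kfree(NULL) is a no-op. It is also worth confirming in the commit message that this copy_from_user() failure is the only exit between allocating `buff[sg_used]` and incrementing sg_used, so that no other path leaks the same buffer.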