PING! Any chance we could get this patch merged? Any objections? /Jesper Juhl On Thu, 6 Jan 2011, Jesper Juhl wrote: > > We leak in drivers/scsi/aacraid/commctrl.c::aac_send_raw_srb(). > > We allocate memory: > ... > struct user_sgmap* usg; > usg = kmalloc(actual_fibsize - sizeof(struct aac_srb) > + sizeof(struct sgmap), GFP_KERNEL); > and then neglect to free it: > ... > for (i = 0; i < usg->count; i++) { > u64 addr; > void* p; > if (usg->sg[i].count > > ((dev->adapter_info.options & > AAC_OPT_NEW_COMM) ? > (dev->scsi_host_ptr->max_sectors << 9) : > 65536)) { > rcode = -EINVAL; > goto cleanup; > ... this 'goto' makes 'usg' go out of scope and leak the memory we > allocated. > Other exits properly kfree(usg), it's just here it is > neglected. > > > Signed-off-by: Jesper Juhl <jj@xxxxxxxxxxxxx> > --- > commctrl.c | 1 + > 1 file changed, 1 insertion(+) > > Compile tested only, I don't have a way to test this properly, but I > think it's fairly obvious. > > diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c > index 645ddd9..33370fb 100644 > --- a/drivers/scsi/aacraid/commctrl.c > +++ b/drivers/scsi/aacraid/commctrl.c > @@ -649,6 +649,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) > AAC_OPT_NEW_COMM) ? > (dev->scsi_host_ptr->max_sectors << 9) : > 65536)) { > + kfree(usg); > rcode = -EINVAL; > goto cleanup; > } > > > > -- Jesper Juhl <jj@xxxxxxxxxxxxx> http://www.chaosbits.net/ Plain text mails only, please. Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
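Review bot: The added kfree(usg) in the -EINVAL branch fixes this one exit, but freeing inline before "goto cleanup" leaves the same pattern that caused the leak. The changelog says the other exits each kfree(usg) themselves, so any later early exit added inside the loop can miss it again. Consider declaring usg at function scope initialised to NULL and freeing it once under the cleanup label (kfree(NULL) is a no-op), or adding a dedicated label that frees usg and then falls through to cleanup. Since the function takes a "void __user * arg" and the failing check is on usg->sg[i].count, it would also help for the changelog to say whether a caller can hit this path repeatedly with an oversized count, because that determines how much the leak matters. The patch is marked compile tested only, so an ack from someone who can exercise this error path on hardware would be worth having before merge.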