From: Oleg Drokin <green@linuxhacker.ru>
To: alan@redhat.com, linux-kernel@vger.kernel.org, Matt_Domsch@Dell.com
Subject: [2.4] Memleak/unchecked user access in Megaraid driver?
Date: Wed, 12 Mar 2003 23:59:35 +0300
Message-ID: <20030312205935.GA28556@linuxhacker.ru>
Hello!
Seems there is a memleak on the exit path and unchecked access to user addresses
in the megaraid driver from 2.4-current.
Probably something like the following patch should be applied (probably
somebody should review it first anyway; I do not have the ability to test it,
but it looks correct to me).
Found with the help of smatch + enhanced unfree script.
Bye,
Oleg
===== drivers/scsi/megaraid.c 1.21 vs edited =====
--- 1.21/drivers/scsi/megaraid.c Fri Dec 13 12:29:59 2002
+++ edited/drivers/scsi/megaraid.c Wed Mar 12 23:59:09 2003
@@ -4895,19 +4895,18 @@
if( kvaddr == NULL ) {
printk(KERN_WARNING "megaraid:allocation failed\n");
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,0) /*0x20400 */
- kfree(scsicmd);
-#else
- scsi_init_free((char *)scsicmd, sizeof(Scsi_Cmnd));
-#endif
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto out;
}
ioc.ui.fcs.buffer = kvaddr;
if (inlen) {
/* copyin the user data */
- copy_from_user(kvaddr, (char *)uaddr, length );
+ if (copy_from_user(kvaddr, (char *)uaddr, length )) {
+ ret = -EFAULT;
+ goto out;
+ }
}
}
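Review bot: In the kvaddr == NULL branch the explicit kfree(scsicmd) (and the scsi_init_free variant) is replaced by goto out, so everything after the out: label now has to release scsicmd on every path. The only cleanup visible after the label in this patch is the dma_free_consistent() call guarded by if (kvaddr). Please confirm that scsicmd is freed below that point for both kernel-version variants, or keep the free here before the jump; otherwise the allocation-failure path leaks scsicmd where it previously did not.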
@@ -4925,7 +4924,8 @@
if( !scsicmd->result && outlen ) {
if (copy_to_user(uaddr, kvaddr, length))
- return -EFAULT;
+ ret = -EFAULT;
+ goto out;
}
/*
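Review bot: The two lines replacing return -EFAULT under if (copy_to_user(uaddr, kvaddr, length)) have no braces, so goto out is not controlled by the if and runs every time the enclosing !scsicmd->result && outlen block is entered. A successful copy-out would then jump straight to out and skip the code in between, including the put_user of scsicmd->result shown in the next hunk. Wrap both statements in braces, as was done for the copy_from_user check: if (copy_to_user(uaddr, kvaddr, length)) { ret = -EFAULT; goto out; }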
@@ -4944,6 +4944,7 @@
put_user (scsicmd->result, &uioc->mbox[17]);
}
+out:
if (kvaddr) {
dma_free_consistent(pdevp, length, kvaddr, dma_addr);
}
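Review bot: With out: placed before the kvaddr cleanup, the error codes stored in ret only reach the caller if the function's final return becomes return ret, and no hunk here shows that change or a declaration of ret initialised to 0 for the success path. Please include both in the patch. Separately, the put_user (scsicmd->result, &uioc->mbox[17]) just above the label still ignores its return value, which is the same kind of unchecked user access this patch sets out to fix; it should set ret = -EFAULT on failure as well.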