stable.vger.kernel.org archive mirror
* [PATCH RESEND] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()
@ 2025-09-19  9:26 Thorsten Blum
  2025-09-24 13:43 ` Don.Brace
  2025-09-25  1:28 ` Martin K. Petersen
  0 siblings, 2 replies; 3+ messages in thread
From: Thorsten Blum @ 2025-09-19  9:26 UTC (permalink / raw)
  To: Don Brace, James E.J. Bottomley, Martin K. Petersen, Mike Miller,
	James Bottomley, Andrew Morton, Alex Chiang, Stephen M. Cameron
  Cc: Thorsten Blum, stable, storagedev, linux-scsi, linux-kernel

Replace kmalloc() followed by copy_from_user() with memdup_user() to fix
a memory leak that occurs when copy_from_user(buff[sg_used],,) fails and
the 'cleanup1:' path does not free the memory for 'buff[sg_used]'. Using
memdup_user() avoids this by freeing the memory internally.

Since memdup_user() already allocates memory, use kzalloc() in the else
branch instead of manually zeroing 'buff[sg_used]' using memset(0).

Cc: stable@vger.kernel.org
Fixes: edd163687ea5 ("[SCSI] hpsa: add driver for HP Smart Array controllers.")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
 drivers/scsi/hpsa.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index c73a71ac3c29..1c6161d0b85c 100644
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -6522,18 +6522,21 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h,
 	while (left) {
 		sz = (left > ioc->malloc_size) ? ioc->malloc_size : left;
 		buff_size[sg_used] = sz;
-		buff[sg_used] = kmalloc(sz, GFP_KERNEL);
-		if (buff[sg_used] == NULL) {
-			status = -ENOMEM;
-			goto cleanup1;
-		}
+
 		if (ioc->Request.Type.Direction & XFER_WRITE) {
-			if (copy_from_user(buff[sg_used], data_ptr, sz)) {
-				status = -EFAULT;
+			buff[sg_used] = memdup_user(data_ptr, sz);
+			if (IS_ERR(buff[sg_used])) {
+				status = PTR_ERR(buff[sg_used]);
 				goto cleanup1;
 			}
-		} else
-			memset(buff[sg_used], 0, sz);
+		} else {
+			buff[sg_used] = kzalloc(sz, GFP_KERNEL);
+			if (!buff[sg_used]) {
+				status = -ENOMEM;
+				goto cleanup1;
+			}
+		}
+
 		left -= sz;
 		data_ptr += sz;
 		sg_used++;
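Review bot: In the XFER_WRITE branch, the failure path jumps to cleanup1 with an ERR_PTR value still stored in buff[sg_used]. That is safe only because, as the commit message states, cleanup1 does not free buff[sg_used]; if the cleanup is ever extended to cover that slot, it would hand an error pointer to kfree(). Consider assigning the memdup_user() result to a local pointer and storing it in buff[sg_used] only on success, or setting buff[sg_used] = NULL before the goto, so the array never holds anything other than NULL or a valid allocation.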
-- 
2.51.0



* Re: [PATCH RESEND] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()
  2025-09-19  9:26 [PATCH RESEND] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() Thorsten Blum
@ 2025-09-24 13:43 ` Don.Brace
  2025-09-25  1:28 ` Martin K. Petersen
  1 sibling, 0 replies; 3+ messages in thread
From: Don.Brace @ 2025-09-24 13:43 UTC (permalink / raw)
  To: thorsten.blum, James.Bottomley, martin.petersen, mikem,
	James.Bottomley, akpm, achiang, scameron
  Cc: stable, storagedev, linux-scsi, linux-kernel


________________________________________
From: Thorsten Blum <thorsten.blum@linux.dev>
Sent: Friday, September 19, 2025 4:26 AM
To: Don Brace - C33706 <Don.Brace@microchip.com>; James E.J. Bottomley <James.Bottomley@HansenPartnership.com>; Martin K. Petersen <martin.petersen@oracle.com>; Mike Miller <mikem@beardog.cce.hp.com>; James Bottomley <James.Bottomley@suse.de>; Andrew Morton <akpm@linux-foundation.org>; Alex Chiang <achiang@hp.com>; Stephen M. Cameron <scameron@beardog.cce.hp.com>
Cc: Thorsten Blum <thorsten.blum@linux.dev>; stable@vger.kernel.org <stable@vger.kernel.org>; storagedev <storagedev@microchip.com>; linux-scsi@vger.kernel.org <linux-scsi@vger.kernel.org>; linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org>
Subject: [PATCH RESEND] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()
 

Replace kmalloc() followed by copy_from_user() with memdup_user() to fix
a memory leak that occurs when copy_from_user(buff[sg_used],,) fails and
the 'cleanup1:' path does not free the memory for 'buff[sg_used]'. Using
memdup_user() avoids this by freeing the memory internally.

Since memdup_user() already allocates memory, use kzalloc() in the else
branch instead of manually zeroing 'buff[sg_used]' using memset(0).

Cc: stable@vger.kernel.org
Fixes: edd163687ea5 ("[SCSI] hpsa: add driver for HP Smart Array controllers.")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>

Acked-By: Don Brace <don.brace@microchip.com>

Thanks for your patch.


* Re: [PATCH RESEND] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()
  2025-09-19  9:26 [PATCH RESEND] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() Thorsten Blum
  2025-09-24 13:43 ` Don.Brace
@ 2025-09-25  1:28 ` Martin K. Petersen
  1 sibling, 0 replies; 3+ messages in thread
From: Martin K. Petersen @ 2025-09-25  1:28 UTC (permalink / raw)
  To: Thorsten Blum
  Cc: Don Brace, James E.J. Bottomley, Martin K. Petersen, Mike Miller,
	James Bottomley, Andrew Morton, Alex Chiang, Stephen M. Cameron,
	stable, storagedev, linux-scsi, linux-kernel


Thorsten,

> Replace kmalloc() followed by copy_from_user() with memdup_user() to
> fix a memory leak that occurs when copy_from_user(buff[sg_used],,)
> fails and the 'cleanup1:' path does not free the memory for
> 'buff[sg_used]'. Using memdup_user() avoids this by freeing the memory
> internally.
>
> Since memdup_user() already allocates memory, use kzalloc() in the
> else branch instead of manually zeroing 'buff[sg_used]' using
> memset(0).

Applied to 6.18/scsi-staging, thanks!

-- 
Martin K. Petersen
