[artful/linux trusty/linux 1/1] scsi: libsas: fix memory leak in sas_smp_get_phy_events()

Andy Whitcroft apw at canonical.com
Thu May 24 10:56:43 UTC 2018


From: Jason Yan <yanaijie at huawei.com>

We've got a memory leak with the following producer:

while true;
do cat /sys/class/sas_phy/phy-1:0:12/invalid_dword_count >/dev/null;
done

The buffer req is allocated and not freed after we return. Fix it.

Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
Signed-off-by: Jason Yan <yanaijie at huawei.com>
CC: John Garry <john.garry at huawei.com>
CC: chenqilin <chenqilin2 at huawei.com>
CC: chenxiang <chenxiang66 at hisilicon.com>
Reviewed-by: Christoph Hellwig <hch at lst.de>
Reviewed-by: Hannes Reinecke <hare at suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>

(cherry picked from commit 4a491b1ab11ca0556d2fda1ff1301e862a2d44c4)
CVE-2018-7757
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
 drivers/scsi/libsas/sas_expander.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
index 570b2cb2da43..1ecbea8db010 100644
--- a/drivers/scsi/libsas/sas_expander.c
+++ b/drivers/scsi/libsas/sas_expander.c
@@ -684,6 +684,7 @@ int sas_smp_get_phy_events(struct sas_phy *phy)
 	phy->phy_reset_problem_count = scsi_to_u32(&resp[24]);
 
  out:
+	kfree(req);
 	kfree(resp);
 	return res;
 
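Review bot: At the out: label, the added kfree(req) closes the leak only for paths that actually reach out:, and this hunk's context does not show where req and resp are allocated or whether any earlier error path returns directly. It is worth confirming against the full function that every exit after the req allocation jumps to out: rather than returning. Since kfree() accepts NULL, no guard is needed around the new call if a failed allocation also lands here. The commit message could also say that the reproducer is a plain read of a sysfs attribute and that each read leaks one req buffer, which is what makes this worth the CVE-2018-7757 backport.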
-- 
2.17.0




