Message ID | 20200920075722.376644-1-christophe.jaillet@wanadoo.fr (mailing list archive)
---|---
State | New, archived
Series | scsi: pmcraid: Fix memory allocation in 'pmcraid_alloc_sglist()'
> When the scatter list is allocated in 'pmcraid_alloc_sglist()', the
> corresponding pointer should be stored in 'scatterlist' within the
> 'pmcraid_sglist' structure. Otherwise, 'scatterlist' is NULL.
>
> This leads to a potential memory leak and NULL pointer dereference.
> Fixes: ed4414cef2ad ("scsi: pmcraid: Use sgl_alloc_order() and sgl_free_order()")

This does indeed look odd. Bart?
diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c index d99568fdf4af..00e155c88f03 100644 --- a/drivers/scsi/pmcraid.c +++ b/drivers/scsi/pmcraid.c @@ -3230,8 +3230,9 @@ static struct pmcraid_sglist *pmcraid_alloc_sglist(int buflen) return NULL; sglist->order = order; - sgl_alloc_order(buflen, order, false, - GFP_KERNEL | GFP_DMA | __GFP_ZERO, &sglist->num_sg); + sglist->scatterlist = sgl_alloc_order(buflen, order, false, + GFP_KERNEL | GFP_DMA | __GFP_ZERO, + &sglist->num_sg); return sglist; }
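Review bot: the new assignment stores the sgl_alloc_order() return value but never checks it, so when the scatter-list allocation fails the function still returns a non-NULL sglist whose scatterlist member is NULL, which is the very dereference this patch sets out to prevent, and the sglist structure allocated just above (the preceding `return NULL;` guards that allocation) is never released. Suggest adding, right after the assignment, `if (!sglist->scatterlist) { kfree(sglist); return NULL; }` (kfree() assuming the structure came from kzalloc/kmalloc), so that every failure path of pmcraid_alloc_sglist() yields NULL and leaks nothing.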
When the scatter list is allocated in 'pmcraid_alloc_sglist()', the corresponding pointer should be stored in 'scatterlist' within the 'pmcraid_sglist' structure. Otherwise, 'scatterlist' is NULL.

This leads to a potential memory leak and NULL pointer dereference.

Fixes: ed4414cef2ad ("scsi: pmcraid: Use sgl_alloc_order() and sgl_free_order()")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
---
This patch is completely speculative and untested.

Should it be correct, I think that there should be some trouble somewhere. Either NULL pointer dereference or incorrect behavior.

The patch that introduced this potential bug is 2 1/2 years old. This should have been spotted earlier. So unless this driver is mostly unused, this looks odd to me.

Feedback appreciated.
---
 drivers/scsi/pmcraid.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
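The defect the commit message describes, the allocator's result being dropped so that 'scatterlist' stays NULL and the buffer leaks, as an added user-space model (this is not the pmcraid driver's or the kernel's code): the kernel's sgl_alloc_order() is replaced by a hypothetical stand-in, model_sgl_alloc(), that can be forced to fail, and the buggy allocator is shown beside a corrected one. The struct layout, function names and page-size arithmetic are assumptions made for the model.

```c
/* Added example, not the pmcraid driver's code: a user-space model of the
 * defect. sgl_alloc_order() is replaced by a hypothetical stand-in,
 * model_sgl_alloc(), that can be made to fail so the error path is exercised. */
#include <stdlib.h>

struct model_sglist {
    int order;
    int num_sg;
    void *scatterlist;      /* stays NULL if the allocator's result is dropped */
};

static int live_allocations;    /* outstanding scatter-list buffers */
static int fail_next_alloc;     /* 1 = make the next model_sgl_alloc() fail */

/* Stand-in for sgl_alloc_order(): a zeroed buffer, or NULL on failure. */
static void *model_sgl_alloc(int buflen, int *num_sg)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    *num_sg = (buflen + 4095) / 4096;   /* one entry per 4 KiB page (model) */
    live_allocations++;
    return calloc(1, buflen);
}

static void model_sgl_free(void *p)
{
    if (p) { free(p); live_allocations--; }
}

/* 'Before' the patch: the returned pointer is discarded, so scatterlist stays
 * NULL (a caller that trusts the object dereferences NULL) and the buffer leaks. */
static struct model_sglist *alloc_sglist_buggy(int buflen)
{
    struct model_sglist *sglist = calloc(1, sizeof(*sglist));
    if (!sglist)
        return NULL;
    sglist->order = 0;
    model_sgl_alloc(buflen, &sglist->num_sg);   /* result dropped */
    return sglist;
}

/* 'After': store the pointer, and also handle allocator failure so the
 * caller never receives a half-built object. */
static struct model_sglist *alloc_sglist_fixed(int buflen)
{
    struct model_sglist *sglist = calloc(1, sizeof(*sglist));
    if (!sglist)
        return NULL;
    sglist->order = 0;
    sglist->scatterlist = model_sgl_alloc(buflen, &sglist->num_sg);
    if (!sglist->scatterlist) {
        free(sglist);       /* release the container too, not just bail out */
        return NULL;
    }
    return sglist;
}

static void free_sglist(struct model_sglist *sglist)
{
    if (!sglist)
        return;
    model_sgl_free(sglist->scatterlist);
    free(sglist);
}

/* 1 if the buggy version leaves scatterlist NULL and leaks one buffer. */
int demo_buggy_leaks(void)
{
    struct model_sglist *s; int null_member;
    live_allocations = 0;
    s = alloc_sglist_buggy(8192);
    null_member = (s != NULL && s->scatterlist == NULL);
    free_sglist(s);                     /* cannot free what was never stored */
    return null_member && live_allocations == 1;
}

/* 1 if the fixed version stores the pointer and frees cleanly. */
int demo_fixed_ok(void)
{
    struct model_sglist *s; int ok;
    live_allocations = 0;
    s = alloc_sglist_fixed(8192);
    ok = (s != NULL && s->scatterlist != NULL && s->num_sg == 2);
    free_sglist(s);
    return ok && live_allocations == 0;
}

/* 1 if the fixed version returns NULL, leaking nothing, when the allocator fails. */
int demo_fixed_failure_path(void)
{
    live_allocations = 0;
    fail_next_alloc = 1;
    return alloc_sglist_fixed(8192) == NULL && live_allocations == 0;
}
```

The fixed variant goes one step beyond the hunk itself by checking the allocator's return value; in the driver the equivalent is freeing the sglist structure and returning NULL when sgl_alloc_order() fails, so the function has exactly two outcomes: a fully built object or NULL.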