From patchwork Tue Mar 7 16:58:21 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg Kroah-Hartman X-Patchwork-Id: 13164308 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A1015C6FD1B for ; Tue, 7 Mar 2023 17:50:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232287AbjCGRus (ORCPT ); Tue, 7 Mar 2023 12:50:48 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36568 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231922AbjCGRuY (ORCPT ); Tue, 7 Mar 2023 12:50:24 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 31808A0296; Tue, 7 Mar 2023 09:45:24 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id C2FC5614E8; Tue, 7 Mar 2023 17:45:23 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B75CEC433EF; Tue, 7 Mar 2023 17:45:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1678211123; bh=eZhh6BSFQ1k6BW1csQ0X36HHVeHgWxg0M5U+VtotJqY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=b1RXqCRggUynjMgz4L0pMspKQhydFmiEEDLdbxFZYVX+ACrpts+KdfanYIp4ZNDbW QSWuoGibFBKLsS/A1r28uTbJlGkELrXpTa8Y7Ov+HjSxvL7vG+cSQ5Qh6OZCUgly25 X5MWPiSPs5TGjkS7iKwwRh3PIVCG14yDaD4hA7Ts= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Karan Tilak Kumar , Sesidhar Baddela , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, Sasha Levin Subject: [PATCH 6.2 0729/1001] scsi: snic: Fix memory leak with using debugfs_lookup() Date: Tue, 7 Mar 2023 17:58:21 +0100 Message-Id: <20230307170053.340405583@linuxfoundation.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230307170022.094103862@linuxfoundation.org> References: <20230307170022.094103862@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org From: Greg Kroah-Hartman [ Upstream commit ad0e4e2fab928477f74d742e6e77d79245d3d3e7 ] When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic at once. Link: https://lore.kernel.org/r/20230202141009.2290380-1-gregkh@linuxfoundation.org Cc: Karan Tilak Kumar Cc: Sesidhar Baddela Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-scsi@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin --- drivers/scsi/snic/snic_debugfs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/snic/snic_debugfs.c b/drivers/scsi/snic/snic_debugfs.c index 57bdc3ba49d9c..9dd975b36b5bd 100644 --- a/drivers/scsi/snic/snic_debugfs.c +++ b/drivers/scsi/snic/snic_debugfs.c @@ -437,6 +437,6 @@ void snic_trc_debugfs_init(void) void snic_trc_debugfs_term(void) { - debugfs_remove(debugfs_lookup(TRC_FILE, snic_glob->trc_root)); - debugfs_remove(debugfs_lookup(TRC_ENABLE_FILE, snic_glob->trc_root)); + debugfs_lookup_and_remove(TRC_FILE, snic_glob->trc_root); + debugfs_lookup_and_remove(TRC_ENABLE_FILE, snic_glob->trc_root); } From patchwork Tue Mar 7 17:02:08 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg Kroah-Hartman X-Patchwork-Id: 13164400 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AD689C678DB for ; Tue, 7 Mar 2023 18:02:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231539AbjCGSC4 (ORCPT ); Tue, 7 Mar 2023 13:02:56 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38088 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230336AbjCGSCW (ORCPT ); Tue, 7 Mar 2023 13:02:22 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EAE839E674; Tue, 7 Mar 2023 09:55:34 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 80B03B819BB; Tue, 7 Mar 2023 17:55:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A2E18C4339C; Tue, 7 Mar 2023 17:55:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1678211731; bh=/xNUOV8MXagFoEZDWelMGgjc9KitwzbVM0aTRRWUHOI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JeEZCUSfbb3glFIkFssjZxDq0R7pLpMqtBvuvEVKolaVhwYMCHygT6zDHPMpIRHHD r+Yxu79kZcd+iLsWF3g6Ck3tOlBEpDvKcUgCNQE6yUnlIFWyMaJS1cOLRcd1SDgiXV r0e8m015E7sDHckXMLmCsfwkBWKwh+y6pjmYcN00= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Bart Van Assche , Hannes Reinecke , Himanshu Madhani , Adaptec OEM Raid Solutions , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, Kees Cook , Vegard Nossum Subject: [PATCH 6.2 0956/1001] scsi: aacraid: Allocate cmd_priv with scsicmd Date: Tue, 7 Mar 2023 18:02:08 +0100 Message-Id: <20230307170103.651083148@linuxfoundation.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230307170022.094103862@linuxfoundation.org> References: <20230307170022.094103862@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org From: Kees Cook commit 7ab734fc759828707dae22fe48b1eb4dcf70beea upstream. The aac_priv() helper assumes that the private cmd area immediately follows struct scsi_cmnd. Allocate this space as part of scsicmd, else there is a risk of heap overflow. Seen with GCC 13: ../drivers/scsi/aacraid/aachba.c: In function 'aac_probe_container': ../drivers/scsi/aacraid/aachba.c:841:26: warning: array subscript 16 is outside array bounds of 'void[392]' [-Warray-bounds=] 841 | status = cmd_priv->status; | ^~ In file included from ../include/linux/resource_ext.h:11, from ../include/linux/pci.h:40, from ../drivers/scsi/aacraid/aachba.c:22: In function 'kmalloc', inlined from 'kzalloc' at ../include/linux/slab.h:720:9, inlined from 'aac_probe_container' at ../drivers/scsi/aacraid/aachba.c:821:30: ../include/linux/slab.h:580:24: note: at offset 392 into object of size 392 allocated by 'kmalloc_trace' 580 | return kmalloc_trace( | ^~~~~~~~~~~~~~ 581 | kmalloc_caches[kmalloc_type(flags)][index], | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 582 | flags, size); | ~~~~~~~~~~~~ Fixes: 76a3451b64c6 ("scsi: aacraid: Move the SCSI pointer to private command data") Link: https://lore.kernel.org/r/20230128000409.never.976-kees@kernel.org Cc: Bart Van Assche Cc: Hannes Reinecke Cc: Himanshu Madhani Cc: Adaptec OEM Raid Solutions Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-scsi@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Vegard Nossum Reviewed-by: Hannes Reinecke Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/aacraid/aachba.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/drivers/scsi/aacraid/aachba.c +++ b/drivers/scsi/aacraid/aachba.c @@ -818,8 +818,8 @@ static void aac_probe_container_scsi_don int aac_probe_container(struct aac_dev *dev, int cid) { - struct scsi_cmnd *scsicmd = kzalloc(sizeof(*scsicmd), GFP_KERNEL); - struct aac_cmd_priv *cmd_priv = aac_priv(scsicmd); + struct aac_cmd_priv *cmd_priv; + struct scsi_cmnd *scsicmd = kzalloc(sizeof(*scsicmd) + sizeof(*cmd_priv), GFP_KERNEL); struct scsi_device *scsidev = kzalloc(sizeof(*scsidev), GFP_KERNEL); int status; @@ -838,6 +838,7 @@ int aac_probe_container(struct aac_dev * while (scsicmd->device == scsidev) schedule(); kfree(scsidev); + cmd_priv = aac_priv(scsicmd); status = cmd_priv->status; kfree(scsicmd); return status;