| Message ID | 20221122015751.87284-1-yuancan@huawei.com |
|---|---|
| State | New |
| Headers | show |
| Series | scsi: hpsa: Fix possible memory leak in hpsa_init_one() | expand |
On Tue, Nov 22, 2022 at 01:57:51AM +0000, Yuan Can wrote: > The hpda_alloc_ctlr_info() allocates h and its field reply_map, however in > hpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to > clean1 directly, which frees h and leaks the h->reply_map. > Fix by calling hpda_free_ctlr_info() to release h->replay_map and h > instead free h directly. > > Fixes: 8b834bff1b73 ("scsi: hpsa: fix selection of reply queue") > Signed-off-by: Yuan Can <yuancan@huawei.com> > --- > drivers/scsi/hpsa.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c > index f8e832b1bc46..e5cbc97a5ea4 100644 > --- a/drivers/scsi/hpsa.c > +++ b/drivers/scsi/hpsa.c > @@ -8925,7 +8925,7 @@ static int hpsa_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) > destroy_workqueue(h->monitor_ctlr_wq); > h->monitor_ctlr_wq = NULL; > } > - kfree(h); > + hpda_free_ctlr_info(h); Reviewed-by: Ming Lei <ming.lei@redhat.com> Thanks, Ming
On Tue, 22 Nov 2022 01:57:51 +0000, Yuan Can wrote: > The hpda_alloc_ctlr_info() allocates h and its field reply_map, however in > hpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to > clean1 directly, which frees h and leaks the h->reply_map. > Fix by calling hpda_free_ctlr_info() to release h->replay_map and h > instead free h directly. > > > [...] Applied to 6.2/scsi-queue, thanks! [1/1] scsi: hpsa: Fix possible memory leak in hpsa_init_one() https://git.kernel.org/mkp/scsi/c/9c9ff300e0de
diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c index f8e832b1bc46..e5cbc97a5ea4 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c @@ -8925,7 +8925,7 @@ static int hpsa_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) destroy_workqueue(h->monitor_ctlr_wq); h->monitor_ctlr_wq = NULL; } - kfree(h); + hpda_free_ctlr_info(h); return rc; }
The hpda_alloc_ctlr_info() allocates h and its field reply_map, however in hpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to clean1 directly, which frees h and leaks the h->reply_map. Fix by calling hpda_free_ctlr_info() to release h->replay_map and h instead free h directly. Fixes: 8b834bff1b73 ("scsi: hpsa: fix selection of reply queue") Signed-off-by: Yuan Can <yuancan@huawei.com> --- drivers/scsi/hpsa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)