From: Thorsten Blum Date: Fri, 19 Sep 2025 09:26:37 +0000 (+0200) Subject: scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() X-Git-Tag: v6.18-rc1~100^2~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b81296591c567b12d3873b05a37b975707959b94;p=thirdparty%2Fkernel%2Fstable.git scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() Replace kmalloc() followed by copy_from_user() with memdup_user() to fix a memory leak that occurs when copy_from_user(buff[sg_used],,) fails and the 'cleanup1:' path does not free the memory for 'buff[sg_used]'. Using memdup_user() avoids this by freeing the memory internally. Since memdup_user() already allocates memory, use kzalloc() in the else branch instead of manually zeroing 'buff[sg_used]' using memset(0). Cc: stable@vger.kernel.org Fixes: edd163687ea5 ("[SCSI] hpsa: add driver for HP Smart Array controllers.") Signed-off-by: Thorsten Blum Acked-by: Don Brace Signed-off-by: Martin K. Petersen --- diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c index 8738ad7572354..1f917e882ae45 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c @@ -6517,18 +6517,21 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, while (left) { sz = (left > ioc->malloc_size) ? ioc->malloc_size : left; buff_size[sg_used] = sz; - buff[sg_used] = kmalloc(sz, GFP_KERNEL); - if (buff[sg_used] == NULL) { - status = -ENOMEM; - goto cleanup1; - } + if (ioc->Request.Type.Direction & XFER_WRITE) { - if (copy_from_user(buff[sg_used], data_ptr, sz)) { - status = -EFAULT; + buff[sg_used] = memdup_user(data_ptr, sz); + if (IS_ERR(buff[sg_used])) { + status = PTR_ERR(buff[sg_used]); goto cleanup1; } - } else - memset(buff[sg_used], 0, sz); + } else { + buff[sg_used] = kzalloc(sz, GFP_KERNEL); + if (!buff[sg_used]) { + status = -ENOMEM; + goto cleanup1; + } + } + left -= sz; data_ptr += sz; sg_used++;