Commit b8129659 authored by Thorsten Blum, committed by Martin K. Petersen

scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()



Replace kmalloc() followed by copy_from_user() with memdup_user() to fix
a memory leak that occurs when copy_from_user(buff[sg_used],,) fails and
the 'cleanup1:' path does not free the memory for 'buff[sg_used]'. Using
memdup_user() avoids this by freeing the memory internally.

Since memdup_user() already allocates memory, use kzalloc() in the else
branch instead of manually zeroing 'buff[sg_used]' using memset(0).

Cc: stable@vger.kernel.org
Fixes: edd16368 ("[SCSI] hpsa: add driver for HP Smart Array controllers.")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Acked-by: Don Brace <don.brace@microchip.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
parent 88e8acff
+12 −9
@@ -6517,18 +6517,21 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h,
	while (left) {
		sz = (left > ioc->malloc_size) ? ioc->malloc_size : left;
		buff_size[sg_used] = sz;
		buff[sg_used] = kmalloc(sz, GFP_KERNEL);
		if (buff[sg_used] == NULL) {
			status = -ENOMEM;

		if (ioc->Request.Type.Direction & XFER_WRITE) {
			buff[sg_used] = memdup_user(data_ptr, sz);
			if (IS_ERR(buff[sg_used])) {
				status = PTR_ERR(buff[sg_used]);
				goto cleanup1;
			}
		if (ioc->Request.Type.Direction & XFER_WRITE) {
			if (copy_from_user(buff[sg_used], data_ptr, sz)) {
				status = -EFAULT;
		} else {
			buff[sg_used] = kzalloc(sz, GFP_KERNEL);
			if (!buff[sg_used]) {
				status = -ENOMEM;
				goto cleanup1;
			}
		} else
			memset(buff[sg_used], 0, sz);
		}

		left -= sz;
		data_ptr += sz;
		sg_used++;
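
Review bot: in the XFER_WRITE branch, a failed memdup_user() leaves an ERR_PTR value stored in buff[sg_used] when control jumps to cleanup1. The commit message states that cleanup1 does not free buff[sg_used], so nothing frees or dereferences that value today, but the safety then depends on the cleanup loop never including the current index. Consider setting buff[sg_used] = NULL after taking PTR_ERR() and before the goto, so that a later change to cleanup1 cannot hand an error pointer to kfree().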