diff options
author | Ben Widawsky <ben.widawsky@intel.com> | 2021-02-21 04:58:46 +0100 |
---|---|---|
committer | Dan Williams <dan.j.williams@intel.com> | 2021-02-22 23:44:39 +0100 |
commit | 88ff5d466c0250259818f3153dbdc4af1f8615dd (patch) | |
tree | 4ba72658fc8d8862b8b28188dc7d8ccf51e4c6d2 /drivers/cxl/mem.c | |
parent | cxl/mem: Return -EFAULT if copy_to_user() fails (diff) | |
download | linux-88ff5d466c0250259818f3153dbdc4af1f8615dd.tar.xz linux-88ff5d466c0250259818f3153dbdc4af1f8615dd.zip |
cxl/mem: Fix potential memory leak
When submitting a command for userspace, input and output payload bounce
buffers are allocated. For a given command, both input and output
buffers may exist and so when allocation of the input buffer fails, the
output buffer must be freed too.
As far as I can tell, userspace can't easily exploit the leak to OOM a
machine unless the machine was already near OOM state.
Fixes: 583fa5e71cae ("cxl/mem: Add basic IOCTL interface")
Reported-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Link: https://lore.kernel.org/r/20210221035846.680145-1-ben.widawsky@intel.com
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Diffstat (limited to 'drivers/cxl/mem.c')
-rw-r--r-- | drivers/cxl/mem.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c index df895bcca63a..244cb7d89678 100644 --- a/drivers/cxl/mem.c +++ b/drivers/cxl/mem.c @@ -514,8 +514,10 @@ static int handle_mailbox_cmd_from_user(struct cxl_mem *cxlm, if (cmd->info.size_in) { mbox_cmd.payload_in = vmemdup_user(u64_to_user_ptr(in_payload), cmd->info.size_in); - if (IS_ERR(mbox_cmd.payload_in)) + if (IS_ERR(mbox_cmd.payload_in)) { + kvfree(mbox_cmd.payload_out); return PTR_ERR(mbox_cmd.payload_in); + } } rc = cxl_mem_mbox_get(cxlm); |