author: Ben Widawsky <ben.widawsky@intel.com> 2021-02-21 04:58:46 +0100
committer: Dan Williams <dan.j.williams@intel.com> 2021-02-22 23:44:39 +0100
commit: 88ff5d466c0250259818f3153dbdc4af1f8615dd (patch)
tree: 4ba72658fc8d8862b8b28188dc7d8ccf51e4c6d2 /drivers/cxl/mem.c
parent: cxl/mem: Return -EFAULT if copy_to_user() fails
cxl/mem: Fix potential memory leak

When submitting a command for userspace, input and output payload bounce buffers are allocated. For a given command, both input and output buffers may exist and so when allocation of the input buffer fails, the output buffer must be freed too.

As far as I can tell, userspace can't easily exploit the leak to OOM a machine unless the machine was already near OOM state.

Fixes: 583fa5e71cae ("cxl/mem: Add basic IOCTL interface")
Reported-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Link: https://lore.kernel.org/r/20210221035846.680145-1-ben.widawsky@intel.com
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Diffstat (limited to 'drivers/cxl/mem.c')
-rw-r--r-- drivers/cxl/mem.c 4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c
index df895bcca63a..244cb7d89678 100644
--- a/drivers/cxl/mem.c
+++ b/drivers/cxl/mem.c
@@ -514,8 +514,10 @@ static int handle_mailbox_cmd_from_user(struct cxl_mem *cxlm,
if (cmd->info.size_in) {
mbox_cmd.payload_in = vmemdup_user(u64_to_user_ptr(in_payload),
cmd->info.size_in);
- if (IS_ERR(mbox_cmd.payload_in))
+ if (IS_ERR(mbox_cmd.payload_in)) {
+ kvfree(mbox_cmd.payload_out);
return PTR_ERR(mbox_cmd.payload_in);
+ }
}
rc = cxl_mem_mbox_get(cxlm);
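Review bot: The new kvfree(mbox_cmd.payload_out) in the IS_ERR(mbox_cmd.payload_in) branch relies on payload_out being either NULL or a live allocation at that point, and the hunk does not show how payload_out is set when the command has no output buffer. kvfree(NULL) is a no-op, so the call is safe only if mbox_cmd is zero-initialized or payload_out is assigned before this block; please confirm that, or say so in a short comment. The next visible step, rc = cxl_mem_mbox_get(cxlm), returns a status while both buffers are held, so consider a single cleanup label that frees payload_in and payload_out, letting every error path after the allocations unwind the same way rather than repeating the free inline.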