| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Apr 2012 12:14:25 -0400
From: David Jeffery <dhjeffery@...il.com>
To: linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] scsi: memory leak with 1MB tape I/O
There is a memory leak in the st driver when sending large enough reads or
writes using st's direct I/O path. As part of mapping the application's
memory, a buffer to hold page pointers is allocated and the count of mapped
pages is stored in field do_dio. A non-zero do_dio marks that direct I/O is
in use.
But do_dio is only 1 byte in size. Mapping 256 4k pages overflows
do_dio and causes it to be set to 0, like direct I/O option was not
used. When the I/O completes, the buffer to hold the page pointers is
not freed, and the page counts of the mapped pages are not reduced.
Every I/O of this size then leaks memory.
The size of do_dio needs to be increased to prevent it wrapping around.
signed-off-by: David Jeffery <djeffery@...hat.com>
---
--- a/drivers/scsi/st.h 2012-04-10 13:21:30.000000000 -0400
+++ b/drivers/scsi/st.h 2012-04-10 14:55:43.000000000 -0400
@@ -35,8 +35,8 @@
/* The tape buffer descriptor. */
struct st_buffer {
unsigned char dma; /* DMA-able buffer */
- unsigned char do_dio; /* direct i/o set up? */
unsigned char cleared; /* internal buffer cleared after open? */
+ unsigned short do_dio; /* direct i/o set up? */
int buffer_size;
int buffer_blocks;
int buffer_bytes;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists