lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 May 2019 21:06:26 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-kernel@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org, Yufen Yu <yuyufen@...wei.com>, Martin Wilck <mwilck@...e.com>, Mike Snitzer <snitzer@...hat.com> Subject: [PATCH 5.0 098/139] dm mpath: always free attached_handler_name in parse_path() From: Martin Wilck <mwilck@...e.com> commit 940bc471780b004a5277c1931f52af363c2fc9da upstream. Commit b592211c33f7 ("dm mpath: fix attached_handler_name leak and dangling hw_handler_name pointer") fixed a memory leak for the case where setup_scsi_dh() returns failure. But setup_scsi_dh may return success and not "use" attached_handler_name if the retain_attached_hwhandler flag is not set on the map. As setup_scsi_sh properly "steals" the pointer by nullifying it, freeing it unconditionally in parse_path() is safe. Fixes: b592211c33f7 ("dm mpath: fix attached_handler_name leak and dangling hw_handler_name pointer") Cc: stable@...r.kernel.org Reported-by: Yufen Yu <yuyufen@...wei.com> Signed-off-by: Martin Wilck <mwilck@...e.com> Signed-off-by: Mike Snitzer <snitzer@...hat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> --- drivers/md/dm-mpath.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/md/dm-mpath.c +++ b/drivers/md/dm-mpath.c @@ -882,6 +882,7 @@ static struct pgpath *parse_path(struct if (attached_handler_name || m->hw_handler_name) { INIT_DELAYED_WORK(&p->activate_path, activate_path_work); r = setup_scsi_dh(p->path.dev->bdev, m, &attached_handler_name, &ti->error); + kfree(attached_handler_name); if (r) { dm_put_device(ti, p->path.dev); goto bad; @@ -896,7 +897,6 @@ static struct pgpath *parse_path(struct return p; bad: - kfree(attached_handler_name); free_pgpath(p); return ERR_PTR(r); }
Powered by blists - more mailing lists