| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20210311103717.7523-1-colin.king@canonical.com>
Date: Thu, 11 Mar 2021 10:37:17 +0000
From: Colin King <colin.king@...onical.com>
To: Doug Gilbert <dgilbert@...erlog.com>,
"James E . J . Bottomley" <jejb@...ux.ibm.com>,
"Martin K . Petersen" <martin.petersen@...cle.com>,
Hannes Reinecke <hare@...e.de>, linux-scsi@...r.kernel.org
Cc: kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH][next] scsi: sg: Fix use of pointer sfp after it has been kfree'd
From: Colin Ian King <colin.king@...onical.com>
Currently SG_LOG is referencing sfp after it has been kfree'd which
is probably a bad thing to do. Fix this by kfree'ing sfp after
SG_LOG.
Addresses-Coverity: ("Use after free")
Fixes: af1fc95db445 ("scsi: sg: Replace rq array with xarray")
Signed-off-by: Colin Ian King <colin.king@...onical.com>
---
drivers/scsi/sg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 2d4bbc1a1727..79f05afa4407 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -3799,10 +3799,10 @@ sg_add_sfp(struct sg_device *sdp)
if (rbuf_len > 0) {
srp = sg_build_reserve(sfp, rbuf_len);
if (IS_ERR(srp)) {
- kfree(sfp);
err = PTR_ERR(srp);
SG_LOG(1, sfp, "%s: build reserve err=%ld\n", __func__,
-err);
+ kfree(sfp);
return ERR_PTR(err);
}
if (srp->sgat_h.buflen < rbuf_len) {
--
2.30.2
Powered by blists - more mailing lists