[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240904045820.5510-1-riyandhiman14@gmail.com>
Date: Wed, 4 Sep 2024 10:28:18 +0530
From: Riyan Dhiman <riyandhiman14@...il.com>
To: bvanassche@....org,
aacraid@...rosemi.com,
James.Bottomley@...senPartnership.com,
martin.petersen@...cle.com
Cc: linux-scsi@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] scsi: aacraid: Fix memory leak in open_getadapter_fib function
>>> Just above the copy_to_user() call there is the following statement:
>>>
>>> list_add_tail(&fibctx->next, &dev->fib_list);
>>>
>>> Does that mean that the above kfree() will cause list corruption?
>>
>> Yes, you are correct. I overlooked that fibctx is part of a list, and freeing the
>> memory without removing the list entry would corrupt the list.
>> The list entry should be deleted before freeing the memory if copy_to_user() fails.
>
> Are you sure that this is what the code should do?
If copy_to_user function fails that means data was not copied to args successfully, which can leads to
issue as args might remain unchanged or in an uninteded state. Since we are returning an -EFAULT error,
we should free fibctx and remove the list entry in the case of an error. If there are any other methods,
additional checks, or potential issues with this approach that I should consider,
please let me know, and I'll make the necessary adjustments promptly.
Regards,
Riyan Dhiman
Powered by blists - more mailing lists