projects / platform / kernel / linux-rpi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a4af460)
[SCSI] hpsa: fix memory leak in CCISS_BIG_PASSTHRU ioctl
authorStephen M. Cameron <scameron@beardog.cce.hp.com>
Mon, 23 Sep 2013 18:33:51 +0000 (13:33 -0500)
committerJames Bottomley <JBottomley@Parallels.com>
Mon, 16 Dec 2013 18:57:53 +0000 (10:57 -0800)
We were leaking a command buffer if a DMA mapping error was
encountered in the CCISS_BIG_PASSTHRU ioctl.

Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
drivers/scsi/hpsa.c patch | blob | history

diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index bb3ee8f..f12f556 100644 (file)
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -3170,7 +3170,7 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, void __user *argp)
                                hpsa_pci_unmap(h->pdev, c, i,
                                        PCI_DMA_BIDIRECTIONAL);
                                status = -ENOMEM;
-                               goto cleanup1;
+                               goto cleanup0;
                        }
                        c->SG[i].Addr.lower = temp64.val32.lower;
                        c->SG[i].Addr.upper = temp64.val32.upper;
@@ -3186,24 +3186,23 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, void __user *argp)
        /* Copy the error information out */
        memcpy(&ioc->error_info, c->err_info, sizeof(ioc->error_info));
        if (copy_to_user(argp, ioc, sizeof(*ioc))) {
-               cmd_special_free(h, c);
                status = -EFAULT;
-               goto cleanup1;
+               goto cleanup0;
        }
        if (ioc->Request.Type.Direction == XFER_READ && ioc->buf_size > 0) {
                /* Copy the data out of the buffer we created */
                BYTE __user *ptr = ioc->buf;
                for (i = 0; i < sg_used; i++) {
                        if (copy_to_user(ptr, buff[i], buff_size[i])) {
-                               cmd_special_free(h, c);
                                status = -EFAULT;
-                               goto cleanup1;
+                               goto cleanup0;
                        }
                        ptr += buff_size[i];
                }
        }
-       cmd_special_free(h, c);
        status = 0;
+cleanup0:
+       cmd_special_free(h, c);
 cleanup1:
        if (buff) {
                for (i = 0; i < sg_used; i++)
Domain: System / Kernel;