Details
Bug
Resolution: Fixed
Minor
Description
It looks like tgt_checksum_niobuf_t10pi() can leak memory if we ever set rc to nonzero; some of the conditions appear to set it without any visible warnings:
        req = cfs_crypto_hash_init(cfs_alg, NULL, 0);
        if (IS_ERR(req)) {
                CERROR("%s: unable to initialize checksum hash %s\n",
                       tgt_name(tgt), cfs_crypto_hash_name(cfs_alg));
                return PTR_ERR(req);
        }
        ...
                if (use_t10_grd) {
                        used = DIV_ROUND_UP(local_nb[i].lnb_len, sector_size);
                        if (used > (guard_number - used_number)) {
                                rc = -E2BIG;
                                break;
                        }
        ...
        if (rc)
                GOTO(out, rc);
        ...
        rc = cfs_crypto_hash_final(req, (unsigned char *)&cksum, &bufsize);
        if (rc == 0)
                *check_sum = cksum;
    out:
        __free_page(__page);
        return rc;
    }
This not only leads to leaking the req, but also the allocated page might be tied in the crypto hash calcs, I imagine (passed in as sg buffer with a reference to be potentially freed in the final?).
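The error path described in this report, reduced to a userspace C model (an added example, not Lustre code and not the fix that was merged). hash_init(), hash_final(), checksum_niobuf(), the live_reqs counter, the toy digest and the 512-byte sector size are assumptions made for illustration; with fixed set to 0 the error jump skips the finalizer as in the quoted flow, with fixed set to 1 the request is released on every exit and before the page is freed.

```c
/* Userspace model; hash_init/hash_final/checksum_niobuf are hypothetical stand-ins. */
#include <errno.h>
#include <stdlib.h>

static int live_reqs;	/* hash requests allocated but not yet released */
struct hash_req { unsigned int sum; };

static struct hash_req *hash_init(void)
{
	struct hash_req *req = calloc(1, sizeof(*req));
	if (req)
		live_reqs++;
	return req;
}

/* Releases req; out may be NULL when the digest is not wanted. */
static int hash_final(struct hash_req *req, unsigned int *out)
{
	if (out)
		*out = req->sum;
	free(req);
	live_reqs--;
	return 0;
}

/* fixed == 0 mirrors the reported flow: the error jump skips hash_final(). */
static int checksum_niobuf(const int *lens, int n, int guard_number,
			   int fixed, unsigned int *check_sum)
{
	struct hash_req *req = hash_init();
	void *page = malloc(4096);	/* stands in for the scratch page */
	int i, used_number = 0, rc = 0;

	if (!req || !page) { rc = -ENOMEM; goto out; }
	for (i = 0; i < n; i++) {
		int used = (lens[i] + 511) / 512;	/* DIV_ROUND_UP */
		if (used > guard_number - used_number) { rc = -E2BIG; break; }
		used_number += used;
		req->sum += lens[i];	/* toy digest: sum of lengths */
	}
	if (rc)
		goto out;
	rc = hash_final(req, check_sum);
	req = NULL;	/* already released by the finalizer */
out:
	if (fixed && req)
		hash_final(req, NULL);	/* release before the page is freed */
	free(page);
	return rc;
}
```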