From: Miaohe Lin linmiaohe@huawei.com
mainline inclusion from mainline-v5.6-rc4 commit d80b64ff297e40c2b6f7d7abc1b3eba70d22a068 category: bugfix bugzilla: 13690 CVE: CVE-2020-12768
-------------------------------------------------
When the kmalloc of sd->sev_vmcbs fails, we forget to free the page held by sd->save_area. Also get rid of the variable r, as '-ENOMEM' is actually the only possible outcome here.
Reviewed-by: Liran Alon liran.alon@oracle.com Reviewed-by: Vitaly Kuznetsov vkuznets@redhat.com Signed-off-by: Miaohe Lin linmiaohe@huawei.com Signed-off-by: Paolo Bonzini pbonzini@redhat.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com Reviewed-by: Jason Yan yanaijie@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- arch/x86/kvm/svm.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index df22744..226db3dc 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -998,33 +998,32 @@ static void svm_cpu_uninit(int cpu)
 static int svm_cpu_init(int cpu)
 {
 struct svm_cpu_data *sd;
- int r;
 sd = kzalloc(sizeof(struct svm_cpu_data), GFP_KERNEL);
 if (!sd)
 return -ENOMEM;
 sd->cpu = cpu;
- r = -ENOMEM;
 sd->save_area = alloc_page(GFP_KERNEL);
 if (!sd->save_area)
- goto err_1;
+ goto free_cpu_data;
 if (svm_sev_enabled()) {
- r = -ENOMEM;
 sd->sev_vmcbs = kmalloc_array(max_sev_asid + 1,
 sizeof(void *),
 GFP_KERNEL);
 if (!sd->sev_vmcbs)
- goto err_1;
+ goto free_save_area;
 }
per_cpu(svm_data, cpu) = sd;
return 0;
-err_1:
+free_save_area:
+ __free_page(sd->save_area);
+free_cpu_data:
 kfree(sd);
- return r;
+ return -ENOMEM;
}
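Review bot: sd->sev_vmcbs is still allocated with kmalloc_array() and therefore holds indeterminate pointer values until each slot is written; if anything compares or dereferences an entry before it has been stored (the readers are outside this hunk, so this needs confirming), `sd->sev_vmcbs = kcalloc(max_sev_asid + 1, sizeof(void *), GFP_KERNEL);` would give a defined all-NULL table. The new free_save_area/free_cpu_data labels unwind in reverse allocation order, and returning -ENOMEM directly is consistent with both failure sites. svm_cpu_init is visible in full here; the @@ context names svm_cpu_uninit, the matching release path, which lies before the hunk.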
From: Wu Bo wubo40@huawei.com
mainline inclusion from mainline-v5.7-rc3 commit 83c6f2390040f188cc25b270b4befeb5628c1aee category: bugfix bugzilla: 13690 CVE: CVE-2020-12770
-------------------------------------------------
If the __copy_from_user() call in sg_write() fails, we need to call sg_remove_request().
Link: https://lore.kernel.org/r/610618d9-e983-fd56-ed0f-639428343af7@huawei.com Acked-by: Douglas Gilbert dgilbert@interlog.com Signed-off-by: Wu Bo wubo40@huawei.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Conflicts: drivers/scsi/sg.c [yyl: adjust context]
Signed-off-by: Yang Yingliang yangyingliang@huawei.com Reviewed-by: Jason Yan yanaijie@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/scsi/sg.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 072d636..749faaf 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -694,8 +694,10 @@ static int sg_allow_access(struct file *filp, unsigned char *cmd)
 hp->flags = input_size; /* structure abuse ... */
 hp->pack_id = old_hdr.pack_id;
 hp->usr_ptr = NULL;
- if (__copy_from_user(cmnd, buf, cmd_size))
+ if (__copy_from_user(cmnd, buf, cmd_size)) {
+ sg_remove_request(sfp, srp);
 return -EFAULT;
+ }
 /*
 * SG_DXFER_TO_FROM_DEV is functionally equivalent to SG_DXFER_FROM_DEV,
 * but is is possible that the app intended SG_DXFER_TO_DEV, because there
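Review bot: The error path now releases srp, but the copy itself is still the unchecked __copy_from_user() variant, which depends on an access_ok() on buf having been performed earlier in sg_write() for at least cmd_size bytes; that earlier check is outside the hunk, so it is worth confirming it covers cmd_size and not only count, or switching to plain `if (copy_from_user(cmnd, buf, cmd_size)) {` so the range check is local to this call. The enclosing sg_write() starts before the hunk and continues after it.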