From 710e87a383d141453e416d71d895efd372f23e36 Mon Sep 17 00:00:00 2001 From: Navid Emamdoost Date: Thu, 21 Nov 2019 13:34:46 +0800 Subject: [PATCH] ipmi: Fix memory leak in __ipmi_bmc_register mainline inclusion from mainline-v5.5 commit 4aa7afb0ee20a97fbf0c5bab3df028d5fb85fdab category: bugfix bugzilla: 13690 CVE: CVE-2019-19046 ------------------------------------------------- In the impelementation of __ipmi_bmc_register() the allocated memory for bmc should be released in case ida_simple_get() fails. Fixes: 68e7e50f195f ("ipmi: Don't use BMC product/dev ids in the BMC name") Signed-off-by: Navid Emamdoost Message-Id: <20191021200649.1511-1-navid.emamdoost@gmail.com> Signed-off-by: Corey Minyard Signed-off-by: Yang Yingliang Reviewed-by: Hanjun Guo Signed-off-by: Yang Yingliang --- drivers/char/ipmi/ipmi_msghandler.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index bdf99a30937e..25faf9703526 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -2947,8 +2947,11 @@ static int __ipmi_bmc_register(struct ipmi_smi *intf, bmc->pdev.name = "ipmi_bmc"; rv = ida_simple_get(&ipmi_bmc_ida, 0, 0, GFP_KERNEL); - if (rv < 0) + if (rv < 0) { + kfree(bmc); goto out; + } + bmc->pdev.dev.driver = &ipmidriver.driver; bmc->pdev.id = rv; bmc->pdev.dev.release = release_bmc_device; -- GitLab