CVE-2022-50646

Vulnerability

In the Linux kernel's SCSI hpsa driver, the function hpsa_init_one() allocates a controller structure h and its reply_map field via hpda_alloc_ctlr_info(). If the subsequent alloc_percpu() call fails, the error path jumps to clean1, which frees h directly but does not release the previously allocated h->reply_map, causing a memory leak [1].

Exploitation

This vulnerability is triggered during driver initialization when memory allocation fails. An attacker would need to induce memory pressure on the system to cause alloc_percpu() to fail, then trigger the driver probe path. No special privileges are required beyond the ability to cause the driver to load (e.g., via hotplug or system boot).

Impact

A local attacker could exhaust kernel memory by repeatedly triggering the leak, leading to a denial-of-service condition. The leak is small per occurrence but can accumulate over time.

Mitigation

The fix replaces the direct kfree(h) with a call to hpda_free_ctlr_info(), which properly frees both h and h->reply_map. The patch has been applied to the stable kernel trees [2][3]. Users should update to a kernel containing the fix.