Linux Kernel SCSI LPFC Memory Leak Vulnerability in Port Creation Function

A memory leak vulnerability has been identified in the Linux kernel's SCSI LPFC driver, specifically within the 'lpfc_create_port' function. This issue arises from improper handling of VMID resource allocations, which were introduced in a previous commit. When the VMID allocations fail, the function returns NULL without releasing the allocated resources, leading to a memory leak. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability leads to a memory leak, where allocated resources are not properly released, potentially causing increased memory usage and degradation of system performance over time.

Reproduction

The vulnerability can be reproduced by invoking the 'lpfc_create_port' function in the SCSI LPFC driver with a scenario that triggers a failure in the VMID resource allocation. This can be done by modifying the driver's behavior to simulate a VMID allocation failure, such as by exhausting available VMID resources or introducing a fault that causes the allocation to fail. Once the allocation fails, the function will return NULL without freeing the previously allocated VMID resources, creating a memory leak.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability. The patch can be downloaded from the Linux kernel Git repository.