Message ID | 20221018075213.736562-1-yangyingliang@huawei.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:4ac7:0:0:0:0:0 with SMTP id y7csp1833337wrs; Tue, 18 Oct 2022 01:08:35 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4/4bxYPXvkbj7BcgDJoJZbcc3ovf7jlT4Iu/slAxthIVZ3pDYfzqNbbm3XhqqG7+39vO03 X-Received: by 2002:a17:907:7f02:b0:73d:dffa:57b3 with SMTP id qf2-20020a1709077f0200b0073ddffa57b3mr1453955ejc.19.1666080515560; Tue, 18 Oct 2022 01:08:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666080515; cv=none; d=google.com; s=arc-20160816; b=ciuu3l5paz4kJBAE8uSdKN1wtap0siDqL5Fq2RTuUkCtFdkR0B5+jslsu6sD31kUKI PZLHvJZ+SDTPlmdRfK4hOzJqShnOKE38K4fby6hL4113MDMOCDyRvehLXGRJJKnombvS re1aKtyGPCBHdt4uGT0KWeSU4g2XRzD0V8k4WjUIikW+wKYSiIr4ZyfY2QYqYKByzKVe zq1OPYXW+FNz6JRC2zFwMl4DScu/1KeOze+TXNorbbOT2YQid373Ej5c8U3gloNOImsg q5cDIw3aCb1Yt/bhyzyadGGyvlXzX547YD0zgoaIlkpmNVuCtu8Z/lS+DSVRLqk9Lojx FE0w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=B/ZiQaJbvztSWxJPCSyprjjoawqeRMSZKekxm3MJB3k=; b=Ii5tWTmlDh40g8Do7+HxAmHeQ+hxUBRAcEWtjdcvOHG96EdSagNBWdtSAESD7KNLQT Y8ULRDe/4okLpPdCAWcIUPEa4tmDx4pHEGzG4+cLszOng5j3wcQek4dlh3xPmoWgDZuZ 4kjUIpMZD5OVMRhLSntEPxzU7CzYcVjrnf0EIu9BMmnRdyBgWFChi2wOjaLlRjrnRA6e DKYgwsr1N71HZS8wu5EHkLfFuiyJYT+fT9Z2ANqSaQdJLkkK46zi1zEnz0OY4mb9xngA ySpbKKhm8uouZXtufle/VEc7XMqa5V6ILMekgQ89canPhdpsaPfSeibY85XPGmO7CFoe UG9Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id mp30-20020a1709071b1e00b0078e27ef9510si9740511ejc.747.2022.10.18.01.08.10; Tue, 18 Oct 2022 01:08:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229896AbiJRHxI (ORCPT <rfc822;carlos.wei.hk@gmail.com> + 99 others); Tue, 18 Oct 2022 03:53:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32848 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229845AbiJRHxG (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Tue, 18 Oct 2022 03:53:06 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6C6D332EC0 for <linux-kernel@vger.kernel.org>; Tue, 18 Oct 2022 00:53:05 -0700 (PDT) Received: from dggpemm500020.china.huawei.com (unknown [172.30.72.53]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4Ms5Zh1XWSzVhx5; Tue, 18 Oct 2022 15:48:28 +0800 (CST) Received: from dggpemm500007.china.huawei.com (7.185.36.183) by dggpemm500020.china.huawei.com (7.185.36.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Tue, 18 Oct 2022 15:53:02 +0800 Received: from huawei.com (10.175.103.91) by dggpemm500007.china.huawei.com (7.185.36.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Tue, 18 Oct 2022 15:53:02 +0800 From: Yang Yingliang <yangyingliang@huawei.com> To: <linux-kernel@vger.kernel.org>, <ocfs2-devel@oss.oracle.com> CC: <mark@fasheh.com>, <jlbec@evilplan.org>, <joseph.qi@linux.alibaba.com>, <gregkh@linuxfoundation.org>, <akpm@linux-foundation.org> Subject: [PATCH] ocfs2: possible memory leak in mlog_sys_init() Date: Tue, 18 Oct 2022 15:52:13 +0800 Message-ID: <20221018075213.736562-1-yangyingliang@huawei.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.175.103.91] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To dggpemm500007.china.huawei.com (7.185.36.183) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1747012042630007903?= X-GMAIL-MSGID: =?utf-8?q?1747012042630007903?= |
Series |
ocfs2: possible memory leak in mlog_sys_init()
|
|
Commit Message
Yang Yingliang
Oct. 18, 2022, 7:52 a.m. UTC
Inject fault while probing module, kset_register() may fail,
if it fails, but the refcount of kobject is not decreased to
0, the name allocated in kobject_set_name() is leaked. Fix
this by calling kset_put(), so that name can be freed in
callback function kobject_cleanup().
unreferenced object 0xffff888100da9348 (size 8):
comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s)
hex dump (first 8 bytes):
6c 6f 67 6d 61 73 6b 00 logmask.
backtrace:
[<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0
[<000000007c491a9e>] kstrdup+0x3a/0x70
[<0000000015719a3b>] kstrdup_const+0x63/0x80
[<0000000084e458ea>] kvasprintf_const+0x149/0x180
[<0000000091302b42>] kobject_set_name_vargs+0x56/0x150
[<000000005f48eeac>] kobject_set_name+0xab/0xe0
Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
fs/ocfs2/cluster/masklog.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
Comments
Hi, On 10/18/22 3:52 PM, Yang Yingliang wrote: > Inject fault while probing module, kset_register() may fail, > if it fails, but the refcount of kobject is not decreased to > 0, the name allocated in kobject_set_name() is leaked. Fix > this by calling kset_put(), so that name can be freed in > callback function kobject_cleanup(). > > unreferenced object 0xffff888100da9348 (size 8): > comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s) > hex dump (first 8 bytes): > 6c 6f 67 6d 61 73 6b 00 logmask. > backtrace: > [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0 > [<000000007c491a9e>] kstrdup+0x3a/0x70 > [<0000000015719a3b>] kstrdup_const+0x63/0x80 > [<0000000084e458ea>] kvasprintf_const+0x149/0x180 > [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150 > [<000000005f48eeac>] kobject_set_name+0xab/0xe0 > > Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset") > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > --- > fs/ocfs2/cluster/masklog.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c > index 563881ddbf00..7f9ba816d955 100644 > --- a/fs/ocfs2/cluster/masklog.c > +++ b/fs/ocfs2/cluster/masklog.c > @@ -156,6 +156,7 @@ static struct kset mlog_kset = { > int mlog_sys_init(struct kset *o2cb_kset) > { > int i = 0; > + int ret; > > while (mlog_attrs[i].attr.mode) { > mlog_default_attrs[i] = &mlog_attrs[i].attr; > @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset) > > kobject_set_name(&mlog_kset.kobj, "logmask"); > mlog_kset.kobj.kset = o2cb_kset; > - return kset_register(&mlog_kset); > + ret = kset_register(&mlog_kset); If register fails, it will call unregister in o2cb_sys_init(), which will put kobject. Thanks, Joseph > + if (ret) > + kset_put(&mlog_kset); > + > + return ret; > } > > void mlog_sys_shutdown(void)
Hi, On 2022/10/18 17:02, Joseph Qi wrote: > Hi, > > On 10/18/22 3:52 PM, Yang Yingliang wrote: >> Inject fault while probing module, kset_register() may fail, >> if it fails, but the refcount of kobject is not decreased to >> 0, the name allocated in kobject_set_name() is leaked. Fix >> this by calling kset_put(), so that name can be freed in >> callback function kobject_cleanup(). >> >> unreferenced object 0xffff888100da9348 (size 8): >> comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s) >> hex dump (first 8 bytes): >> 6c 6f 67 6d 61 73 6b 00 logmask. >> backtrace: >> [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0 >> [<000000007c491a9e>] kstrdup+0x3a/0x70 >> [<0000000015719a3b>] kstrdup_const+0x63/0x80 >> [<0000000084e458ea>] kvasprintf_const+0x149/0x180 >> [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150 >> [<000000005f48eeac>] kobject_set_name+0xab/0xe0 >> >> Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset") >> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> >> --- >> fs/ocfs2/cluster/masklog.c | 7 ++++++- >> 1 file changed, 6 insertions(+), 1 deletion(-) >> >> diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c >> index 563881ddbf00..7f9ba816d955 100644 >> --- a/fs/ocfs2/cluster/masklog.c >> +++ b/fs/ocfs2/cluster/masklog.c >> @@ -156,6 +156,7 @@ static struct kset mlog_kset = { >> int mlog_sys_init(struct kset *o2cb_kset) >> { >> int i = 0; >> + int ret; >> >> while (mlog_attrs[i].attr.mode) { >> mlog_default_attrs[i] = &mlog_attrs[i].attr; >> @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset) >> >> kobject_set_name(&mlog_kset.kobj, "logmask"); >> mlog_kset.kobj.kset = o2cb_kset; >> - return kset_register(&mlog_kset); >> + ret = kset_register(&mlog_kset); > If register fails, it will call unregister in o2cb_sys_init(), which > will put kobject. They are different ksets, the kset unregistered in o2cb_sys_init() is 'o2cb_kset', the kset used to registered in mlog_sys_init() is 'mlog_kset', and they hold difference refcounts. Thanks, Yang > > Thanks, > Joseph > >> + if (ret) >> + kset_put(&mlog_kset); >> + >> + return ret; >> } >> >> void mlog_sys_shutdown(void) > .
On 10/18/22 6:33 PM, Yang Yingliang wrote: > Hi, > > On 2022/10/18 17:02, Joseph Qi wrote: >> Hi, >> >> On 10/18/22 3:52 PM, Yang Yingliang wrote: >>> Inject fault while probing module, kset_register() may fail, >>> if it fails, but the refcount of kobject is not decreased to >>> 0, the name allocated in kobject_set_name() is leaked. Fix >>> this by calling kset_put(), so that name can be freed in >>> callback function kobject_cleanup(). >>> >>> unreferenced object 0xffff888100da9348 (size 8): >>> comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s) >>> hex dump (first 8 bytes): >>> 6c 6f 67 6d 61 73 6b 00 logmask. >>> backtrace: >>> [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0 >>> [<000000007c491a9e>] kstrdup+0x3a/0x70 >>> [<0000000015719a3b>] kstrdup_const+0x63/0x80 >>> [<0000000084e458ea>] kvasprintf_const+0x149/0x180 >>> [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150 >>> [<000000005f48eeac>] kobject_set_name+0xab/0xe0 >>> >>> Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset") >>> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> >>> --- >>> fs/ocfs2/cluster/masklog.c | 7 ++++++- >>> 1 file changed, 6 insertions(+), 1 deletion(-) >>> >>> diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c >>> index 563881ddbf00..7f9ba816d955 100644 >>> --- a/fs/ocfs2/cluster/masklog.c >>> +++ b/fs/ocfs2/cluster/masklog.c >>> @@ -156,6 +156,7 @@ static struct kset mlog_kset = { >>> int mlog_sys_init(struct kset *o2cb_kset) >>> { >>> int i = 0; >>> + int ret; >>> while (mlog_attrs[i].attr.mode) { >>> mlog_default_attrs[i] = &mlog_attrs[i].attr; >>> @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset) >>> kobject_set_name(&mlog_kset.kobj, "logmask"); >>> mlog_kset.kobj.kset = o2cb_kset; >>> - return kset_register(&mlog_kset); >>> + ret = kset_register(&mlog_kset); >> If register fails, it will call unregister in o2cb_sys_init(), which >> will put kobject. > They are different ksets, the kset unregistered in o2cb_sys_init() is 'o2cb_kset', the > kset used to registered in mlog_sys_init() is 'mlog_kset', and they hold difference > refcounts. > Yes, you are right. I've mixed the two ksets up. In theory, kset_register() may return error because of a NULL kset, so here we may not call kset_put() directly, I'm not sure if a static checker will happy. Though this can't happen since it's already statically allocated... Thanks, Joseph
On 2022/10/18 21:39, Joseph Qi wrote: > > On 10/18/22 6:33 PM, Yang Yingliang wrote: >> Hi, >> >> On 2022/10/18 17:02, Joseph Qi wrote: >>> Hi, >>> >>> On 10/18/22 3:52 PM, Yang Yingliang wrote: >>>> Inject fault while probing module, kset_register() may fail, >>>> if it fails, but the refcount of kobject is not decreased to >>>> 0, the name allocated in kobject_set_name() is leaked. Fix >>>> this by calling kset_put(), so that name can be freed in >>>> callback function kobject_cleanup(). >>>> >>>> unreferenced object 0xffff888100da9348 (size 8): >>>> comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s) >>>> hex dump (first 8 bytes): >>>> 6c 6f 67 6d 61 73 6b 00 logmask. >>>> backtrace: >>>> [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0 >>>> [<000000007c491a9e>] kstrdup+0x3a/0x70 >>>> [<0000000015719a3b>] kstrdup_const+0x63/0x80 >>>> [<0000000084e458ea>] kvasprintf_const+0x149/0x180 >>>> [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150 >>>> [<000000005f48eeac>] kobject_set_name+0xab/0xe0 >>>> >>>> Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset") >>>> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> >>>> --- >>>> fs/ocfs2/cluster/masklog.c | 7 ++++++- >>>> 1 file changed, 6 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c >>>> index 563881ddbf00..7f9ba816d955 100644 >>>> --- a/fs/ocfs2/cluster/masklog.c >>>> +++ b/fs/ocfs2/cluster/masklog.c >>>> @@ -156,6 +156,7 @@ static struct kset mlog_kset = { >>>> int mlog_sys_init(struct kset *o2cb_kset) >>>> { >>>> int i = 0; >>>> + int ret; >>>> while (mlog_attrs[i].attr.mode) { >>>> mlog_default_attrs[i] = &mlog_attrs[i].attr; >>>> @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset) >>>> kobject_set_name(&mlog_kset.kobj, "logmask"); >>>> mlog_kset.kobj.kset = o2cb_kset; >>>> - return kset_register(&mlog_kset); >>>> + ret = kset_register(&mlog_kset); >>> If register fails, it will call unregister in o2cb_sys_init(), which >>> will put kobject. >> They are different ksets, the kset unregistered in o2cb_sys_init() is 'o2cb_kset', the >> kset used to registered in mlog_sys_init() is 'mlog_kset', and they hold difference >> refcounts. >> Yes, you are right. I've mixed the two ksets up. > In theory, kset_register() may return error because of a NULL kset, so > here we may not call kset_put() directly, I'm not sure if a static > checker will happy. > Though this can't happen since it's already statically allocated... kset_register() may fail if kobject_add_internal() return error (can't allocate memory), the name "logmask" is dynamically alloctated while ocfs2 is compile as module and insert it (if ocfs2 is built in kernel, the name is constant, it won't cause a leak), so the name can be leaked. Thanks, Yang > > Thanks, > Joseph > > .
On 10/18/22 10:28 PM, Yang Yingliang wrote: > > On 2022/10/18 21:39, Joseph Qi wrote: >> >> On 10/18/22 6:33 PM, Yang Yingliang wrote: >>> Hi, >>> >>> On 2022/10/18 17:02, Joseph Qi wrote: >>>> Hi, >>>> >>>> On 10/18/22 3:52 PM, Yang Yingliang wrote: >>>>> Inject fault while probing module, kset_register() may fail, >>>>> if it fails, but the refcount of kobject is not decreased to >>>>> 0, the name allocated in kobject_set_name() is leaked. Fix >>>>> this by calling kset_put(), so that name can be freed in >>>>> callback function kobject_cleanup(). >>>>> >>>>> unreferenced object 0xffff888100da9348 (size 8): >>>>> comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s) >>>>> hex dump (first 8 bytes): >>>>> 6c 6f 67 6d 61 73 6b 00 logmask. >>>>> backtrace: >>>>> [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0 >>>>> [<000000007c491a9e>] kstrdup+0x3a/0x70 >>>>> [<0000000015719a3b>] kstrdup_const+0x63/0x80 >>>>> [<0000000084e458ea>] kvasprintf_const+0x149/0x180 >>>>> [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150 >>>>> [<000000005f48eeac>] kobject_set_name+0xab/0xe0 >>>>> >>>>> Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset") >>>>> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> >>>>> --- >>>>> fs/ocfs2/cluster/masklog.c | 7 ++++++- >>>>> 1 file changed, 6 insertions(+), 1 deletion(-) >>>>> >>>>> diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c >>>>> index 563881ddbf00..7f9ba816d955 100644 >>>>> --- a/fs/ocfs2/cluster/masklog.c >>>>> +++ b/fs/ocfs2/cluster/masklog.c >>>>> @@ -156,6 +156,7 @@ static struct kset mlog_kset = { >>>>> int mlog_sys_init(struct kset *o2cb_kset) >>>>> { >>>>> int i = 0; >>>>> + int ret; >>>>> while (mlog_attrs[i].attr.mode) { >>>>> mlog_default_attrs[i] = &mlog_attrs[i].attr; >>>>> @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset) >>>>> kobject_set_name(&mlog_kset.kobj, "logmask"); >>>>> mlog_kset.kobj.kset = o2cb_kset; >>>>> - return kset_register(&mlog_kset); >>>>> + ret = kset_register(&mlog_kset); >>>> If register fails, it will call unregister in o2cb_sys_init(), which >>>> will put kobject. >>> They are different ksets, the kset unregistered in o2cb_sys_init() is 'o2cb_kset', the >>> kset used to registered in mlog_sys_init() is 'mlog_kset', and they hold difference >>> refcounts. >>> Yes, you are right. I've mixed the two ksets up. >> In theory, kset_register() may return error because of a NULL kset, so >> here we may not call kset_put() directly, I'm not sure if a static >> checker will happy. >> Though this can't happen since it's already statically allocated... > kset_register() may fail if kobject_add_internal() return error (can't allocate memory), the name > "logmask" is dynamically alloctated while ocfs2 is compile as module and insert it (if ocfs2 is > built in kernel, the name is constant, it won't cause a leak), so the name can be leaked. What I mean is kset_register() may fail with many reasons, or even without kset_init(). I wonder if we have to handle this internal kset_register(), but not leave it to caller. This may benefit other callers as well. Something like: err = kobject_add_internal(&k->kobj); if (err) { kset_put(k); return err; } Thanks, Joseph
On 2022/10/19 10:26, Joseph Qi wrote: > > On 10/18/22 10:28 PM, Yang Yingliang wrote: >> On 2022/10/18 21:39, Joseph Qi wrote: >>> On 10/18/22 6:33 PM, Yang Yingliang wrote: >>>> Hi, >>>> >>>> On 2022/10/18 17:02, Joseph Qi wrote: >>>>> Hi, >>>>> >>>>> On 10/18/22 3:52 PM, Yang Yingliang wrote: >>>>>> Inject fault while probing module, kset_register() may fail, >>>>>> if it fails, but the refcount of kobject is not decreased to >>>>>> 0, the name allocated in kobject_set_name() is leaked. Fix >>>>>> this by calling kset_put(), so that name can be freed in >>>>>> callback function kobject_cleanup(). >>>>>> >>>>>> unreferenced object 0xffff888100da9348 (size 8): >>>>>> comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s) >>>>>> hex dump (first 8 bytes): >>>>>> 6c 6f 67 6d 61 73 6b 00 logmask. >>>>>> backtrace: >>>>>> [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0 >>>>>> [<000000007c491a9e>] kstrdup+0x3a/0x70 >>>>>> [<0000000015719a3b>] kstrdup_const+0x63/0x80 >>>>>> [<0000000084e458ea>] kvasprintf_const+0x149/0x180 >>>>>> [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150 >>>>>> [<000000005f48eeac>] kobject_set_name+0xab/0xe0 >>>>>> >>>>>> Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset") >>>>>> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> >>>>>> --- >>>>>> fs/ocfs2/cluster/masklog.c | 7 ++++++- >>>>>> 1 file changed, 6 insertions(+), 1 deletion(-) >>>>>> >>>>>> diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c >>>>>> index 563881ddbf00..7f9ba816d955 100644 >>>>>> --- a/fs/ocfs2/cluster/masklog.c >>>>>> +++ b/fs/ocfs2/cluster/masklog.c >>>>>> @@ -156,6 +156,7 @@ static struct kset mlog_kset = { >>>>>> int mlog_sys_init(struct kset *o2cb_kset) >>>>>> { >>>>>> int i = 0; >>>>>> + int ret; >>>>>> while (mlog_attrs[i].attr.mode) { >>>>>> mlog_default_attrs[i] = &mlog_attrs[i].attr; >>>>>> @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset) >>>>>> kobject_set_name(&mlog_kset.kobj, "logmask"); >>>>>> mlog_kset.kobj.kset = o2cb_kset; >>>>>> - return kset_register(&mlog_kset); >>>>>> + ret = kset_register(&mlog_kset); >>>>> If register fails, it will call unregister in o2cb_sys_init(), which >>>>> will put kobject. >>>> They are different ksets, the kset unregistered in o2cb_sys_init() is 'o2cb_kset', the >>>> kset used to registered in mlog_sys_init() is 'mlog_kset', and they hold difference >>>> refcounts. >>>> Yes, you are right. I've mixed the two ksets up. >>> In theory, kset_register() may return error because of a NULL kset, so >>> here we may not call kset_put() directly, I'm not sure if a static >>> checker will happy. >>> Though this can't happen since it's already statically allocated... >> kset_register() may fail if kobject_add_internal() return error (can't allocate memory), the name >> "logmask" is dynamically alloctated while ocfs2 is compile as module and insert it (if ocfs2 is >> built in kernel, the name is constant, it won't cause a leak), so the name can be leaked. > What I mean is kset_register() may fail with many reasons, or even > without kset_init(). > I wonder if we have to handle this internal kset_register(), but not > leave it to caller. This may benefit other callers as well. > > Something like: > err = kobject_add_internal(&k->kobj); > if (err) { > kset_put(k); > return err; > } I had think about this method to fix this, but some kset is allocated dynamically in driver and it's freed in callback function which is called after kset_put() and in error path in driver will free it again, it leads double free in some drivers. I think kset_register() is similar with device_register(), if it fails need another put function to give up reference in driver. Thanks, Yang > > Thanks, > Joseph > > .
On 10/19/22 10:57 AM, Yang Yingliang wrote: > > On 2022/10/19 10:26, Joseph Qi wrote: >> >> On 10/18/22 10:28 PM, Yang Yingliang wrote: >>> On 2022/10/18 21:39, Joseph Qi wrote: >>>> On 10/18/22 6:33 PM, Yang Yingliang wrote: >>>>> Hi, >>>>> >>>>> On 2022/10/18 17:02, Joseph Qi wrote: >>>>>> Hi, >>>>>> >>>>>> On 10/18/22 3:52 PM, Yang Yingliang wrote: >>>>>>> Inject fault while probing module, kset_register() may fail, >>>>>>> if it fails, but the refcount of kobject is not decreased to >>>>>>> 0, the name allocated in kobject_set_name() is leaked. Fix >>>>>>> this by calling kset_put(), so that name can be freed in >>>>>>> callback function kobject_cleanup(). >>>>>>> >>>>>>> unreferenced object 0xffff888100da9348 (size 8): >>>>>>> comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s) >>>>>>> hex dump (first 8 bytes): >>>>>>> 6c 6f 67 6d 61 73 6b 00 logmask. >>>>>>> backtrace: >>>>>>> [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0 >>>>>>> [<000000007c491a9e>] kstrdup+0x3a/0x70 >>>>>>> [<0000000015719a3b>] kstrdup_const+0x63/0x80 >>>>>>> [<0000000084e458ea>] kvasprintf_const+0x149/0x180 >>>>>>> [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150 >>>>>>> [<000000005f48eeac>] kobject_set_name+0xab/0xe0 >>>>>>> >>>>>>> Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset") >>>>>>> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> >>>>>>> --- >>>>>>> fs/ocfs2/cluster/masklog.c | 7 ++++++- >>>>>>> 1 file changed, 6 insertions(+), 1 deletion(-) >>>>>>> >>>>>>> diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c >>>>>>> index 563881ddbf00..7f9ba816d955 100644 >>>>>>> --- a/fs/ocfs2/cluster/masklog.c >>>>>>> +++ b/fs/ocfs2/cluster/masklog.c >>>>>>> @@ -156,6 +156,7 @@ static struct kset mlog_kset = { >>>>>>> int mlog_sys_init(struct kset *o2cb_kset) >>>>>>> { >>>>>>> int i = 0; >>>>>>> + int ret; >>>>>>> while (mlog_attrs[i].attr.mode) { >>>>>>> mlog_default_attrs[i] = &mlog_attrs[i].attr; >>>>>>> @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset) >>>>>>> kobject_set_name(&mlog_kset.kobj, "logmask"); >>>>>>> mlog_kset.kobj.kset = o2cb_kset; >>>>>>> - return kset_register(&mlog_kset); >>>>>>> + ret = kset_register(&mlog_kset); >>>>>> If register fails, it will call unregister in o2cb_sys_init(), which >>>>>> will put kobject. >>>>> They are different ksets, the kset unregistered in o2cb_sys_init() is 'o2cb_kset', the >>>>> kset used to registered in mlog_sys_init() is 'mlog_kset', and they hold difference >>>>> refcounts. >>>>> Yes, you are right. I've mixed the two ksets up. >>>> In theory, kset_register() may return error because of a NULL kset, so >>>> here we may not call kset_put() directly, I'm not sure if a static >>>> checker will happy. >>>> Though this can't happen since it's already statically allocated... >>> kset_register() may fail if kobject_add_internal() return error (can't allocate memory), the name >>> "logmask" is dynamically alloctated while ocfs2 is compile as module and insert it (if ocfs2 is >>> built in kernel, the name is constant, it won't cause a leak), so the name can be leaked. >> What I mean is kset_register() may fail with many reasons, or even >> without kset_init(). >> I wonder if we have to handle this internal kset_register(), but not >> leave it to caller. This may benefit other callers as well. >> >> Something like: >> err = kobject_add_internal(&k->kobj); >> if (err) { >> kset_put(k); >> return err; >> } > I had think about this method to fix this, but some kset is allocated dynamically in driver and > it's freed in callback function which is called after kset_put() and in error path in driver will free > it again, it leads double free in some drivers. > I don't think it's good idea that caller has to take care part of the internal logic of kset_register() in case of error. Hi Greg, what do you think? Thanks, Joseph > I think kset_register() is similar with device_register(), if it fails need another put function to give > up reference in driver. >
On Thu, Oct 20, 2022 at 10:06:48AM +0800, Joseph Qi wrote: > > > On 10/19/22 10:57 AM, Yang Yingliang wrote: > > > > On 2022/10/19 10:26, Joseph Qi wrote: > >> > >> On 10/18/22 10:28 PM, Yang Yingliang wrote: > >>> On 2022/10/18 21:39, Joseph Qi wrote: > >>>> On 10/18/22 6:33 PM, Yang Yingliang wrote: > >>>>> Hi, > >>>>> > >>>>> On 2022/10/18 17:02, Joseph Qi wrote: > >>>>>> Hi, > >>>>>> > >>>>>> On 10/18/22 3:52 PM, Yang Yingliang wrote: > >>>>>>> Inject fault while probing module, kset_register() may fail, > >>>>>>> if it fails, but the refcount of kobject is not decreased to > >>>>>>> 0, the name allocated in kobject_set_name() is leaked. Fix > >>>>>>> this by calling kset_put(), so that name can be freed in > >>>>>>> callback function kobject_cleanup(). > >>>>>>> > >>>>>>> unreferenced object 0xffff888100da9348 (size 8): > >>>>>>> comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s) > >>>>>>> hex dump (first 8 bytes): > >>>>>>> 6c 6f 67 6d 61 73 6b 00 logmask. > >>>>>>> backtrace: > >>>>>>> [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0 > >>>>>>> [<000000007c491a9e>] kstrdup+0x3a/0x70 > >>>>>>> [<0000000015719a3b>] kstrdup_const+0x63/0x80 > >>>>>>> [<0000000084e458ea>] kvasprintf_const+0x149/0x180 > >>>>>>> [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150 > >>>>>>> [<000000005f48eeac>] kobject_set_name+0xab/0xe0 > >>>>>>> > >>>>>>> Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset") > >>>>>>> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > >>>>>>> --- > >>>>>>> fs/ocfs2/cluster/masklog.c | 7 ++++++- > >>>>>>> 1 file changed, 6 insertions(+), 1 deletion(-) > >>>>>>> > >>>>>>> diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c > >>>>>>> index 563881ddbf00..7f9ba816d955 100644 > >>>>>>> --- a/fs/ocfs2/cluster/masklog.c > >>>>>>> +++ b/fs/ocfs2/cluster/masklog.c > >>>>>>> @@ -156,6 +156,7 @@ static struct kset mlog_kset = { > >>>>>>> int mlog_sys_init(struct kset *o2cb_kset) > >>>>>>> { > >>>>>>> int i = 0; > >>>>>>> + int ret; > >>>>>>> while (mlog_attrs[i].attr.mode) { > >>>>>>> mlog_default_attrs[i] = &mlog_attrs[i].attr; > >>>>>>> @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset) > >>>>>>> kobject_set_name(&mlog_kset.kobj, "logmask"); > >>>>>>> mlog_kset.kobj.kset = o2cb_kset; > >>>>>>> - return kset_register(&mlog_kset); > >>>>>>> + ret = kset_register(&mlog_kset); > >>>>>> If register fails, it will call unregister in o2cb_sys_init(), which > >>>>>> will put kobject. > >>>>> They are different ksets, the kset unregistered in o2cb_sys_init() is 'o2cb_kset', the > >>>>> kset used to registered in mlog_sys_init() is 'mlog_kset', and they hold difference > >>>>> refcounts. > >>>>> Yes, you are right. I've mixed the two ksets up. > >>>> In theory, kset_register() may return error because of a NULL kset, so > >>>> here we may not call kset_put() directly, I'm not sure if a static > >>>> checker will happy. > >>>> Though this can't happen since it's already statically allocated... > >>> kset_register() may fail if kobject_add_internal() return error (can't allocate memory), the name > >>> "logmask" is dynamically alloctated while ocfs2 is compile as module and insert it (if ocfs2 is > >>> built in kernel, the name is constant, it won't cause a leak), so the name can be leaked. > >> What I mean is kset_register() may fail with many reasons, or even > >> without kset_init(). > >> I wonder if we have to handle this internal kset_register(), but not > >> leave it to caller. This may benefit other callers as well. > >> > >> Something like: > >> err = kobject_add_internal(&k->kobj); > >> if (err) { > >> kset_put(k); > >> return err; > >> } > > I had think about this method to fix this, but some kset is allocated dynamically in driver and > > it's freed in callback function which is called after kset_put() and in error path in driver will free > > it again, it leads double free in some drivers. > > > I don't think it's good idea that caller has to take care part of the > internal logic of kset_register() in case of error. > Hi Greg, what do you think? I think if you are messing around with raw ksets, you have to handle them properly :) For some driver and kobject core functions, once you call register, you have to call put() to handle an error because the driver core can not know what you are doing with that memory at times. But, maybe for ksets this is not needed and the kobject core can properly clean up from an error here. Yang, can you please look into this? That might make this much simpler. Either way, the documentation for kset_register() needs to be fixed up first, so that people have a chance to know what to do here and THEN we can fix up the callers like this. Yang, can you do this all as one long series that I can take through the driver core tree. No need to scatter it all across a bunch of different subsystems. thanks, greg k-h
On 2022/10/20 18:18, Greg Kroah-Hartman wrote: > On Thu, Oct 20, 2022 at 10:06:48AM +0800, Joseph Qi wrote: >> >> On 10/19/22 10:57 AM, Yang Yingliang wrote: >>> On 2022/10/19 10:26, Joseph Qi wrote: >>>> On 10/18/22 10:28 PM, Yang Yingliang wrote: >>>>> On 2022/10/18 21:39, Joseph Qi wrote: >>>>>> On 10/18/22 6:33 PM, Yang Yingliang wrote: >>>>>>> Hi, >>>>>>> >>>>>>> On 2022/10/18 17:02, Joseph Qi wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> On 10/18/22 3:52 PM, Yang Yingliang wrote: >>>>>>>>> Inject fault while probing module, kset_register() may fail, >>>>>>>>> if it fails, but the refcount of kobject is not decreased to >>>>>>>>> 0, the name allocated in kobject_set_name() is leaked. Fix >>>>>>>>> this by calling kset_put(), so that name can be freed in >>>>>>>>> callback function kobject_cleanup(). >>>>>>>>> >>>>>>>>> unreferenced object 0xffff888100da9348 (size 8): >>>>>>>>> comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s) >>>>>>>>> hex dump (first 8 bytes): >>>>>>>>> 6c 6f 67 6d 61 73 6b 00 logmask. >>>>>>>>> backtrace: >>>>>>>>> [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0 >>>>>>>>> [<000000007c491a9e>] kstrdup+0x3a/0x70 >>>>>>>>> [<0000000015719a3b>] kstrdup_const+0x63/0x80 >>>>>>>>> [<0000000084e458ea>] kvasprintf_const+0x149/0x180 >>>>>>>>> [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150 >>>>>>>>> [<000000005f48eeac>] kobject_set_name+0xab/0xe0 >>>>>>>>> >>>>>>>>> Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset") >>>>>>>>> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> >>>>>>>>> --- >>>>>>>>> fs/ocfs2/cluster/masklog.c | 7 ++++++- >>>>>>>>> 1 file changed, 6 insertions(+), 1 deletion(-) >>>>>>>>> >>>>>>>>> diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c >>>>>>>>> index 563881ddbf00..7f9ba816d955 100644 >>>>>>>>> --- a/fs/ocfs2/cluster/masklog.c >>>>>>>>> +++ b/fs/ocfs2/cluster/masklog.c >>>>>>>>> @@ -156,6 +156,7 @@ static struct kset mlog_kset = { >>>>>>>>> int mlog_sys_init(struct kset *o2cb_kset) >>>>>>>>> { >>>>>>>>> int i = 0; >>>>>>>>> + int ret; >>>>>>>>> while (mlog_attrs[i].attr.mode) { >>>>>>>>> mlog_default_attrs[i] = &mlog_attrs[i].attr; >>>>>>>>> @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset) >>>>>>>>> kobject_set_name(&mlog_kset.kobj, "logmask"); >>>>>>>>> mlog_kset.kobj.kset = o2cb_kset; >>>>>>>>> - return kset_register(&mlog_kset); >>>>>>>>> + ret = kset_register(&mlog_kset); >>>>>>>> If register fails, it will call unregister in o2cb_sys_init(), which >>>>>>>> will put kobject. >>>>>>> They are different ksets, the kset unregistered in o2cb_sys_init() is 'o2cb_kset', the >>>>>>> kset used to registered in mlog_sys_init() is 'mlog_kset', and they hold difference >>>>>>> refcounts. >>>>>>> Yes, you are right. I've mixed the two ksets up. >>>>>> In theory, kset_register() may return error because of a NULL kset, so >>>>>> here we may not call kset_put() directly, I'm not sure if a static >>>>>> checker will happy. >>>>>> Though this can't happen since it's already statically allocated... >>>>> kset_register() may fail if kobject_add_internal() return error (can't allocate memory), the name >>>>> "logmask" is dynamically alloctated while ocfs2 is compile as module and insert it (if ocfs2 is >>>>> built in kernel, the name is constant, it won't cause a leak), so the name can be leaked. >>>> What I mean is kset_register() may fail with many reasons, or even >>>> without kset_init(). >>>> I wonder if we have to handle this internal kset_register(), but not >>>> leave it to caller. This may benefit other callers as well. >>>> >>>> Something like: >>>> err = kobject_add_internal(&k->kobj); >>>> if (err) { >>>> kset_put(k); >>>> return err; >>>> } >>> I had think about this method to fix this, but some kset is allocated dynamically in driver and >>> it's freed in callback function which is called after kset_put() and in error path in driver will free >>> it again, it leads double free in some drivers. >>> >> I don't think it's good idea that caller has to take care part of the >> internal logic of kset_register() in case of error. >> Hi Greg, what do you think? > I think if you are messing around with raw ksets, you have to handle > them properly :) > > For some driver and kobject core functions, once you call register, you > have to call put() to handle an error because the driver core can not > know what you are doing with that memory at times. > > But, maybe for ksets this is not needed and the kobject core can > properly clean up from an error here. Yang, can you please look into > this? That might make this much simpler. OK, I will look into this to see how to make it simpler for drivers. > > Either way, the documentation for kset_register() needs to be fixed up > first, so that people have a chance to know what to do here and THEN we > can fix up the callers like this. > > Yang, can you do this all as one long series that I can take through the > driver core tree. No need to scatter it all across a bunch of different > subsystems. OK, I will fix all these in one series. Thanks, Yang > > thanks, > > greg k-h > .
diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c index 563881ddbf00..7f9ba816d955 100644 --- a/fs/ocfs2/cluster/masklog.c +++ b/fs/ocfs2/cluster/masklog.c @@ -156,6 +156,7 @@ static struct kset mlog_kset = { int mlog_sys_init(struct kset *o2cb_kset) { int i = 0; + int ret; while (mlog_attrs[i].attr.mode) { mlog_default_attrs[i] = &mlog_attrs[i].attr; @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset) kobject_set_name(&mlog_kset.kobj, "logmask"); mlog_kset.kobj.kset = o2cb_kset; - return kset_register(&mlog_kset); + ret = kset_register(&mlog_kset); + if (ret) + kset_put(&mlog_kset); + + return ret; } void mlog_sys_shutdown(void)