Message ID | 20221025071549.1280528-1-yangyingliang@huawei.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp857690wru; Tue, 25 Oct 2022 00:26:56 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4Eqgx1sUsxTy5/8ZkAKBe4SKMp3IJ/Mgg3VPDcO94nwcs/sA8pOJM8t31UnCuAPYQ8Lw6l X-Received: by 2002:a17:906:4bd3:b0:731:3bdf:b95c with SMTP id x19-20020a1709064bd300b007313bdfb95cmr31576775ejv.677.1666682815776; Tue, 25 Oct 2022 00:26:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666682815; cv=none; d=google.com; s=arc-20160816; b=FT/KysgkhPj8w1yF3DpyjeccgqBXyKnsAz7it8PFDX1m5biDRdlHUNaFZ6j1Y58/I4 iygOBESCXTcVQ2/h11zknZ1YHXRw6V0L7Clnk3w/Hn7UGHeZUni7p+ZiyWLaDVUrSvEy Ny0isY6lnGAPntlSCmXURD+ZVZatMFgGwQsC3dpeM0K+j3CUQurXjl9i5SOuHKE/7+a/ pVUQz7KHc/7gPN5rrrfpVi8WWSTwERXjqLLRTD73p7G/zfinEopJgC804oOQOhCind2z V7+KO0jCT4l7LKhyCAZrozttOBISnrxKC8OLas3p82s81jtpxOT0fQZ80wWDdXJ5Sxmp 24ug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=wRTSFlr55ch9LuRQISuy1nxKwJSSQ/4GOUCz44Bq18k=; b=GlVa3iEM3GVLiMQ2NjeRsDY4LrXlJW6MonG3hI6mzNAnCZALJJPVOdrQDKVAcmd8Qf KFBkjeOs5PaMc4gMJ7VCNGNUk5bFKVMcqwWaHO4iYD8E3GshOtI6QHE1bhW7VKu9Cmt/ ZETRQYqKxYl4xOuy7/xqQxhJ4y0MmeAWp6+P3dPAp8EJl1fx7Y3paSSFKXFU0Pw3DR7p KS1vCNZyM/0qr1OKz4GVnqGmjjfSFY6YTrJ4JRGjHvLPySboqLzG7nwLaBwbFsqReTW9 a6BcFD1n3dr6Afi8OjzW7AC+o3jsFcWHSIkIajFdTnp4pe3AX9gu0OCzYmsIZ2Gi31EI yLIQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hg4-20020a1709072cc400b00770d9e664f8si1969324ejc.152.2022.10.25.00.26.31; Tue, 25 Oct 2022 00:26:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231469AbiJYHQr (ORCPT <rfc822;pwkd43@gmail.com> + 99 others); Tue, 25 Oct 2022 03:16:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54430 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229950AbiJYHQo (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Tue, 25 Oct 2022 03:16:44 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 88FA227CC8 for <linux-kernel@vger.kernel.org>; Tue, 25 Oct 2022 00:16:42 -0700 (PDT) Received: from dggpemm500022.china.huawei.com (unknown [172.30.72.54]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4MxNR81GpYzmVK5; Tue, 25 Oct 2022 15:11:48 +0800 (CST) Received: from dggpemm500007.china.huawei.com (7.185.36.183) by dggpemm500022.china.huawei.com (7.185.36.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Tue, 25 Oct 2022 15:16:39 +0800 Received: from huawei.com (10.175.103.91) by dggpemm500007.china.huawei.com (7.185.36.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Tue, 25 Oct 2022 15:16:38 +0800 From: Yang Yingliang <yangyingliang@huawei.com> To: <linux-kernel@vger.kernel.org>, <qemu-devel@nongnu.org>, <linux-f2fs-devel@lists.sourceforge.net>, <linux-erofs@lists.ozlabs.org>, <ocfs2-devel@oss.oracle.com>, <linux-mtd@lists.infradead.org>, <amd-gfx@lists.freedesktop.org> CC: <gregkh@linuxfoundation.org>, <rafael@kernel.org>, <somlo@cmu.edu>, <mst@redhat.com>, <jaegeuk@kernel.org>, <chao@kernel.org>, <hsiangkao@linux.alibaba.com>, <huangjianan@oppo.com>, <mark@fasheh.com>, <jlbec@evilplan.org>, <joseph.qi@linux.alibaba.com>, <akpm@linux-foundation.org>, <alexander.deucher@amd.com>, <luben.tuikov@amd.com>, <richard@nod.at>, <liushixin2@huawei.com>, <yangyingliang@huawei.com> Subject: [PATCH v3] kset: fix memory leak when kset_register() returns error Date: Tue, 25 Oct 2022 15:15:49 +0800 Message-ID: <20221025071549.1280528-1-yangyingliang@huawei.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.175.103.91] X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To dggpemm500007.china.huawei.com (7.185.36.183) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1747643599941903502?= X-GMAIL-MSGID: =?utf-8?q?1747643599941903502?= |
Series |
[v3] kset: fix memory leak when kset_register() returns error
|
|
Commit Message
Yang Yingliang
Oct. 25, 2022, 7:15 a.m. UTC
Inject fault while loading module, kset_register() may fail.
If it fails, the kset.kobj.name allocated by kobject_set_name()
which must be called before a call to kset_register() may be
leaked, since refcount of kobj was set in kset_init().
To mitigate this, we free the name in kset_register() when an
error is encountered, i.e. when kset_register() returns an error.
A kset may be embedded in a larger structure which may be dynamically
allocated in callers, it needs to be freed in ktype.release() or error
path in callers, in this case, we can not call kset_put() in kset_register(),
or it will cause double free, so just call kfree_const() to free the
name and set it to NULL to avoid accessing bad pointer in callers.
With this fix, the callers don't need care about freeing the name
and may call kset_put() if kset_register() fails.
Suggested-by: Luben Tuikov <luben.tuikov@amd.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
v2 -> v3:
Update commit message and comment of kset_register().
v1 -> v2:
Free name inside of kset_register() instead of calling kset_put()
in drivers.
---
lib/kobject.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
Comments
On 2022-10-25 03:15, Yang Yingliang wrote: > Inject fault while loading module, kset_register() may fail. > If it fails, the kset.kobj.name allocated by kobject_set_name() > which must be called before a call to kset_register() may be > leaked, since refcount of kobj was set in kset_init(). Technically, this is saying "If it fails, the kset.kobj.name may be leaked." We want then to clarify that this is "allocated by kobj_set_name() which must be called before a call to kset_register", so that needs to be surrounded by commas (like a literary segue): "If kset_register() fails, the kset.kobj.name allocated by kobject_set_name(), which must be called before a call to kset_register(), may be leaked." I don't feel that the reason for the leak is "refcount of kobj was set in kset_init()". It's a true statement, but not the reason for the leak--the reason for the leak is that no one frees it on the error path. > To mitigate this, we free the name in kset_register() when an > error is encountered, i.e. when kset_register() returns an error. > > A kset may be embedded in a larger structure which may be dynamically > allocated in callers, it needs to be freed in ktype.release() or error "_by_ callers", since it's something they _do_: allocate. > path in callers, in this case, we can not call kset_put() in kset_register(), > or it will cause double free, so just call kfree_const() to free the > name and set it to NULL to avoid accessing bad pointer in callers. That's good. > With this fix, the callers don't need care about freeing the name > and may call kset_put() if kset_register() fails. "don't need to care about freeing the name" --> "don't need to free the name" > Suggested-by: Luben Tuikov <luben.tuikov@amd.com> > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > --- > v2 -> v3: > Update commit message and comment of kset_register(). > > v1 -> v2: > Free name inside of kset_register() instead of calling kset_put() > in drivers. > --- > lib/kobject.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/lib/kobject.c b/lib/kobject.c > index a0b2dbfcfa23..3cd19b9ca5ab 100644 > --- a/lib/kobject.c > +++ b/lib/kobject.c > @@ -834,6 +834,9 @@ EXPORT_SYMBOL_GPL(kobj_sysfs_ops); > /** > * kset_register() - Initialize and add a kset. > * @k: kset. > + * > + * NOTE: On error, the kset.kobj.name allocated by() kobj_set_name() > + * is freed, it can not be used any more. There's no need for "NOTE:"--it's just natural explanation of what's happening, and what's expected in the doc comment to a function. Drop it. "is freed" is correct--that's a good change. With these fixed, this patch is Reviewed-by: <luben.tuikov@amd.com> Regards, Luben > */ > int kset_register(struct kset *k) > { > @@ -844,8 +847,12 @@ int kset_register(struct kset *k) > > kset_init(k); > err = kobject_add_internal(&k->kobj); > - if (err) > + if (err) { > + kfree_const(k->kobj.name); > + /* Set it to NULL to avoid accessing bad pointer in callers. */ > + k->kobj.name = NULL; > return err; > + } > kobject_uevent(&k->kobj, KOBJ_ADD); > return 0; > }
On Tue, Oct 25, 2022 at 03:15:49PM +0800, Yang Yingliang wrote: > Inject fault while loading module, kset_register() may fail. > If it fails, the kset.kobj.name allocated by kobject_set_name() > which must be called before a call to kset_register() may be > leaked, since refcount of kobj was set in kset_init(). > > To mitigate this, we free the name in kset_register() when an > error is encountered, i.e. when kset_register() returns an error. > > A kset may be embedded in a larger structure which may be dynamically > allocated in callers, it needs to be freed in ktype.release() or error > path in callers, in this case, we can not call kset_put() in kset_register(), > or it will cause double free, so just call kfree_const() to free the > name and set it to NULL to avoid accessing bad pointer in callers. > > With this fix, the callers don't need care about freeing the name > and may call kset_put() if kset_register() fails. > > Suggested-by: Luben Tuikov <luben.tuikov@amd.com> > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > --- > v2 -> v3: > Update commit message and comment of kset_register(). > > v1 -> v2: > Free name inside of kset_register() instead of calling kset_put() > in drivers. Thank you for all of this, it's a much nicer and cleaner fix than forcing all callers to try to handle it instead. greg k-h
diff --git a/lib/kobject.c b/lib/kobject.c index a0b2dbfcfa23..3cd19b9ca5ab 100644 --- a/lib/kobject.c +++ b/lib/kobject.c @@ -834,6 +834,9 @@ EXPORT_SYMBOL_GPL(kobj_sysfs_ops); /** * kset_register() - Initialize and add a kset. * @k: kset. + * + * NOTE: On error, the kset.kobj.name allocated by() kobj_set_name() + * is freed, it can not be used any more. */ int kset_register(struct kset *k) { @@ -844,8 +847,12 @@ int kset_register(struct kset *k) kset_init(k); err = kobject_add_internal(&k->kobj); - if (err) + if (err) { + kfree_const(k->kobj.name); + /* Set it to NULL to avoid accessing bad pointer in callers. */ + k->kobj.name = NULL; return err; + } kobject_uevent(&k->kobj, KOBJ_ADD); return 0; }