From patchwork Wed Jun 7 20:17:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 104716 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp496577vqr; Wed, 7 Jun 2023 14:37:29 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7PcFO653T+KX1gK1PbOl+t4TKcHA/FOky5IYNDkJIy8ZN1JP7LWN5vSQkeORoo7JJ3/8An X-Received: by 2002:a17:903:248:b0:1ad:f7d9:1ae2 with SMTP id j8-20020a170903024800b001adf7d91ae2mr3690248plh.55.1686173848870; Wed, 07 Jun 2023 14:37:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1686173848; cv=none; d=google.com; s=arc-20160816; b=sdTicVcmi6D0lNmbSITBd/ozCI5QXBLZqS8LnsO1QsjMJTOYn7fMSPtR1MDFs0TiU0 HtWy0ItRMnoT40CZg3e6cWW00ylnKce8/4jcJTAKQfo0MXQuc5w+xyj8nQoBbTuxYQqr nh//gUYj1G1ZlgROONuCKwx+SnQR7PRGbb5msBjqqAJwlE1Amsnmx683Mx9wCB6bNtHM SRWVtr33sIFLFb1Dne0W0tcJr7c15VANPVijxj8lDncM+vhASOydT5GOchGIUk5N7Apg zAyPqsPXJ2yZMRwEcEmV6w7iCVbVUo1CNOmt7HAMBLL5EWfSsMx/uBDTNuTqEazelIEx UW8g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=oO2siPxIHZHtG2vQEKv6P7N+829kp2grR9QYfPndDWA=; b=xVPOOVrM/Y1tAdKAEU39aNJJLDG9Kg72HgdO67LWJGnLDPy7ai3jsL8d/jAIJdj5zg CJ+ZNWtKtpCJ2jYTG6NPCXU0MTO+2DlTFCW02AzQ86ok7sRW12CGumGAQWAXAJ2+4whY 9Ua3BGvmTPxHTpprc8c2YJJ2IGpXExsJ6Qz+3T2skyemf1FbpXSsmwkyB4uTJY0J+DJ5 v1W7hSbgB8oxCn0Zl+wYWLo5l7UR777yYyiE4K9UKCPTZURcDvU2mtDS4hhxMKVpGbO7 5mcRlfZbKL9f6cDYzppSw9vncWX8/BMZoHtarb8uJOEnyFfY7/MSeyKXVTwNoOuCaZwN FJaw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="uE3QizK/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n18-20020a170902d2d200b0019f33cb669asi9749296plc.615.2023.06.07.14.37.04; Wed, 07 Jun 2023 14:37:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="uE3QizK/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235224AbjFGUvt (ORCPT + 99 others); Wed, 7 Jun 2023 16:51:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52814 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235207AbjFGUvj (ORCPT ); Wed, 7 Jun 2023 16:51:39 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 375DA2688; Wed, 7 Jun 2023 13:51:25 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 179B363188; Wed, 7 Jun 2023 20:51:25 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F3B0AC433D2; Wed, 7 Jun 2023 20:51:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1686171084; bh=Dl4DDEJCwWXOnm/5mNrAnRjprwk0cp43lsOU4uP0rqE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uE3QizK/cbS/nz4yXUaWvFJOCIBFgtZuzf1F6DqwYaJ7vJePXi+lVxXo0NCSCmWUx t/CZbw8MbigZzaVhSnz9LEcULx2Stg+qs9yPztmers7eY2CX5SERl3YTApV3/7ivga EPMAte8MzG9I6zAxiILeKePFQK3yTQEZersNb8bM= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Mirsad Goran Todorovac , Dan Carpenter , Takashi Iwai , Luis Chamberlain , Russ Weight , Tianfei zhang , Christophe JAILLET , Zhengchao Shao , Colin Ian King , linux-kernel@vger.kernel.org, Kees Cook , Scott Branden , linux-kselftest@vger.kernel.org Subject: [PATCH 5.10 105/120] test_firmware: fix the memory leak of the allocated firmware buffer Date: Wed, 7 Jun 2023 22:17:01 +0200 Message-ID: <20230607200904.227581241@linuxfoundation.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230607200900.915613242@linuxfoundation.org> References: <20230607200900.915613242@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1768081429921225548?= X-GMAIL-MSGID: =?utf-8?q?1768081429921225548?= From: Mirsad Goran Todorovac commit 48e156023059e57a8fc68b498439832f7600ffff upstream. The following kernel memory leak was noticed after running tools/testing/selftests/firmware/fw_run_tests.sh: [root@pc-mtodorov firmware]# cat /sys/kernel/debug/kmemleak . . . unreferenced object 0xffff955389bc3400 (size 1024): comm "test_firmware-0", pid 5451, jiffies 4294944822 (age 65.652s) hex dump (first 32 bytes): 47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567.......... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] slab_post_alloc_hook+0x8c/0x3c0 [] __kmem_cache_alloc_node+0x184/0x240 [] kmalloc_trace+0x2e/0xc0 [] test_fw_run_batch_request+0x9d/0x180 [] kthread+0x10b/0x140 [] ret_from_fork+0x29/0x50 unreferenced object 0xffff9553c334b400 (size 1024): comm "test_firmware-1", pid 5452, jiffies 4294944822 (age 65.652s) hex dump (first 32 bytes): 47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567.......... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] slab_post_alloc_hook+0x8c/0x3c0 [] __kmem_cache_alloc_node+0x184/0x240 [] kmalloc_trace+0x2e/0xc0 [] test_fw_run_batch_request+0x9d/0x180 [] kthread+0x10b/0x140 [] ret_from_fork+0x29/0x50 unreferenced object 0xffff9553c334f000 (size 1024): comm "test_firmware-2", pid 5453, jiffies 4294944822 (age 65.652s) hex dump (first 32 bytes): 47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567.......... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] slab_post_alloc_hook+0x8c/0x3c0 [] __kmem_cache_alloc_node+0x184/0x240 [] kmalloc_trace+0x2e/0xc0 [] test_fw_run_batch_request+0x9d/0x180 [] kthread+0x10b/0x140 [] ret_from_fork+0x29/0x50 unreferenced object 0xffff9553c3348400 (size 1024): comm "test_firmware-3", pid 5454, jiffies 4294944822 (age 65.652s) hex dump (first 32 bytes): 47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567.......... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] slab_post_alloc_hook+0x8c/0x3c0 [] __kmem_cache_alloc_node+0x184/0x240 [] kmalloc_trace+0x2e/0xc0 [] test_fw_run_batch_request+0x9d/0x180 [] kthread+0x10b/0x140 [] ret_from_fork+0x29/0x50 [root@pc-mtodorov firmware]# Note that the size 1024 corresponds to the size of the test firmware buffer. The actual number of the buffers leaked is around 70-110, depending on the test run. The cause of the leak is the following: request_partial_firmware_into_buf() and request_firmware_into_buf() provided firmware buffer isn't released on release_firmware(), we have allocated it and we are responsible for deallocating it manually. This is introduced in a number of context where previously only release_firmware() was called, which was insufficient. Reported-by: Mirsad Goran Todorovac Fixes: 7feebfa487b92 ("test_firmware: add support for request_firmware_into_buf") Cc: Greg Kroah-Hartman Cc: Dan Carpenter Cc: Takashi Iwai Cc: Luis Chamberlain Cc: Russ Weight Cc: Tianfei zhang Cc: Christophe JAILLET Cc: Zhengchao Shao Cc: Colin Ian King Cc: linux-kernel@vger.kernel.org Cc: Kees Cook Cc: Scott Branden Cc: Luis R. Rodriguez Cc: linux-kselftest@vger.kernel.org Cc: stable@vger.kernel.org # v5.4 Signed-off-by: Mirsad Goran Todorovac Link: https://lore.kernel.org/r/20230509084746.48259-3-mirsad.todorovac@alu.unizg.hr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman --- lib/test_firmware.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) --- a/lib/test_firmware.c +++ b/lib/test_firmware.c @@ -41,6 +41,7 @@ struct test_batched_req { bool sent; const struct firmware *fw; const char *name; + const char *fw_buf; struct completion completion; struct task_struct *task; struct device *dev; @@ -143,8 +144,14 @@ static void __test_release_all_firmware( for (i = 0; i < test_fw_config->num_requests; i++) { req = &test_fw_config->reqs[i]; - if (req->fw) + if (req->fw) { + if (req->fw_buf) { + kfree_const(req->fw_buf); + req->fw_buf = NULL; + } release_firmware(req->fw); + req->fw = NULL; + } } vfree(test_fw_config->reqs); @@ -589,6 +596,8 @@ static ssize_t trigger_request_store(str mutex_lock(&test_fw_mutex); release_firmware(test_firmware); + if (test_fw_config->reqs) + __test_release_all_firmware(); test_firmware = NULL; rc = request_firmware(&test_firmware, name, dev); if (rc) { @@ -689,6 +698,8 @@ static ssize_t trigger_async_request_sto mutex_lock(&test_fw_mutex); release_firmware(test_firmware); test_firmware = NULL; + if (test_fw_config->reqs) + __test_release_all_firmware(); rc = request_firmware_nowait(THIS_MODULE, 1, name, dev, GFP_KERNEL, NULL, trigger_async_request_cb); if (rc) { @@ -731,6 +742,8 @@ static ssize_t trigger_custom_fallback_s mutex_lock(&test_fw_mutex); release_firmware(test_firmware); + if (test_fw_config->reqs) + __test_release_all_firmware(); test_firmware = NULL; rc = request_firmware_nowait(THIS_MODULE, FW_ACTION_NOHOTPLUG, name, dev, GFP_KERNEL, NULL, @@ -793,6 +806,8 @@ static int test_fw_run_batch_request(voi test_fw_config->buf_size); if (!req->fw) kfree(test_buf); + else + req->fw_buf = test_buf; } else { req->rc = test_fw_config->req_firmware(&req->fw, req->name, @@ -848,6 +863,7 @@ static ssize_t trigger_batched_requests_ req->fw = NULL; req->idx = i; req->name = test_fw_config->name; + req->fw_buf = NULL; req->dev = dev; init_completion(&req->completion); req->task = kthread_run(test_fw_run_batch_request, req, @@ -947,6 +963,7 @@ ssize_t trigger_batched_requests_async_s for (i = 0; i < test_fw_config->num_requests; i++) { req = &test_fw_config->reqs[i]; req->name = test_fw_config->name; + req->fw_buf = NULL; req->fw = NULL; req->idx = i; init_completion(&req->completion);