Joseph Qi
2022-Oct-19 02:26 UTC
[Ocfs2-devel] [PATCH] ocfs2: possible memory leak in mlog_sys_init()
On 10/18/22 10:28 PM, Yang Yingliang wrote:> > On 2022/10/18 21:39, Joseph Qi wrote: >> >> On 10/18/22 6:33 PM, Yang Yingliang wrote: >>> Hi, >>> >>> On 2022/10/18 17:02, Joseph Qi wrote: >>>> Hi, >>>> >>>> On 10/18/22 3:52 PM, Yang Yingliang wrote: >>>>> Inject fault while probing module, kset_register() may fail, >>>>> if it fails, but the refcount of kobject is not decreased to >>>>> 0, the name allocated in kobject_set_name() is leaked. Fix >>>>> this by calling kset_put(), so that name can be freed in >>>>> callback function kobject_cleanup(). >>>>> >>>>> unreferenced object 0xffff888100da9348 (size 8): >>>>> ??? comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s) >>>>> ??? hex dump (first 8 bytes): >>>>> ????? 6c 6f 67 6d 61 73 6b 00????????????????????????? logmask. >>>>> ??? backtrace: >>>>> ????? [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0 >>>>> ????? [<000000007c491a9e>] kstrdup+0x3a/0x70 >>>>> ????? [<0000000015719a3b>] kstrdup_const+0x63/0x80 >>>>> ????? [<0000000084e458ea>] kvasprintf_const+0x149/0x180 >>>>> ????? [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150 >>>>> ????? [<000000005f48eeac>] kobject_set_name+0xab/0xe0 >>>>> >>>>> Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset") >>>>> Signed-off-by: Yang Yingliang <yangyingliang at huawei.com> >>>>> --- >>>>> ?? fs/ocfs2/cluster/masklog.c | 7 ++++++- >>>>> ?? 1 file changed, 6 insertions(+), 1 deletion(-) >>>>> >>>>> diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c >>>>> index 563881ddbf00..7f9ba816d955 100644 >>>>> --- a/fs/ocfs2/cluster/masklog.c >>>>> +++ b/fs/ocfs2/cluster/masklog.c >>>>> @@ -156,6 +156,7 @@ static struct kset mlog_kset = { >>>>> ?? int mlog_sys_init(struct kset *o2cb_kset) >>>>> ?? { >>>>> ?????? int i = 0; >>>>> +??? int ret; >>>>> ?? ????? while (mlog_attrs[i].attr.mode) { >>>>> ?????????? mlog_default_attrs[i] = &mlog_attrs[i].attr; >>>>> @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset) >>>>> ?? ????? kobject_set_name(&mlog_kset.kobj, "logmask"); >>>>> ?????? mlog_kset.kobj.kset = o2cb_kset; >>>>> -??? return kset_register(&mlog_kset); >>>>> +??? ret = kset_register(&mlog_kset); >>>> If register fails, it will call unregister in o2cb_sys_init(), which >>>> will put kobject. >>> They are different ksets, the kset unregistered in o2cb_sys_init() is 'o2cb_kset', the >>> kset used to registered in mlog_sys_init() is 'mlog_kset', and they hold difference >>> refcounts. >>> Yes, you are right. I've mixed the two ksets up. >> In theory, kset_register() may return error because of a NULL kset, so >> here we may not call kset_put() directly, I'm not sure if a static >> checker will happy. >> Though this can't happen since it's already statically allocated... > kset_register() may fail if kobject_add_internal() return error (can't allocate memory), the name > "logmask" is dynamically alloctated while ocfs2 is compile as module and insert it (if ocfs2 is > built in kernel, the name is constant, it won't cause a leak), so the name can be leaked.What I mean is kset_register() may fail with many reasons, or even without kset_init(). I wonder if we have to handle this internal kset_register(), but not leave it to caller. This may benefit other callers as well. Something like: err = kobject_add_internal(&k->kobj); if (err) { kset_put(k); return err; } Thanks, Joseph
Yang Yingliang
2022-Oct-19 02:57 UTC
[Ocfs2-devel] [PATCH] ocfs2: possible memory leak in mlog_sys_init()
On 2022/10/19 10:26, Joseph Qi wrote:> > On 10/18/22 10:28 PM, Yang Yingliang wrote: >> On 2022/10/18 21:39, Joseph Qi wrote: >>> On 10/18/22 6:33 PM, Yang Yingliang wrote: >>>> Hi, >>>> >>>> On 2022/10/18 17:02, Joseph Qi wrote: >>>>> Hi, >>>>> >>>>> On 10/18/22 3:52 PM, Yang Yingliang wrote: >>>>>> Inject fault while probing module, kset_register() may fail, >>>>>> if it fails, but the refcount of kobject is not decreased to >>>>>> 0, the name allocated in kobject_set_name() is leaked. Fix >>>>>> this by calling kset_put(), so that name can be freed in >>>>>> callback function kobject_cleanup(). >>>>>> >>>>>> unreferenced object 0xffff888100da9348 (size 8): >>>>>> ??? comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s) >>>>>> ??? hex dump (first 8 bytes): >>>>>> ????? 6c 6f 67 6d 61 73 6b 00????????????????????????? logmask. >>>>>> ??? backtrace: >>>>>> ????? [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0 >>>>>> ????? [<000000007c491a9e>] kstrdup+0x3a/0x70 >>>>>> ????? [<0000000015719a3b>] kstrdup_const+0x63/0x80 >>>>>> ????? [<0000000084e458ea>] kvasprintf_const+0x149/0x180 >>>>>> ????? [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150 >>>>>> ????? [<000000005f48eeac>] kobject_set_name+0xab/0xe0 >>>>>> >>>>>> Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset") >>>>>> Signed-off-by: Yang Yingliang <yangyingliang at huawei.com> >>>>>> --- >>>>>> ?? fs/ocfs2/cluster/masklog.c | 7 ++++++- >>>>>> ?? 1 file changed, 6 insertions(+), 1 deletion(-) >>>>>> >>>>>> diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c >>>>>> index 563881ddbf00..7f9ba816d955 100644 >>>>>> --- a/fs/ocfs2/cluster/masklog.c >>>>>> +++ b/fs/ocfs2/cluster/masklog.c >>>>>> @@ -156,6 +156,7 @@ static struct kset mlog_kset = { >>>>>> ?? int mlog_sys_init(struct kset *o2cb_kset) >>>>>> ?? { >>>>>> ?????? int i = 0; >>>>>> +??? int ret; >>>>>> ?? ????? while (mlog_attrs[i].attr.mode) { >>>>>> ?????????? mlog_default_attrs[i] = &mlog_attrs[i].attr; >>>>>> @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset) >>>>>> ?? ????? kobject_set_name(&mlog_kset.kobj, "logmask"); >>>>>> ?????? mlog_kset.kobj.kset = o2cb_kset; >>>>>> -??? return kset_register(&mlog_kset); >>>>>> +??? ret = kset_register(&mlog_kset); >>>>> If register fails, it will call unregister in o2cb_sys_init(), which >>>>> will put kobject. >>>> They are different ksets, the kset unregistered in o2cb_sys_init() is 'o2cb_kset', the >>>> kset used to registered in mlog_sys_init() is 'mlog_kset', and they hold difference >>>> refcounts. >>>> Yes, you are right. I've mixed the two ksets up. >>> In theory, kset_register() may return error because of a NULL kset, so >>> here we may not call kset_put() directly, I'm not sure if a static >>> checker will happy. >>> Though this can't happen since it's already statically allocated... >> kset_register() may fail if kobject_add_internal() return error (can't allocate memory), the name >> "logmask" is dynamically alloctated while ocfs2 is compile as module and insert it (if ocfs2 is >> built in kernel, the name is constant, it won't cause a leak), so the name can be leaked. > What I mean is kset_register() may fail with many reasons, or even > without kset_init(). > I wonder if we have to handle this internal kset_register(), but not > leave it to caller. This may benefit other callers as well. > > Something like: > err = kobject_add_internal(&k->kobj); > if (err) { > kset_put(k); > return err; > }I had think about this method to fix this, but some kset is allocated dynamically in driver and it's freed in callback function which is called after kset_put() and in error path in driver will free it again, it leads double free in some drivers. I think kset_register() is similar with device_register(), if it fails need another put function to give up reference in driver. Thanks, Yang> > Thanks, > Joseph > > .