Yang Yingliang
2022-Oct-18 10:33 UTC
[Ocfs2-devel] [PATCH] ocfs2: possible memory leak in mlog_sys_init()
Hi, On 2022/10/18 17:02, Joseph Qi wrote:> Hi, > > On 10/18/22 3:52 PM, Yang Yingliang wrote: >> Inject fault while probing module, kset_register() may fail, >> if it fails, but the refcount of kobject is not decreased to >> 0, the name allocated in kobject_set_name() is leaked. Fix >> this by calling kset_put(), so that name can be freed in >> callback function kobject_cleanup(). >> >> unreferenced object 0xffff888100da9348 (size 8): >> comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s) >> hex dump (first 8 bytes): >> 6c 6f 67 6d 61 73 6b 00 logmask. >> backtrace: >> [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0 >> [<000000007c491a9e>] kstrdup+0x3a/0x70 >> [<0000000015719a3b>] kstrdup_const+0x63/0x80 >> [<0000000084e458ea>] kvasprintf_const+0x149/0x180 >> [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150 >> [<000000005f48eeac>] kobject_set_name+0xab/0xe0 >> >> Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset") >> Signed-off-by: Yang Yingliang <yangyingliang at huawei.com> >> --- >> fs/ocfs2/cluster/masklog.c | 7 ++++++- >> 1 file changed, 6 insertions(+), 1 deletion(-) >> >> diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c >> index 563881ddbf00..7f9ba816d955 100644 >> --- a/fs/ocfs2/cluster/masklog.c >> +++ b/fs/ocfs2/cluster/masklog.c >> @@ -156,6 +156,7 @@ static struct kset mlog_kset = { >> int mlog_sys_init(struct kset *o2cb_kset) >> { >> int i = 0; >> + int ret; >> >> while (mlog_attrs[i].attr.mode) { >> mlog_default_attrs[i] = &mlog_attrs[i].attr; >> @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset) >> >> kobject_set_name(&mlog_kset.kobj, "logmask"); >> mlog_kset.kobj.kset = o2cb_kset; >> - return kset_register(&mlog_kset); >> + ret = kset_register(&mlog_kset); > If register fails, it will call unregister in o2cb_sys_init(), which > will put kobject.They are different ksets, the kset unregistered in o2cb_sys_init() is 'o2cb_kset', the kset used to registered in mlog_sys_init() is 'mlog_kset', and they hold difference refcounts. Thanks, Yang> > Thanks, > Joseph > >> + if (ret) >> + kset_put(&mlog_kset); >> + >> + return ret; >> } >> >> void mlog_sys_shutdown(void) > .
Joseph Qi
2022-Oct-18 13:39 UTC
[Ocfs2-devel] [PATCH] ocfs2: possible memory leak in mlog_sys_init()
On 10/18/22 6:33 PM, Yang Yingliang wrote:> Hi, > > On 2022/10/18 17:02, Joseph Qi wrote: >> Hi, >> >> On 10/18/22 3:52 PM, Yang Yingliang wrote: >>> Inject fault while probing module, kset_register() may fail, >>> if it fails, but the refcount of kobject is not decreased to >>> 0, the name allocated in kobject_set_name() is leaked. Fix >>> this by calling kset_put(), so that name can be freed in >>> callback function kobject_cleanup(). >>> >>> unreferenced object 0xffff888100da9348 (size 8): >>> ?? comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s) >>> ?? hex dump (first 8 bytes): >>> ???? 6c 6f 67 6d 61 73 6b 00????????????????????????? logmask. >>> ?? backtrace: >>> ???? [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0 >>> ???? [<000000007c491a9e>] kstrdup+0x3a/0x70 >>> ???? [<0000000015719a3b>] kstrdup_const+0x63/0x80 >>> ???? [<0000000084e458ea>] kvasprintf_const+0x149/0x180 >>> ???? [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150 >>> ???? [<000000005f48eeac>] kobject_set_name+0xab/0xe0 >>> >>> Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset") >>> Signed-off-by: Yang Yingliang <yangyingliang at huawei.com> >>> --- >>> ? fs/ocfs2/cluster/masklog.c | 7 ++++++- >>> ? 1 file changed, 6 insertions(+), 1 deletion(-) >>> >>> diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c >>> index 563881ddbf00..7f9ba816d955 100644 >>> --- a/fs/ocfs2/cluster/masklog.c >>> +++ b/fs/ocfs2/cluster/masklog.c >>> @@ -156,6 +156,7 @@ static struct kset mlog_kset = { >>> ? int mlog_sys_init(struct kset *o2cb_kset) >>> ? { >>> ????? int i = 0; >>> +??? int ret; >>> ? ????? while (mlog_attrs[i].attr.mode) { >>> ????????? mlog_default_attrs[i] = &mlog_attrs[i].attr; >>> @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset) >>> ? ????? kobject_set_name(&mlog_kset.kobj, "logmask"); >>> ????? mlog_kset.kobj.kset = o2cb_kset; >>> -??? return kset_register(&mlog_kset); >>> +??? ret = kset_register(&mlog_kset); >> If register fails, it will call unregister in o2cb_sys_init(), which >> will put kobject. > They are different ksets, the kset unregistered in o2cb_sys_init() is 'o2cb_kset', the > kset used to registered in mlog_sys_init() is 'mlog_kset', and they hold difference > refcounts. > Yes, you are right. I've mixed the two ksets up.In theory, kset_register() may return error because of a NULL kset, so here we may not call kset_put() directly, I'm not sure if a static checker will happy. Though this can't happen since it's already statically allocated... Thanks, Joseph