* [PATCH][next] vpda: Fix memory leaks of msg on error return paths
@ 2021-01-22 14:52 ` Colin King
  0 siblings, 0 replies; 5+ messages in thread
From: Colin King @ 2021-01-22 14:52 UTC (permalink / raw)
  To: Michael S . Tsirkin, Jason Wang, Parav Pandit, Eli Cohen, virtualization
  Cc: kernel-janitors, linux-kernel

From: Colin Ian King <colin.king@canonical.com>

There are two error return paths that neglect to free the allocated
object msg that lead to memory leaks. Fix this by adding an error
exit path that frees msg.

Addresses-Coverity: ("Resource leak")
Fixes: 39502d042a70 ("vdpa: Enable user to query vdpa device info")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/vdpa/vdpa.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index 9700a0adcca0..eb1f5a514103 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -540,13 +540,15 @@ static int vdpa_nl_cmd_dev_get_doit(struct sk_buff *skb, struct genl_info *info)
 	if (!dev) {
 		mutex_unlock(&vdpa_dev_mutex);
 		NL_SET_ERR_MSG_MOD(info->extack, "device not found");
-		return -ENODEV;
+		err = -ENODEV;
+		goto err;
 	}
 	vdev = container_of(dev, struct vdpa_device, dev);
 	if (!vdev->mdev) {
 		mutex_unlock(&vdpa_dev_mutex);
 		put_device(dev);
-		return -EINVAL;
+		err = -EINVAL;
+		goto err;
 	}
 	err = vdpa_dev_fill(vdev, msg, info->snd_portid, info->snd_seq, 0, info->extack);
 	if (!err)
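Review bot: In the `!vdev->mdev` branch the new `err = -EINVAL; goto err;` path still sets no extack message, while the `!dev` branch above reports "device not found" through NL_SET_ERR_MSG_MOD(); adding one would let user space tell why the query failed. Both branches also keep their own mutex_unlock() and put_device() calls before the jump, so the label only shares the nlmsg_free(); staged labels that also unwind the lock and the device reference would remove that duplication.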
@@ -554,6 +556,7 @@ static int vdpa_nl_cmd_dev_get_doit(struct sk_buff *skb, struct genl_info *info)
 	put_device(dev);
 	mutex_unlock(&vdpa_dev_mutex);
 
+err:
 	if (err)
 		nlmsg_free(msg);
 	return err;
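Review bot: The `if (err) nlmsg_free(msg);` under the new label is shared with the fall-through path, where err is assigned by the call made under `if (!err)` at the end of the previous hunk; if that call releases msg itself when it fails, this free runs a second time on the same buffer, so the free should be limited to paths where the function still owns msg. Separately, the label `err:` has the same name as the variable `err` tested on the next line; C allows it because labels have their own namespace, but a distinct label name would read more clearly.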
-- 
2.29.2



* Re: [PATCH][next] vpda: Fix memory leaks of msg on error return paths
  2021-01-22 14:52 ` Colin King
  (?)
@ 2021-01-25 10:21   ` Stefano Garzarella
  -1 siblings, 0 replies; 5+ messages in thread
From: Stefano Garzarella @ 2021-01-25 10:21 UTC (permalink / raw)
  To: Colin King
  Cc: Michael S . Tsirkin, Jason Wang, Parav Pandit, Eli Cohen,
	virtualization, kernel-janitors, linux-kernel

On Fri, Jan 22, 2021 at 02:52:35PM +0000, Colin King wrote:
>From: Colin Ian King <colin.king@canonical.com>
>
>There are two error return paths that neglect to free the allocated
>object msg that lead to memory leaks. Fix this by adding an error
>exit path that frees msg.
>
>Addresses-Coverity: ("Resource leak")
>Fixes: 39502d042a70 ("vdpa: Enable user to query vdpa device info")
>Signed-off-by: Colin Ian King <colin.king@canonical.com>
>---
> drivers/vdpa/vdpa.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
>diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
>index 9700a0adcca0..eb1f5a514103 100644
>--- a/drivers/vdpa/vdpa.c
>+++ b/drivers/vdpa/vdpa.c
>@@ -540,13 +540,15 @@ static int vdpa_nl_cmd_dev_get_doit(struct sk_buff *skb, struct genl_info *info)
> 	if (!dev) {
> 		mutex_unlock(&vdpa_dev_mutex);
> 		NL_SET_ERR_MSG_MOD(info->extack, "device not found");
>-		return -ENODEV;
>+		err = -ENODEV;
>+		goto err;
> 	}
> 	vdev = container_of(dev, struct vdpa_device, dev);
> 	if (!vdev->mdev) {
> 		mutex_unlock(&vdpa_dev_mutex);
> 		put_device(dev);
>-		return -EINVAL;
>+		err = -EINVAL;
>+		goto err;
> 	}
> 	err = vdpa_dev_fill(vdev, msg, info->snd_portid, info->snd_seq, 0, info->extack);
> 	if (!err)
>@@ -554,6 +556,7 @@ static int vdpa_nl_cmd_dev_get_doit(struct sk_buff *skb, struct genl_info *info)
> 	put_device(dev);
> 	mutex_unlock(&vdpa_dev_mutex);
>
>+err:
> 	if (err)
> 		nlmsg_free(msg);
> 	return err;

The patch looks okay, but reviewing it I figured out that if
genlmsg_reply() returns an error, it also frees the sk_buff passed, so
IIUC calling nlmsg_free() when genlmsg_reply() fails should cause a
double free.

Maybe we should do something like this (not tested):

diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index 9700a0adcca0..920afcb4aa75 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -538,24 +538,29 @@ static int vdpa_nl_cmd_dev_get_doit(struct sk_buff *skb, struct genl_info *info)
         mutex_lock(&vdpa_dev_mutex);
         dev = bus_find_device(&vdpa_bus, NULL, devname, vdpa_name_match);
         if (!dev) {
-               mutex_unlock(&vdpa_dev_mutex);
                 NL_SET_ERR_MSG_MOD(info->extack, "device not found");
-               return -ENODEV;
+               err= -ENODEV;
+               goto err_msg;
         }
         vdev = container_of(dev, struct vdpa_device, dev);
         if (!vdev->mdev) {
-               mutex_unlock(&vdpa_dev_mutex);
-               put_device(dev);
-               return -EINVAL;
+               err = -EINVAL;
+               goto err_dev;
         }
         err = vdpa_dev_fill(vdev, msg, info->snd_portid, info->snd_seq, 0, info->extack);
-       if (!err)
-               err = genlmsg_reply(msg, info);
+       if (err)
+               goto err_dev;
+
         put_device(dev);
         mutex_unlock(&vdpa_dev_mutex);
  
-       if (err)
-               nlmsg_free(msg);
+       return genlmsg_reply(msg, info);
+
+err_dev:
+       put_device(dev);
+err_msg:
+       mutex_unlock(&vdpa_dev_mutex);
+       nlmsg_free(msg);
         return err;
  }
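Review bot: `return genlmsg_reply(msg, info);` now runs after put_device(dev) and mutex_unlock(&vdpa_dev_mutex), whereas the removed lines called it before both; the commit message should say that sending the reply outside the lock is intended. In the `!dev` branch, `err= -ENODEV;` needs a space before `=`, and the `!vdev->mdev` branch still returns -EINVAL without an extack message.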
  

Thanks,
Stefano
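
A user-space model of the ownership issue raised in the reply above, added here as an example; it is not part of the thread or of the kernel source. `send_reply()` stands in for a callee that releases the buffer itself when it fails (the behaviour the reply attributes to genlmsg_reply()), and every name in it is hypothetical.

```c
/* Hypothetical reply buffer: counts releases, so a second one is visible. */
struct msg { int releases; };

static void msg_release(struct msg *m) { m->releases++; }

/* Models a callee that owns m: on failure it releases m itself. */
static int send_reply(struct msg *m, int fail)
{
	if (fail)
		msg_release(m);
	return fail ? -1 : 0;
}

/* Shared exit: any nonzero err releases m, even one from send_reply(). */
static int handler_shared_free(struct msg *m, int fill_err, int send_fail)
{
	int err = fill_err;
	if (!err)
		err = send_reply(m, send_fail);
	if (err)
		msg_release(m);
	return err;
}

/* Staged exit: m is released only on paths where the handler still owns it. */
static int handler_staged(struct msg *m, int fill_err, int send_fail)
{
	if (fill_err)
		goto err_msg;
	return send_reply(m, send_fail);
err_msg:
	msg_release(m);
	return fill_err;
}

/* Runs one handler on a fresh buffer and returns how often it was released. */
static int releases_after(int (*h)(struct msg *, int, int), int fill_err, int send_fail)
{
	struct msg m = { 0 };
	h(&m, fill_err, send_fail);
	return m.releases;
}

int main(void)
{
	/* Send failure: the shared exit releases twice, the staged exit once. */
	return !(releases_after(handler_shared_free, 0, 1) == 2 &&
		 releases_after(handler_staged, 0, 1) == 1);
}
```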

