All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] rbd: fix possible memory leak in rbd_sysfs_init()
@ 2022-10-27  9:19 Yang Yingliang
  2022-10-27 12:12 ` Alex Elder
  2022-10-27 13:15 ` Jens Axboe
  0 siblings, 2 replies; 3+ messages in thread
From: Yang Yingliang @ 2022-10-27  9:19 UTC (permalink / raw)
  To: ceph-devel, linux-block
  Cc: idryomov, dongsheng.yang, axboe, yehuda, yangyingliang

If device_register() returns error in rbd_sysfs_init(), name of kobject
which is allocated in dev_set_name() called in device_add() is leaked.

As comment of device_add() says, it should call put_device() to drop
the reference count that was set in device_initialize() when it fails,
so the name can be freed in kobject_cleanup().

Fault injection test can trigger this problem:

unreferenced object 0xffff88810173aa78 (size 8):
  comm "modprobe", pid 247, jiffies 4294714278 (age 31.789s)
  hex dump (first 8 bytes):
    72 62 64 00 81 88 ff ff                          rbd.....
  backtrace:
    [<00000000f58fae56>] __kmalloc_node_track_caller+0x44/0x1b0
    [<00000000bdd44fe7>] kstrdup+0x3a/0x70
    [<00000000f7844d0b>] kstrdup_const+0x63/0x80
    [<000000001b0a0eeb>] kvasprintf_const+0x10b/0x190
    [<00000000a47bd894>] kobject_set_name_vargs+0x56/0x150
    [<00000000d5edbf18>] dev_set_name+0xab/0xe0
    [<00000000f5153e80>] device_add+0x106/0x1f20

Fixes: dfc5606dc513 ("rbd: replace the rbd sysfs interface")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/block/rbd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index f9e39301c4af..04453f4a319c 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -7222,8 +7222,10 @@ static int __init rbd_sysfs_init(void)
 	int ret;
 
 	ret = device_register(&rbd_root_dev);
-	if (ret < 0)
+	if (ret < 0) {
+		put_device(&rbd_root_dev);
 		return ret;
+	}
 
 	ret = bus_register(&rbd_bus_type);
 	if (ret < 0)
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] rbd: fix possible memory leak in rbd_sysfs_init()
  2022-10-27  9:19 [PATCH] rbd: fix possible memory leak in rbd_sysfs_init() Yang Yingliang
@ 2022-10-27 12:12 ` Alex Elder
  2022-10-27 13:15 ` Jens Axboe
  1 sibling, 0 replies; 3+ messages in thread
From: Alex Elder @ 2022-10-27 12:12 UTC (permalink / raw)
  To: Yang Yingliang, ceph-devel, linux-block
  Cc: idryomov, dongsheng.yang, axboe, yehuda

On 10/27/22 4:19 AM, Yang Yingliang wrote:
> If device_register() returns error in rbd_sysfs_init(), name of kobject
> which is allocated in dev_set_name() called in device_add() is leaked.
> 
> As comment of device_add() says, it should call put_device() to drop
> the reference count that was set in device_initialize() when it fails,
> so the name can be freed in kobject_cleanup().
> 
> Fault injection test can trigger this problem:
> 
> unreferenced object 0xffff88810173aa78 (size 8):
>    comm "modprobe", pid 247, jiffies 4294714278 (age 31.789s)
>    hex dump (first 8 bytes):
>      72 62 64 00 81 88 ff ff                          rbd.....
>    backtrace:
>      [<00000000f58fae56>] __kmalloc_node_track_caller+0x44/0x1b0
>      [<00000000bdd44fe7>] kstrdup+0x3a/0x70
>      [<00000000f7844d0b>] kstrdup_const+0x63/0x80
>      [<000000001b0a0eeb>] kvasprintf_const+0x10b/0x190
>      [<00000000a47bd894>] kobject_set_name_vargs+0x56/0x150
>      [<00000000d5edbf18>] dev_set_name+0xab/0xe0
>      [<00000000f5153e80>] device_add+0x106/0x1f20
> 
> Fixes: dfc5606dc513 ("rbd: replace the rbd sysfs interface")
> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

This looks right to me.

Reviewed-by: Alex Elder <elder@linaro.org>

> ---
>   drivers/block/rbd.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
> index f9e39301c4af..04453f4a319c 100644
> --- a/drivers/block/rbd.c
> +++ b/drivers/block/rbd.c
> @@ -7222,8 +7222,10 @@ static int __init rbd_sysfs_init(void)
>   	int ret;
>   
>   	ret = device_register(&rbd_root_dev);
> -	if (ret < 0)
> +	if (ret < 0) {
> +		put_device(&rbd_root_dev);
>   		return ret;
> +	}
>   
>   	ret = bus_register(&rbd_bus_type);
>   	if (ret < 0)


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] rbd: fix possible memory leak in rbd_sysfs_init()
  2022-10-27  9:19 [PATCH] rbd: fix possible memory leak in rbd_sysfs_init() Yang Yingliang
  2022-10-27 12:12 ` Alex Elder
@ 2022-10-27 13:15 ` Jens Axboe
  1 sibling, 0 replies; 3+ messages in thread
From: Jens Axboe @ 2022-10-27 13:15 UTC (permalink / raw)
  To: ceph-devel, Yang Yingliang, linux-block; +Cc: yehuda, idryomov, dongsheng.yang

On Thu, 27 Oct 2022 17:19:18 +0800, Yang Yingliang wrote:
> If device_register() returns error in rbd_sysfs_init(), name of kobject
> which is allocated in dev_set_name() called in device_add() is leaked.
> 
> As comment of device_add() says, it should call put_device() to drop
> the reference count that was set in device_initialize() when it fails,
> so the name can be freed in kobject_cleanup().
> 
> [...]

Applied, thanks!

[1/1] rbd: fix possible memory leak in rbd_sysfs_init()
      (no commit info)

Best regards,
-- 
Jens Axboe



^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-10-27 13:15 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-27  9:19 [PATCH] rbd: fix possible memory leak in rbd_sysfs_init() Yang Yingliang
2022-10-27 12:12 ` Alex Elder
2022-10-27 13:15 ` Jens Axboe

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.