From: Yang Yingliang <yangyingliang@huawei.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: <linux-kernel@vger.kernel.org>, <qemu-devel@nongnu.org>,
<linux-f2fs-devel@lists.sourceforge.net>,
<linux-erofs@lists.ozlabs.org>, <ocfs2-devel@oss.oracle.com>,
<linux-mtd@lists.infradead.org>, <amd-gfx@lists.freedesktop.org>,
<rafael@kernel.org>, <somlo@cmu.edu>, <mst@redhat.com>,
<jaegeuk@kernel.org>, <chao@kernel.org>,
<hsiangkao@linux.alibaba.com>, <huangjianan@oppo.com>,
<mark@fasheh.com>, <jlbec@evilplan.org>,
<joseph.qi@linux.alibaba.com>, <akpm@linux-foundation.org>,
<alexander.deucher@amd.com>, <luben.tuikov@amd.com>,
<richard@nod.at>, <liushixin2@huawei.com>,
<yangyingliang@huawei.com>
Subject: Re: [PATCH v2] kset: fix memory leak when kset_register() returns error
Date: Mon, 24 Oct 2022 23:10:00 +0800 [thread overview]
Message-ID: <87e4e75b-a26e-6b4b-4799-c56c0b8891c0@huawei.com> (raw)
In-Reply-To: <Y1am4mjS+obAbUTJ@kroah.com>
On 2022/10/24 22:53, Greg KH wrote:
> On Mon, Oct 24, 2022 at 10:39:44PM +0800, Yang Yingliang wrote:
>> On 2022/10/24 21:52, Greg KH wrote:
>>> On Mon, Oct 24, 2022 at 08:19:10PM +0800, Yang Yingliang wrote:
>>>> Inject fault while loading module, kset_register() may fail.
>>>> If it fails, the name allocated by kobject_set_name() which
>>>> is called before kset_register() is leaked, because refcount
>>>> of kobject is hold in kset_init().
>>>>
>>>> As a kset may be embedded in a larger structure which needs
>>>> be freed in release() function or error path in callers, we
>>>> can not call kset_put() in kset_register(), or it will cause
>>>> double free, so just call kfree_const() to free the name and
>>>> set it to NULL.
>>>>
>>>> With this fix, the callers don't need to care about the name
>>>> freeing and call an extra kset_put() if kset_register() fails.
>>>>
>>>> Suggested-by: Luben Tuikov <luben.tuikov@amd.com>
>>>> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
>>>> ---
>>>> v1 -> v2:
>>>> Free name inside of kset_register() instead of calling kset_put()
>>>> in drivers.
>>>> ---
>>>> lib/kobject.c | 8 +++++++-
>>>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/lib/kobject.c b/lib/kobject.c
>>>> index a0b2dbfcfa23..3409a89c81e5 100644
>>>> --- a/lib/kobject.c
>>>> +++ b/lib/kobject.c
>>>> @@ -834,6 +834,9 @@ EXPORT_SYMBOL_GPL(kobj_sysfs_ops);
>>>> /**
>>>> * kset_register() - Initialize and add a kset.
>>>> * @k: kset.
>>>> + *
>>>> + * NOTE: On error, the kset.kobj.name allocated by() kobj_set_name()
>>>> + * which is called before kset_register() in caller need be freed.
>>> This comment doesn't make any sense anymore. No caller needs to worry
>>> about this, right?
>> With this fix, the name is freed inside of kset_register(), it can not be
>> accessed,
> Agreed.
>
>> if it allocated dynamically, but callers don't know this if no comment here,
>> they may use it in error path (something like to print error message with
>> it),
>> so how about comment like this to tell callers not to use the name:
>>
>> NOTE: On error, the kset.kobj.name allocated by() kobj_set_name()
>> is freed, it can not be used any more.
> Sure, that's a better way to word it.
>
>>>> */
>>>> int kset_register(struct kset *k)
>>>> {
>>>> @@ -844,8 +847,11 @@ int kset_register(struct kset *k)
>>>> kset_init(k);
>>>> err = kobject_add_internal(&k->kobj);
>>>> - if (err)
>>>> + if (err) {
>>>> + kfree_const(k->kobj.name);
>>>> + k->kobj.name = NULL;
>>> Why are you setting the name here to NULL?
>> I set it to NULL to avoid accessing bad pointer in callers,
>> if callers use it in error path, current callers won't use this
>> name pointer in error path, so we can remove this assignment?
> Ah, I didn't think about using it on error paths. Ideally that would
> never happen, but that's good to set just to make it obvious. How about
> adding a small comment here saying why you are setting it so we all
> remember it in 5 years when we look at the code again.
OK, I can add it in v3.
Thanks,
Yang
>
> thanks,
>
> greg k-h
> .
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
next prev parent reply other threads:[~2022-10-24 15:10 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-24 12:19 [PATCH v2] kset: fix memory leak when kset_register() returns error Yang Yingliang
2022-10-24 13:52 ` Greg KH
2022-10-24 14:39 ` Yang Yingliang
2022-10-24 14:53 ` Greg KH
2022-10-24 15:10 ` Yang Yingliang [this message]
2022-10-24 21:06 ` Luben Tuikov
2022-10-24 21:25 ` Luben Tuikov
2022-10-25 2:16 ` Yang Yingliang
2022-10-25 2:53 ` Luben Tuikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87e4e75b-a26e-6b4b-4799-c56c0b8891c0@huawei.com \
--to=yangyingliang@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=chao@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=hsiangkao@linux.alibaba.com \
--cc=huangjianan@oppo.com \
--cc=jaegeuk@kernel.org \
--cc=jlbec@evilplan.org \
--cc=joseph.qi@linux.alibaba.com \
--cc=linux-erofs@lists.ozlabs.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=liushixin2@huawei.com \
--cc=luben.tuikov@amd.com \
--cc=mark@fasheh.com \
--cc=mst@redhat.com \
--cc=ocfs2-devel@oss.oracle.com \
--cc=qemu-devel@nongnu.org \
--cc=rafael@kernel.org \
--cc=richard@nod.at \
--cc=somlo@cmu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).