* [PATCH] xen/blkback: do not leak mode property
@ 2012-12-03 19:32 Olaf Hering
2012-12-04 10:30 ` Jan Beulich
0 siblings, 1 reply; 4+ messages in thread
From: Olaf Hering @ 2012-12-03 19:32 UTC (permalink / raw)
To: konrad.wilk; +Cc: linux-kernel, xen-devel, jbeulich, Olaf Hering
be->mode is obtained from xenbus_read, which does a kmalloc for the
message body. The short string is never released, so do it on blkbk
remove.
Signed-off-by: Olaf Hering <olaf@aepfle.de>
---
!! Not compile tested !!
drivers/block/xen-blkback/xenbus.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c
index f58434c..a6585a4 100644
--- a/drivers/block/xen-blkback/xenbus.c
+++ b/drivers/block/xen-blkback/xenbus.c
@@ -366,6 +366,7 @@ static int xen_blkbk_remove(struct xenbus_device *dev)
be->blkif = NULL;
}
+ kfree(be->mode);
kfree(be);
dev_set_drvdata(&dev->dev, NULL);
return 0;
--
1.8.0.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] xen/blkback: do not leak mode property
2012-12-03 19:32 [PATCH] xen/blkback: do not leak mode property Olaf Hering
@ 2012-12-04 10:30 ` Jan Beulich
2012-12-04 18:21 ` Olaf Hering
0 siblings, 1 reply; 4+ messages in thread
From: Jan Beulich @ 2012-12-04 10:30 UTC (permalink / raw)
To: Olaf Hering, konrad.wilk; +Cc: xen-devel, linux-kernel
>>> On 03.12.12 at 20:32, Olaf Hering <olaf@aepfle.de> wrote:
> be->mode is obtained from xenbus_read, which does a kmalloc for the
> message body. The short string is never released, so do it on blkbk
> remove.
>
> Signed-off-by: Olaf Hering <olaf@aepfle.de>
> ---
>
> !! Not compile tested !!
>
> drivers/block/xen-blkback/xenbus.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/block/xen-blkback/xenbus.c
> b/drivers/block/xen-blkback/xenbus.c
> index f58434c..a6585a4 100644
> --- a/drivers/block/xen-blkback/xenbus.c
> +++ b/drivers/block/xen-blkback/xenbus.c
> @@ -366,6 +366,7 @@ static int xen_blkbk_remove(struct xenbus_device *dev)
> be->blkif = NULL;
> }
>
> + kfree(be->mode);
This looks necessary but insufficient - there's nothing really
preventing backend_changed() from being called more than once
for a given device (is simply the handler of xenbus watch). Hence
I think either that function needs to be guarded against multiple
execution (e.g. by removing the watch from that function itself,
if that's permitted by xenbus), or to properly deal with the
effects this has (including but probably not limited to the leaking
of be->mode).
Jan
> kfree(be);
> dev_set_drvdata(&dev->dev, NULL);
> return 0;
> --
> 1.8.0.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] xen/blkback: do not leak mode property
2012-12-04 10:30 ` Jan Beulich
@ 2012-12-04 18:21 ` Olaf Hering
2012-12-05 8:00 ` Jan Beulich
0 siblings, 1 reply; 4+ messages in thread
From: Olaf Hering @ 2012-12-04 18:21 UTC (permalink / raw)
To: Jan Beulich; +Cc: konrad.wilk, xen-devel, linux-kernel
On Tue, Dec 04, Jan Beulich wrote:
> This looks necessary but insufficient - there's nothing really
> preventing backend_changed() from being called more than once
> for a given device (is simply the handler of xenbus watch). Hence
> I think either that function needs to be guarded against multiple
> execution (e.g. by removing the watch from that function itself,
> if that's permitted by xenbus), or to properly deal with the
> effects this has (including but probably not limited to the leaking
> of be->mode).
If another watch does really trigger after the kfree(be) in
xen_blkbk_remove(), wouldnt backend_changed access stale memory?
So if that can really happen in practice, shouldnt the backend_watch be
a separate allocation instead being contained within backend_info?
Looking at unregister_xenbus_watch, it clears removes the watch from the
list, so that process_msg will not see it anymore.
Olaf
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] xen/blkback: do not leak mode property
2012-12-04 18:21 ` Olaf Hering
@ 2012-12-05 8:00 ` Jan Beulich
0 siblings, 0 replies; 4+ messages in thread
From: Jan Beulich @ 2012-12-05 8:00 UTC (permalink / raw)
To: Olaf Hering; +Cc: xen-devel, konrad.wilk, linux-kernel
>>> On 04.12.12 at 19:21, Olaf Hering <olaf@aepfle.de> wrote:
> On Tue, Dec 04, Jan Beulich wrote:
>
>> This looks necessary but insufficient - there's nothing really
>> preventing backend_changed() from being called more than once
>> for a given device (is simply the handler of xenbus watch). Hence
>> I think either that function needs to be guarded against multiple
>> execution (e.g. by removing the watch from that function itself,
>> if that's permitted by xenbus), or to properly deal with the
>> effects this has (including but probably not limited to the leaking
>> of be->mode).
>
> If another watch does really trigger after the kfree(be) in
> xen_blkbk_remove(), wouldnt backend_changed access stale memory?
> So if that can really happen in practice, shouldnt the backend_watch be
> a separate allocation instead being contained within backend_info?
>
> Looking at unregister_xenbus_watch, it clears removes the watch from the
> list, so that process_msg will not see it anymore.
That's not the scenario I was talking about: I'm concerned about
multiple calls to backend_changed() to similarly leak "mode" (and
possibly cause other bad stuff to happen) while the device is still
alive - after all it overwrites "mode" without checking what's in
there.
Jan
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2012-12-05 8:01 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-12-03 19:32 [PATCH] xen/blkback: do not leak mode property Olaf Hering
2012-12-04 10:30 ` Jan Beulich
2012-12-04 18:21 ` Olaf Hering
2012-12-05 8:00 ` Jan Beulich
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).