* [PATCH] cgroup: Fix memory leak when parsing multiple source parameters
@ 2020-12-09 12:13 Qinglang Miao
  2020-12-09 13:59 ` kernel test robot
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Qinglang Miao @ 2020-12-09 12:13 UTC (permalink / raw)
  To: Tejun Heo, Li Zefan, Johannes Weiner; +Cc: cgroups, linux-kernel, Qinglang Miao

A memory leak is found in cgroup1_parse_param() when multiple source
parameters overwrite fc->source in the fs_context struct without free.

unreferenced object 0xffff888100d930e0 (size 16):
  comm "mount", pid 520, jiffies 4303326831 (age 152.783s)
  hex dump (first 16 bytes):
    74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00  testleak........
  backtrace:
    [<000000003e5023ec>] kmemdup_nul+0x2d/0xa0
    [<00000000377dbdaa>] vfs_parse_fs_string+0xc0/0x150
    [<00000000cb2b4882>] generic_parse_monolithic+0x15a/0x1d0
    [<000000000f750198>] path_mount+0xee1/0x1820
    [<0000000004756de2>] do_mount+0xea/0x100
    [<0000000094cafb0a>] __x64_sys_mount+0x14b/0x1f0

Fix this bug by permitting a single source parameter and rejecting with
an error all subsequent ones.

Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
---
 kernel/cgroup/cgroup-v1.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index 191c329e4..1fd7d3d18 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -908,6 +908,9 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
 	opt = fs_parse(fc, cgroup1_fs_parameters, param, &result);
 	if (opt == -ENOPARAM) {
 		if (strcmp(param->key, "source") == 0) {
+			if (fc->source)
+				return invalf(fc, "Multiple sources not
+						  supported");
 			fc->source = param->string;
 			param->string = NULL;
 			return 0;
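Review bot: the string literal passed to invalf() in the added lines is split across two source lines, ending after "Multiple sources not" and resuming with "supported" on the next line, which leaves an unterminated literal and an unterminated macro invocation, so cgroup-v1.c cannot compile. Keep the whole message on one source line, for example return invalf(fc, "Multiple sources not supported");, even if that runs past the usual line length; a user-visible message also has to stay on one line to remain greppable.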
-- 
2.23.0



* Re: [PATCH] cgroup: Fix memory leak when parsing multiple source parameters
  2020-12-09 12:13 [PATCH] cgroup: Fix memory leak when parsing multiple source parameters Qinglang Miao
@ 2020-12-09 13:59 ` kernel test robot
  2020-12-09 15:33 ` kernel test robot
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 7+ messages in thread
From: kernel test robot @ 2020-12-09 13:59 UTC (permalink / raw)
  To: Qinglang Miao, Tejun Heo, Li Zefan, Johannes Weiner
  Cc: kbuild-all, cgroups, linux-kernel, Qinglang Miao

[-- Attachment #1: Type: text/plain, Size: 7307 bytes --]

Hi Qinglang,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on cgroup/for-next]
[also build test WARNING on v5.10-rc7 next-20201208]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Qinglang-Miao/cgroup-Fix-memory-leak-when-parsing-multiple-source-parameters/20201209-201041
base:   https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git for-next
config: x86_64-randconfig-s031-20201209 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
reproduce:
        # apt-get install sparse
        # sparse version: v0.6.3-179-ga00755aa-dirty
        # https://github.com/0day-ci/linux/commit/f80ce6cc8c1bde7ecab3fed9f9a514091cec6f56
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Qinglang-Miao/cgroup-Fix-memory-leak-when-parsing-multiple-source-parameters/20201209-201041
        git checkout f80ce6cc8c1bde7ecab3fed9f9a514091cec6f56
        # save the attached .config to linux build tree
        make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=x86_64 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   kernel/cgroup/cgroup-v1.c: In function 'cgroup1_parse_param':
>> kernel/cgroup/cgroup-v1.c:912:23: warning: missing terminating " character
     912 |     return invalf(fc, "Multiple sources not
         |                       ^
   kernel/cgroup/cgroup-v1.c:913:18: warning: missing terminating " character
     913 |         supported");
         |                  ^
   kernel/cgroup/cgroup-v1.c:1276: error: unterminated argument list invoking macro "invalf"
    1276 | __setup("cgroup_no_v1=", cgroup_no_v1);
         | 
   kernel/cgroup/cgroup-v1.c:912:12: error: 'invalf' undeclared (first use in this function)
     912 |     return invalf(fc, "Multiple sources not
         |            ^~~~~~
   kernel/cgroup/cgroup-v1.c:912:12: note: each undeclared identifier is reported only once for each function it appears in
   kernel/cgroup/cgroup-v1.c:912:18: error: expected ';' at end of input
     912 |     return invalf(fc, "Multiple sources not
         |                  ^
         |                  ;
   ......
    1276 | __setup("cgroup_no_v1=", cgroup_no_v1);
         |                   
   kernel/cgroup/cgroup-v1.c:1276: note: '-Wmisleading-indentation' is disabled from this point onwards, since column-tracking was disabled due to the size of the code/headers
    1276 | __setup("cgroup_no_v1=", cgroup_no_v1);
         | 
   kernel/cgroup/cgroup-v1.c:912:5: error: expected declaration or statement at end of input
     912 |     return invalf(fc, "Multiple sources not
         |     ^~~~~~
   kernel/cgroup/cgroup-v1.c:912:5: error: expected declaration or statement at end of input
   kernel/cgroup/cgroup-v1.c:912:5: error: expected declaration or statement at end of input
   kernel/cgroup/cgroup-v1.c:906:11: warning: unused variable 'i' [-Wunused-variable]
     906 |  int opt, i;
         |           ^
   kernel/cgroup/cgroup-v1.c:904:24: warning: unused variable 'ss' [-Wunused-variable]
     904 |  struct cgroup_subsys *ss;
         |                        ^~
   kernel/cgroup/cgroup-v1.c:903:28: warning: unused variable 'ctx' [-Wunused-variable]
     903 |  struct cgroup_fs_context *ctx = cgroup_fc2context(fc);
         |                            ^~~
   kernel/cgroup/cgroup-v1.c:1276: error: control reaches end of non-void function [-Werror=return-type]
    1276 | __setup("cgroup_no_v1=", cgroup_no_v1);
         | 
   At top level:
   kernel/cgroup/cgroup-v1.c:849:12: warning: 'cgroup1_show_options' defined but not used [-Wunused-function]
     849 | static int cgroup1_show_options(struct seq_file *seq, struct kernfs_root *kf_root)
         |            ^~~~~~~~~~~~~~~~~~~~
   kernel/cgroup/cgroup-v1.c:817:12: warning: 'cgroup1_rename' defined but not used [-Wunused-function]
     817 | static int cgroup1_rename(struct kernfs_node *kn, struct kernfs_node *new_parent,
         |            ^~~~~~~~~~~~~~
   kernel/cgroup/cgroup-v1.c:33:13: warning: 'cgroup_no_v1_named' defined but not used [-Wunused-variable]
      33 | static bool cgroup_no_v1_named;
         |             ^~~~~~~~~~~~~~~~~~
   cc1: some warnings being treated as errors

vim +912 kernel/cgroup/cgroup-v1.c

   900	
   901	int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
   902	{
   903		struct cgroup_fs_context *ctx = cgroup_fc2context(fc);
   904		struct cgroup_subsys *ss;
   905		struct fs_parse_result result;
   906		int opt, i;
   907	
   908		opt = fs_parse(fc, cgroup1_fs_parameters, param, &result);
   909		if (opt == -ENOPARAM) {
   910			if (strcmp(param->key, "source") == 0) {
   911				if (fc->source)
 > 912					return invalf(fc, "Multiple sources not
   913							  supported");
   914				fc->source = param->string;
   915				param->string = NULL;
   916				return 0;
   917			}
   918			for_each_subsys(ss, i) {
   919				if (strcmp(param->key, ss->legacy_name))
   920					continue;
   921				ctx->subsys_mask |= (1 << i);
   922				return 0;
   923			}
   924			return invalfc(fc, "Unknown subsys name '%s'", param->key);
   925		}
   926		if (opt < 0)
   927			return opt;
   928	
   929		switch (opt) {
   930		case Opt_none:
   931			/* Explicitly have no subsystems */
   932			ctx->none = true;
   933			break;
   934		case Opt_all:
   935			ctx->all_ss = true;
   936			break;
   937		case Opt_noprefix:
   938			ctx->flags |= CGRP_ROOT_NOPREFIX;
   939			break;
   940		case Opt_clone_children:
   941			ctx->cpuset_clone_children = true;
   942			break;
   943		case Opt_cpuset_v2_mode:
   944			ctx->flags |= CGRP_ROOT_CPUSET_V2_MODE;
   945			break;
   946		case Opt_xattr:
   947			ctx->flags |= CGRP_ROOT_XATTR;
   948			break;
   949		case Opt_release_agent:
   950			/* Specifying two release agents is forbidden */
   951			if (ctx->release_agent)
   952				return invalfc(fc, "release_agent respecified");
   953			ctx->release_agent = param->string;
   954			param->string = NULL;
   955			break;
   956		case Opt_name:
   957			/* blocked by boot param? */
   958			if (cgroup_no_v1_named)
   959				return -ENOENT;
   960			/* Can't specify an empty name */
   961			if (!param->size)
   962				return invalfc(fc, "Empty name");
   963			if (param->size > MAX_CGROUP_ROOT_NAMELEN - 1)
   964				return invalfc(fc, "Name too long");
   965			/* Must match [\w.-]+ */
   966			for (i = 0; i < param->size; i++) {
   967				char c = param->string[i];
   968				if (isalnum(c))
   969					continue;
   970				if ((c == '.') || (c == '-') || (c == '_'))
   971					continue;
   972				return invalfc(fc, "Invalid name");
   973			}
   974			/* Specifying two names is forbidden */
   975			if (ctx->name)
   976				return invalfc(fc, "name respecified");
   977			ctx->name = param->string;
   978			param->string = NULL;
   979			break;
   980		}
   981		return 0;
   982	}
   983	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 36640 bytes --]


* Re: [PATCH] cgroup: Fix memory leak when parsing multiple source parameters
  2020-12-09 12:13 [PATCH] cgroup: Fix memory leak when parsing multiple source parameters Qinglang Miao
  2020-12-09 13:59 ` kernel test robot
@ 2020-12-09 15:33 ` kernel test robot
  2020-12-10  1:29 ` [PATCH v2] " Qinglang Miao
  2020-12-15  8:39 ` [PATCH] " Zefan Li
  3 siblings, 0 replies; 7+ messages in thread
From: kernel test robot @ 2020-12-09 15:33 UTC (permalink / raw)
  To: Qinglang Miao, Tejun Heo, Li Zefan, Johannes Weiner
  Cc: kbuild-all, clang-built-linux, cgroups, linux-kernel, Qinglang Miao

[-- Attachment #1: Type: text/plain, Size: 6218 bytes --]

Hi Qinglang,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on cgroup/for-next]
[also build test WARNING on v5.10-rc7 next-20201209]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Qinglang-Miao/cgroup-Fix-memory-leak-when-parsing-multiple-source-parameters/20201209-201041
base:   https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git for-next
config: x86_64-randconfig-a004-20201209 (attached as .config)
compiler: clang version 12.0.0 (https://github.com/llvm/llvm-project 1968804ac726e7674d5de22bc2204b45857da344)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # install x86_64 cross compiling tool for clang build
        # apt-get install binutils-x86-64-linux-gnu
        # https://github.com/0day-ci/linux/commit/f80ce6cc8c1bde7ecab3fed9f9a514091cec6f56
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Qinglang-Miao/cgroup-Fix-memory-leak-when-parsing-multiple-source-parameters/20201209-201041
        git checkout f80ce6cc8c1bde7ecab3fed9f9a514091cec6f56
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

>> kernel/cgroup/cgroup-v1.c:912:23: warning: missing terminating '"' character [-Winvalid-pp-token]
                                   return invalf(fc, "Multiple sources not
                                                     ^
   kernel/cgroup/cgroup-v1.c:913:18: warning: missing terminating '"' character [-Winvalid-pp-token]
                                                     supported");
                                                              ^
   kernel/cgroup/cgroup-v1.c:912:12: error: unterminated function-like macro invocation
                                   return invalf(fc, "Multiple sources not
                                          ^
   include/linux/fs_context.h:241:9: note: macro 'invalf' defined here
   #define invalf(fc, fmt, ...) (errorf(fc, fmt, ## __VA_ARGS__), -EINVAL)
           ^
   kernel/cgroup/cgroup-v1.c:1276:40: error: expected expression
   __setup("cgroup_no_v1=", cgroup_no_v1);
                                          ^
   kernel/cgroup/cgroup-v1.c:1276:40: error: expected '}'
   kernel/cgroup/cgroup-v1.c:910:42: note: to match this '{'
                   if (strcmp(param->key, "source") == 0) {
                                                          ^
   kernel/cgroup/cgroup-v1.c:1276:40: error: expected '}'
   __setup("cgroup_no_v1=", cgroup_no_v1);
                                          ^
   kernel/cgroup/cgroup-v1.c:909:24: note: to match this '{'
           if (opt == -ENOPARAM) {
                                 ^
   kernel/cgroup/cgroup-v1.c:1276:40: error: expected '}'
   __setup("cgroup_no_v1=", cgroup_no_v1);
                                          ^
   kernel/cgroup/cgroup-v1.c:902:1: note: to match this '{'
   {
   ^
   2 warnings and 5 errors generated.

vim +912 kernel/cgroup/cgroup-v1.c

   900	
   901	int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
   902	{
   903		struct cgroup_fs_context *ctx = cgroup_fc2context(fc);
   904		struct cgroup_subsys *ss;
   905		struct fs_parse_result result;
   906		int opt, i;
   907	
   908		opt = fs_parse(fc, cgroup1_fs_parameters, param, &result);
   909		if (opt == -ENOPARAM) {
   910			if (strcmp(param->key, "source") == 0) {
   911				if (fc->source)
 > 912					return invalf(fc, "Multiple sources not
   913							  supported");
   914				fc->source = param->string;
   915				param->string = NULL;
   916				return 0;
   917			}
   918			for_each_subsys(ss, i) {
   919				if (strcmp(param->key, ss->legacy_name))
   920					continue;
   921				ctx->subsys_mask |= (1 << i);
   922				return 0;
   923			}
   924			return invalfc(fc, "Unknown subsys name '%s'", param->key);
   925		}
   926		if (opt < 0)
   927			return opt;
   928	
   929		switch (opt) {
   930		case Opt_none:
   931			/* Explicitly have no subsystems */
   932			ctx->none = true;
   933			break;
   934		case Opt_all:
   935			ctx->all_ss = true;
   936			break;
   937		case Opt_noprefix:
   938			ctx->flags |= CGRP_ROOT_NOPREFIX;
   939			break;
   940		case Opt_clone_children:
   941			ctx->cpuset_clone_children = true;
   942			break;
   943		case Opt_cpuset_v2_mode:
   944			ctx->flags |= CGRP_ROOT_CPUSET_V2_MODE;
   945			break;
   946		case Opt_xattr:
   947			ctx->flags |= CGRP_ROOT_XATTR;
   948			break;
   949		case Opt_release_agent:
   950			/* Specifying two release agents is forbidden */
   951			if (ctx->release_agent)
   952				return invalfc(fc, "release_agent respecified");
   953			ctx->release_agent = param->string;
   954			param->string = NULL;
   955			break;
   956		case Opt_name:
   957			/* blocked by boot param? */
   958			if (cgroup_no_v1_named)
   959				return -ENOENT;
   960			/* Can't specify an empty name */
   961			if (!param->size)
   962				return invalfc(fc, "Empty name");
   963			if (param->size > MAX_CGROUP_ROOT_NAMELEN - 1)
   964				return invalfc(fc, "Name too long");
   965			/* Must match [\w.-]+ */
   966			for (i = 0; i < param->size; i++) {
   967				char c = param->string[i];
   968				if (isalnum(c))
   969					continue;
   970				if ((c == '.') || (c == '-') || (c == '_'))
   971					continue;
   972				return invalfc(fc, "Invalid name");
   973			}
   974			/* Specifying two names is forbidden */
   975			if (ctx->name)
   976				return invalfc(fc, "name respecified");
   977			ctx->name = param->string;
   978			param->string = NULL;
   979			break;
   980		}
   981		return 0;
   982	}
   983	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 40544 bytes --]


* [PATCH v2] cgroup: Fix memory leak when parsing multiple source parameters
  2020-12-09 12:13 [PATCH] cgroup: Fix memory leak when parsing multiple source parameters Qinglang Miao
  2020-12-09 13:59 ` kernel test robot
  2020-12-09 15:33 ` kernel test robot
@ 2020-12-10  1:29 ` Qinglang Miao
  2020-12-15  8:50   ` Zefan Li
  2020-12-16 15:11   ` Tejun Heo
  2020-12-15  8:39 ` [PATCH] " Zefan Li
  3 siblings, 2 replies; 7+ messages in thread
From: Qinglang Miao @ 2020-12-10  1:29 UTC (permalink / raw)
  To: Tejun Heo, Li Zefan, Johannes Weiner; +Cc: cgroups, linux-kernel, Qinglang Miao

A memory leak is found in cgroup1_parse_param() when multiple source
parameters overwrite fc->source in the fs_context struct without free.

unreferenced object 0xffff888100d930e0 (size 16):
  comm "mount", pid 520, jiffies 4303326831 (age 152.783s)
  hex dump (first 16 bytes):
    74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00  testleak........
  backtrace:
    [<000000003e5023ec>] kmemdup_nul+0x2d/0xa0
    [<00000000377dbdaa>] vfs_parse_fs_string+0xc0/0x150
    [<00000000cb2b4882>] generic_parse_monolithic+0x15a/0x1d0
    [<000000000f750198>] path_mount+0xee1/0x1820
    [<0000000004756de2>] do_mount+0xea/0x100
    [<0000000094cafb0a>] __x64_sys_mount+0x14b/0x1f0

Fix this bug by permitting a single source parameter and rejecting with
an error all subsequent ones.

Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
---
 v1->v2: fix compile problems caused by superfluous LF in err message.
 kernel/cgroup/cgroup-v1.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index 191c329e4..32596fdbc 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -908,6 +908,8 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
 	opt = fs_parse(fc, cgroup1_fs_parameters, param, &result);
 	if (opt == -ENOPARAM) {
 		if (strcmp(param->key, "source") == 0) {
+			if (fc->source)
+				return invalf(fc, "Multiple sources not supported");
 			fc->source = param->string;
 			param->string = NULL;
 			return 0;
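Review bot: the new early return calls invalf(), while every other rejection in cgroup1_parse_param() shown in the listing earlier in this thread ("Unknown subsys name", "release_agent respecified", "name respecified") calls invalfc(). Unless the difference is intended, use the same macro as the neighbouring checks so the new message is reported the same way as the others, or say in the changelog why this one differs.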
-- 
2.23.0
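
The leak and the fix described in the commit message above, reduced to a userspace model (an added example, not code from this thread or from the kernel). `fc_model`, `param_model`, `mount_model` and the tracking table are hypothetical names; the model assumes the caller frees any parameter string the parser did not take and that context teardown frees only the current source pointer.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_TRACKED 8
static char *tracked[MAX_TRACKED];     /* live allocations; stands in for kmemleak */
struct fc_model    { char *source; };  /* hypothetical stand-in for struct fs_context */
struct param_model { char *string; };  /* hypothetical stand-in for struct fs_parameter */
typedef int (*parse_fn)(struct fc_model *, struct param_model *);

static char *dup_tracked(const char *s)        /* plays the role of kmemdup_nul() */
{
	for (int i = 0; i < MAX_TRACKED; i++) {
		if (tracked[i])
			continue;
		tracked[i] = malloc(strlen(s) + 1);
		return tracked[i] ? strcpy(tracked[i], s) : NULL;
	}
	return NULL;                           /* table full: report as failure */
}

static void free_tracked(char *p)              /* plays the role of kfree() */
{
	for (int i = 0; p && i < MAX_TRACKED; i++)
		if (tracked[i] == p)
			tracked[i] = NULL;
	free(p);
}

/* Before the patch: the previous fc->source pointer is silently overwritten. */
static int parse_source_unpatched(struct fc_model *fc, struct param_model *param)
{
	fc->source = param->string;
	param->string = NULL;                  /* ownership moved to fc */
	return 0;
}

/* After the patch: a second source is rejected and the caller keeps ownership. */
static int parse_source_patched(struct fc_model *fc, struct param_model *param)
{
	if (fc->source)
		return -EINVAL;                /* what invalf() evaluates to */
	return parse_source_unpatched(fc, param);
}

/* Parse each value as "source", tear down, then count and reclaim what leaked. */
static int mount_model(parse_fn parse, const char *const *values, size_t n,
		       int *rc_out, char *leaked, size_t leaked_len)
{
	struct fc_model fc = { NULL };
	int rc = 0, leaks = 0;

	for (size_t i = 0; i < n && rc == 0; i++) {
		struct param_model param = { dup_tracked(values[i]) };
		rc = param.string ? parse(&fc, &param) : -ENOMEM;
		free_tracked(param.string);    /* assumed: caller frees what was not taken */
	}
	free_tracked(fc.source);               /* assumed: teardown frees current source */
	leaked[0] = '\0';
	for (int i = 0; i < MAX_TRACKED; i++) {
		if (tracked[i] && leaks++ == 0)        /* remember the first leaked string */
			snprintf(leaked, leaked_len, "%s", tracked[i]);
		free(tracked[i]);
		tracked[i] = NULL;
	}
	*rc_out = rc;
	return leaks;
}

int main(void)
{
	const char *const opts[] = { "testleak", "second" };  /* constructed input */
	char a[32], b[32];
	int rc1, rc2;
	int l1 = mount_model(parse_source_unpatched, opts, 2, &rc1, a, sizeof(a));
	int l2 = mount_model(parse_source_patched, opts, 2, &rc2, b, sizeof(b));
	printf("unpatched: rc=%d leaks=%d (%s); patched: rc=%d leaks=%d\n",
	       rc1, l1, a, rc2, l2);
	return 0;
}
```

In the unpatched run the string from the first source parameter is the one left unreferenced, which matches the "testleak" bytes in the kmemleak hex dump.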



* Re: [PATCH] cgroup: Fix memory leak when parsing multiple source parameters
  2020-12-09 12:13 [PATCH] cgroup: Fix memory leak when parsing multiple source parameters Qinglang Miao
                   ` (2 preceding siblings ...)
  2020-12-10  1:29 ` [PATCH v2] " Qinglang Miao
@ 2020-12-15  8:39 ` Zefan Li
  3 siblings, 0 replies; 7+ messages in thread
From: Zefan Li @ 2020-12-15  8:39 UTC (permalink / raw)
  To: Qinglang Miao, Tejun Heo, Johannes Weiner; +Cc: cgroups, linux-kernel

On 2020/12/9 20:13, Qinglang Miao wrote:
> A memory leak is found in cgroup1_parse_param() when multiple source
> parameters overwrite fc->source in the fs_context struct without free.
> 
> unreferenced object 0xffff888100d930e0 (size 16):
>   comm "mount", pid 520, jiffies 4303326831 (age 152.783s)
>   hex dump (first 16 bytes):
>     74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00  testleak........
>   backtrace:
>     [<000000003e5023ec>] kmemdup_nul+0x2d/0xa0
>     [<00000000377dbdaa>] vfs_parse_fs_string+0xc0/0x150
>     [<00000000cb2b4882>] generic_parse_monolithic+0x15a/0x1d0
>     [<000000000f750198>] path_mount+0xee1/0x1820
>     [<0000000004756de2>] do_mount+0xea/0x100
>     [<0000000094cafb0a>] __x64_sys_mount+0x14b/0x1f0
> 
> Fix this bug by permitting a single source parameter and rejecting with
> an error all subsequent ones.
> 
> Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
> ---
>  kernel/cgroup/cgroup-v1.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
> index 191c329e4..1fd7d3d18 100644
> --- a/kernel/cgroup/cgroup-v1.c
> +++ b/kernel/cgroup/cgroup-v1.c
> @@ -908,6 +908,9 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
>  	opt = fs_parse(fc, cgroup1_fs_parameters, param, &result);
>  	if (opt == -ENOPARAM) {
>  		if (strcmp(param->key, "source") == 0) {
> +			if (fc->source)
> +				return invalf(fc, "Multiple sources not
> +						  supported");
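
Review bot: the added if (fc->source) check carries no comment, while the analogous duplicate checks in this function do ("Specifying two release agents is forbidden" before the release_agent check, "Specifying two names is forbidden" before the name check, both visible in the listing earlier in this thread). A one-line comment above the new check saying that a second source is rejected would keep the three cases consistent.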

"never break user-visible strings such as printk messages because
that breaks the ability to grep for them.", quoted from CodingStyle.

Please fix this and you can add

	Reviewed-by: Zefan Li <lizefan@huawei.com>


* Re: [PATCH v2] cgroup: Fix memory leak when parsing multiple source parameters
  2020-12-10  1:29 ` [PATCH v2] " Qinglang Miao
@ 2020-12-15  8:50   ` Zefan Li
  2020-12-16 15:11   ` Tejun Heo
  1 sibling, 0 replies; 7+ messages in thread
From: Zefan Li @ 2020-12-15  8:50 UTC (permalink / raw)
  To: Qinglang Miao, Tejun Heo, Johannes Weiner; +Cc: cgroups, linux-kernel

(didn't notice you've sent v2 with the printk msg fixed)

On 2020/12/10 9:29, Qinglang Miao wrote:
> A memory leak is found in cgroup1_parse_param() when multiple source
> parameters overwrite fc->source in the fs_context struct without free.
> 
> unreferenced object 0xffff888100d930e0 (size 16):
>   comm "mount", pid 520, jiffies 4303326831 (age 152.783s)
>   hex dump (first 16 bytes):
>     74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00  testleak........
>   backtrace:
>     [<000000003e5023ec>] kmemdup_nul+0x2d/0xa0
>     [<00000000377dbdaa>] vfs_parse_fs_string+0xc0/0x150
>     [<00000000cb2b4882>] generic_parse_monolithic+0x15a/0x1d0
>     [<000000000f750198>] path_mount+0xee1/0x1820
>     [<0000000004756de2>] do_mount+0xea/0x100
>     [<0000000094cafb0a>] __x64_sys_mount+0x14b/0x1f0
> 
> Fix this bug by permitting a single source parameter and rejecting with
> an error all subsequent ones.
> 
> Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
> ---
>  v1->v2: fix compile problems caused by superfluous LF in err message.
>  kernel/cgroup/cgroup-v1.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
> index 191c329e4..32596fdbc 100644
> --- a/kernel/cgroup/cgroup-v1.c
> +++ b/kernel/cgroup/cgroup-v1.c
> @@ -908,6 +908,8 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
>  	opt = fs_parse(fc, cgroup1_fs_parameters, param, &result);
>  	if (opt == -ENOPARAM) {
>  		if (strcmp(param->key, "source") == 0) {
> +			if (fc->source)
> +				return invalf(fc, "Multiple sources not supported");
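
Review bot: with the added if (fc->source) return, a mount that passes source more than once now fails with -EINVAL, where the code before this change accepted every occurrence and kept the last one. The changelog says the rejection is intended; it would help to also say why rejecting was chosen over freeing the old fc->source before the assignment, which would close the leak while keeping the previous last-one-wins behaviour for existing callers.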

Reviewed-by: Zefan Li <lizefan@huawei.com>


* Re: [PATCH v2] cgroup: Fix memory leak when parsing multiple source parameters
  2020-12-10  1:29 ` [PATCH v2] " Qinglang Miao
  2020-12-15  8:50   ` Zefan Li
@ 2020-12-16 15:11   ` Tejun Heo
  1 sibling, 0 replies; 7+ messages in thread
From: Tejun Heo @ 2020-12-16 15:11 UTC (permalink / raw)
  To: Qinglang Miao; +Cc: Li Zefan, Johannes Weiner, cgroups, linux-kernel

On Thu, Dec 10, 2020 at 09:29:43AM +0800, Qinglang Miao wrote:
> A memory leak is found in cgroup1_parse_param() when multiple source
> parameters overwrite fc->source in the fs_context struct without free.
> 
> unreferenced object 0xffff888100d930e0 (size 16):
>   comm "mount", pid 520, jiffies 4303326831 (age 152.783s)
>   hex dump (first 16 bytes):
>     74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00  testleak........
>   backtrace:
>     [<000000003e5023ec>] kmemdup_nul+0x2d/0xa0
>     [<00000000377dbdaa>] vfs_parse_fs_string+0xc0/0x150
>     [<00000000cb2b4882>] generic_parse_monolithic+0x15a/0x1d0
>     [<000000000f750198>] path_mount+0xee1/0x1820
>     [<0000000004756de2>] do_mount+0xea/0x100
>     [<0000000094cafb0a>] __x64_sys_mount+0x14b/0x1f0
> 
> Fix this bug by permitting a single source parameter and rejecting with
> an error all subsequent ones.
> 
> Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>

Applied to cgroup/for-5.11.

Thanks.

-- 
tejun
