2003-09-21 22:58:41

by Oleg Drokin

[permalink] [raw]
Subject: [PATCH] [2.4] fix LVM memleaks.

Hello!

There are two error patchs in lvm code, that leads to leaking memory.
One if creating too many volume gropups and one if incorrect
buffer from userspace was passed.
Fixes are trivial. Please apply.

Found with help of smatch.


===== drivers/md/lvm.c 1.20 vs edited =====
--- 1.20/drivers/md/lvm.c Mon Mar 10 17:55:46 2003
+++ edited/drivers/md/lvm.c Mon Sep 22 02:53:54 2003
@@ -1584,8 +1584,10 @@
minor = vg_ptr->vg_number;

/* check limits */
- if (minor >= ABS_MAX_VG)
+ if (minor >= ABS_MAX_VG) {
+ kfree(vg_ptr);
return -EFAULT;
+ }

/* Validate it */
if (vg[VG_CHR(minor)] != NULL) {
@@ -1653,8 +1655,7 @@
P_IOCTL
("ERROR: copying LV ptr %p (%d bytes)\n",
lvp, sizeof(lv_t));
- lvm_do_vg_remove(minor);
- return -EFAULT;
+ goto copy_fault;
}
if (lv.lv_access & LV_SNAPSHOT) {
snap_lv_ptr[ls] = lvp;
@@ -1665,8 +1666,7 @@
vg_ptr->lv[l] = NULL;
/* only create original logical volumes for now */
if (lvm_do_lv_create(minor, lv.lv_name, &lv) != 0) {
- lvm_do_vg_remove(minor);
- return -EFAULT;
+ goto copy_fault;
}
}
}
@@ -1676,12 +1676,10 @@
for (l = 0; l < ls; l++) {
lv_t *lvp = snap_lv_ptr[l];
if (copy_from_user(&lv, lvp, sizeof(lv_t)) != 0) {
- lvm_do_vg_remove(minor);
- return -EFAULT;
+ goto copy_fault;
}
if (lvm_do_lv_create(minor, lv.lv_name, &lv) != 0) {
- lvm_do_vg_remove(minor);
- return -EFAULT;
+ goto copy_fault;
}
}

@@ -1696,6 +1694,10 @@
vg_ptr->vg_status |= VG_ACTIVE;

return 0;
+copy_fault:
+ lvm_do_vg_remove(minor);
+ vfree(snap_lv_ptr);
+ return -EFAULT;
} /* lvm_do_vg_create() */