V1->V2:
In jffs2_scan_medium,
if s = kzalloc(sizeof(struct jffs2_summary), GFP_KERNEL);
returns error, go to "out" to do clear. Null pointer dereference
occurs when if (s->sum_list_head) is executed in "out".
V2->V3:
Sorry for the noise, but there seems to be a more elegant way to
fix the memory leak in jffs2_scan_medium. When memory allocation
fails or CONFIG_JFFS2_SUMMARY is N, s is NULL.For the former case,
add the new tag "out_buf" to avoid it.In the latter case,
jffs2_sum_reset_collected is also an empty function and does nothing.
Baokun Li (2):
jffs2: fix memory leak in jffs2_do_mount_fs
jffs2: fix memory leak in jffs2_scan_medium
fs/jffs2/build.c | 4 +++-
fs/jffs2/scan.c | 6 ++++--
2 files changed, 7 insertions(+), 3 deletions(-)
--
2.31.1
If jffs2_build_filesystem() in jffs2_do_mount_fs() returns an error,
we can observe the following kmemleak report:
--------------------------------------------
unreferenced object 0xffff88811b25a640 (size 64):
comm "mount", pid 691, jiffies 4294957728 (age 71.952s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffffa493be24>] kmem_cache_alloc_trace+0x584/0x880
[<ffffffffa5423a06>] jffs2_sum_init+0x86/0x130
[<ffffffffa5400e58>] jffs2_do_mount_fs+0x798/0xac0
[<ffffffffa540acf3>] jffs2_do_fill_super+0x383/0xc30
[<ffffffffa540c00a>] jffs2_fill_super+0x2ea/0x4c0
[...]
unreferenced object 0xffff88812c760000 (size 65536):
comm "mount", pid 691, jiffies 4294957728 (age 71.952s)
hex dump (first 32 bytes):
bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
backtrace:
[<ffffffffa493a449>] __kmalloc+0x6b9/0x910
[<ffffffffa5423a57>] jffs2_sum_init+0xd7/0x130
[<ffffffffa5400e58>] jffs2_do_mount_fs+0x798/0xac0
[<ffffffffa540acf3>] jffs2_do_fill_super+0x383/0xc30
[<ffffffffa540c00a>] jffs2_fill_super+0x2ea/0x4c0
[...]
--------------------------------------------
This is because the resources allocated in jffs2_sum_init() are not
released. Call jffs2_sum_exit() to release these resources to solve
the problem.
Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
Cc: [email protected]
Signed-off-by: Baokun Li <[email protected]>
---
fs/jffs2/build.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/jffs2/build.c b/fs/jffs2/build.c
index b288c8ae1236..837cd55fd4c5 100644
--- a/fs/jffs2/build.c
+++ b/fs/jffs2/build.c
@@ -415,13 +415,15 @@ int jffs2_do_mount_fs(struct jffs2_sb_info *c)
jffs2_free_ino_caches(c);
jffs2_free_raw_node_refs(c);
ret = -EIO;
- goto out_free;
+ goto out_sum_exit;
}
jffs2_calc_trigger_levels(c);
return 0;
+ out_sum_exit:
+ jffs2_sum_exit(c);
out_free:
kvfree(c->blocks);
--
2.31.1
If an error is returned in jffs2_scan_eraseblock() and some memory
has been added to the jffs2_summary *s, we can observe the following
kmemleak report:
--------------------------------------------
unreferenced object 0xffff88812b889c40 (size 64):
comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
hex dump (first 32 bytes):
40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00 @H........1...P.
00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08 ................
backtrace:
[<ffffffffae93a3a3>] __kmalloc+0x613/0x910
[<ffffffffaf423b9c>] jffs2_sum_add_dirent_mem+0x5c/0xa0
[<ffffffffb0f3afa8>] jffs2_scan_medium.cold+0x36e5/0x4794
[<ffffffffb0f3dbe1>] jffs2_do_mount_fs.cold+0xa7/0x2267
[<ffffffffaf40acf3>] jffs2_do_fill_super+0x383/0xc30
[<ffffffffaf40c00a>] jffs2_fill_super+0x2ea/0x4c0
[<ffffffffb0315d64>] mtd_get_sb+0x254/0x400
[<ffffffffb0315f5f>] mtd_get_sb_by_nr+0x4f/0xd0
[<ffffffffb0316478>] get_tree_mtd+0x498/0x840
[<ffffffffaf40bd15>] jffs2_get_tree+0x25/0x30
[<ffffffffae9f358d>] vfs_get_tree+0x8d/0x2e0
[<ffffffffaea7a98f>] path_mount+0x50f/0x1e50
[<ffffffffaea7c3d7>] do_mount+0x107/0x130
[<ffffffffaea7c5c5>] __se_sys_mount+0x1c5/0x2f0
[<ffffffffaea7c917>] __x64_sys_mount+0xc7/0x160
[<ffffffffb10142f5>] do_syscall_64+0x45/0x70
unreferenced object 0xffff888114b54840 (size 32):
comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
hex dump (first 32 bytes):
c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00 .u..............
00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5 ......D...kkkkk.
backtrace:
[<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
[<ffffffffaf423b04>] jffs2_sum_add_inode_mem+0x54/0x90
[<ffffffffb0f3bd44>] jffs2_scan_medium.cold+0x4481/0x4794
[...]
unreferenced object 0xffff888114b57280 (size 32):
comm "mount", pid 692, jiffies 4294838393 (age 34.357s)
hex dump (first 32 bytes):
10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00 ..l.............
00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5 ..8...(...kkkkk.
backtrace:
[<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
[<ffffffffaf423c34>] jffs2_sum_add_xattr_mem+0x54/0x90
[<ffffffffb0f3a24f>] jffs2_scan_medium.cold+0x298c/0x4794
[...]
unreferenced object 0xffff8881116cd510 (size 16):
comm "mount", pid 692, jiffies 4294838395 (age 34.355s)
hex dump (first 16 bytes):
00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5 ..........`...k.
backtrace:
[<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
[<ffffffffaf423cc4>] jffs2_sum_add_xref_mem+0x54/0x90
[<ffffffffb0f3b2e3>] jffs2_scan_medium.cold+0x3a20/0x4794
[...]
--------------------------------------------
Therefore, we should call jffs2_sum_reset_collected(s) on exit to
release the memory added in s. In addition, a new tag "out_buf" is
added to prevent the NULL pointer reference caused by s being NULL.
(thanks to Zhang Yi for this analysis)
Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
Cc: [email protected]
Co-developed-with: Zhihao Cheng <[email protected]>
Signed-off-by: Baokun Li <[email protected]>
---
fs/jffs2/scan.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/jffs2/scan.c b/fs/jffs2/scan.c
index b676056826be..29671e33a171 100644
--- a/fs/jffs2/scan.c
+++ b/fs/jffs2/scan.c
@@ -136,7 +136,7 @@ int jffs2_scan_medium(struct jffs2_sb_info *c)
if (!s) {
JFFS2_WARNING("Can't allocate memory for summary\n");
ret = -ENOMEM;
- goto out;
+ goto out_buf;
}
}
@@ -275,13 +275,15 @@ int jffs2_scan_medium(struct jffs2_sb_info *c)
}
ret = 0;
out:
+ jffs2_sum_reset_collected(s);
+ kfree(s);
+ out_buf:
if (buf_size)
kfree(flashbuf);
#ifndef __ECOS
else
mtd_unpoint(c->mtd, 0, c->mtd->size);
#endif
- kfree(s);
return ret;
}
--
2.31.1
?? 2022/1/14 18:28, Baokun Li д??:
ping
> V1->V2:
> In jffs2_scan_medium,
> if s = kzalloc(sizeof(struct jffs2_summary), GFP_KERNEL);
> returns error, go to "out" to do clear. Null pointer dereference
> occurs when if (s->sum_list_head) is executed in "out".
>
> V2->V3:
> Sorry for the noise, but there seems to be a more elegant way to
> fix the memory leak in jffs2_scan_medium. When memory allocation
> fails or CONFIG_JFFS2_SUMMARY is N, s is NULL.For the former case,
> add the new tag "out_buf" to avoid it.In the latter case,
> jffs2_sum_reset_collected is also an empty function and does nothing.
>
> Baokun Li (2):
> jffs2: fix memory leak in jffs2_do_mount_fs
> jffs2: fix memory leak in jffs2_scan_medium
>
> fs/jffs2/build.c | 4 +++-
> fs/jffs2/scan.c | 6 ++++--
> 2 files changed, 7 insertions(+), 3 deletions(-)
>
A gentle ping, sorry for the noise.
在 2022/1/14 18:28, Baokun Li 写道:
> V1->V2:
> In jffs2_scan_medium,
> if s = kzalloc(sizeof(struct jffs2_summary), GFP_KERNEL);
> returns error, go to "out" to do clear. Null pointer dereference
> occurs when if (s->sum_list_head) is executed in "out".
>
> V2->V3:
> Sorry for the noise, but there seems to be a more elegant way to
> fix the memory leak in jffs2_scan_medium. When memory allocation
> fails or CONFIG_JFFS2_SUMMARY is N, s is NULL.For the former case,
> add the new tag "out_buf" to avoid it.In the latter case,
> jffs2_sum_reset_collected is also an empty function and does nothing.
>
> Baokun Li (2):
> jffs2: fix memory leak in jffs2_do_mount_fs
> jffs2: fix memory leak in jffs2_scan_medium
>
> fs/jffs2/build.c | 4 +++-
> fs/jffs2/scan.c | 6 ++++--
> 2 files changed, 7 insertions(+), 3 deletions(-)
>
--
With Best Regards,
Baokun Li
在 2022/3/17 6:00, Richard Weinberger 写道:
> ----- Ursprüngliche Mail -----
>> Von: "libaokun" <[email protected]>
>> An: "richard" <[email protected]>, "David Woodhouse" <[email protected]>, "linux-mtd" <[email protected]>,
>> "linux-kernel" <[email protected]>
>> CC: "yukuai3" <[email protected]>, "libaokun" <[email protected]>
>> Gesendet: Donnerstag, 10. März 2022 09:34:35
>> Betreff: Re: [PATCH -next v3 0/2] jffs2: fix two memory leak when mount jffs2
>> A gentle ping, sorry for the noise.
> Patches applied.
> Thanks for fixing!
>
> Thanks,
> //richard
> .
Thank you for your review!
--
With Best Regards,
Baokun Li
----- Ursprüngliche Mail -----
> Von: "libaokun" <[email protected]>
> An: "richard" <[email protected]>, "David Woodhouse" <[email protected]>, "linux-mtd" <[email protected]>,
> "linux-kernel" <[email protected]>
> CC: "yukuai3" <[email protected]>, "libaokun" <[email protected]>
> Gesendet: Donnerstag, 10. März 2022 09:34:35
> Betreff: Re: [PATCH -next v3 0/2] jffs2: fix two memory leak when mount jffs2
> A gentle ping, sorry for the noise.
Patches applied.
Thanks for fixing!
Thanks,
//richard