2020-05-28 02:03:28

by Qiushi Wu

[permalink] [raw]
Subject: [PATCH] vfio/mdev: Fix reference count leak in add_mdev_supported_type.

From: Qiushi Wu <[email protected]>

kobject_init_and_add() takes reference even when it fails.
If this function returns an error, kobject_put() must be called to
properly clean up the memory associated with the object. Thus,
replace kfree() by kobject_put() to fix this issue. Previous
commit "b8eb718348b8" fixed a similar problem.

Fixes: 7b96953bc640 ("vfio: Mediated device Core driver")
Signed-off-by: Qiushi Wu <[email protected]>
---
drivers/vfio/mdev/mdev_sysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/vfio/mdev/mdev_sysfs.c b/drivers/vfio/mdev/mdev_sysfs.c
index 8ad14e5c02bf..917fd84c1c6f 100644
--- a/drivers/vfio/mdev/mdev_sysfs.c
+++ b/drivers/vfio/mdev/mdev_sysfs.c
@@ -110,7 +110,7 @@ static struct mdev_type *add_mdev_supported_type(struct mdev_parent *parent,
"%s-%s", dev_driver_string(parent->dev),
group->name);
if (ret) {
- kfree(type);
+ kobject_put(&type->kobj);
return ERR_PTR(ret);
}

--
2.17.1


2020-05-28 07:05:07

by Cornelia Huck

[permalink] [raw]
Subject: Re: [PATCH] vfio/mdev: Fix reference count leak in add_mdev_supported_type.

On Wed, 27 May 2020 21:01:09 -0500
[email protected] wrote:

> From: Qiushi Wu <[email protected]>
>
> kobject_init_and_add() takes reference even when it fails.
> If this function returns an error, kobject_put() must be called to
> properly clean up the memory associated with the object. Thus,
> replace kfree() by kobject_put() to fix this issue. Previous
> commit "b8eb718348b8" fixed a similar problem.
>
> Fixes: 7b96953bc640 ("vfio: Mediated device Core driver")
> Signed-off-by: Qiushi Wu <[email protected]>
> ---
> drivers/vfio/mdev/mdev_sysfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Cornelia Huck <[email protected]>

2020-05-29 17:58:49

by Kirti Wankhede

[permalink] [raw]
Subject: Re: [PATCH] vfio/mdev: Fix reference count leak in add_mdev_supported_type.



On 5/28/2020 12:32 PM, Cornelia Huck wrote:
> On Wed, 27 May 2020 21:01:09 -0500
> [email protected] wrote:
>
>> From: Qiushi Wu <[email protected]>
>>
>> kobject_init_and_add() takes reference even when it fails.
>> If this function returns an error, kobject_put() must be called to
>> properly clean up the memory associated with the object. Thus,
>> replace kfree() by kobject_put() to fix this issue. Previous
>> commit "b8eb718348b8" fixed a similar problem.
>>
>> Fixes: 7b96953bc640 ("vfio: Mediated device Core driver")
>> Signed-off-by: Qiushi Wu <[email protected]>
>> ---
>> drivers/vfio/mdev/mdev_sysfs.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Reviewed-by: Cornelia Huck <[email protected]>
>

Thanks for fixing.

Reviewed-by: Kirti Wankhede <[email protected]>

2020-05-29 22:24:29

by Alex Williamson

[permalink] [raw]
Subject: Re: [PATCH] vfio/mdev: Fix reference count leak in add_mdev_supported_type.

On Wed, 27 May 2020 21:01:09 -0500
[email protected] wrote:

> From: Qiushi Wu <[email protected]>
>
> kobject_init_and_add() takes reference even when it fails.
> If this function returns an error, kobject_put() must be called to
> properly clean up the memory associated with the object. Thus,
> replace kfree() by kobject_put() to fix this issue. Previous
> commit "b8eb718348b8" fixed a similar problem.
>
> Fixes: 7b96953bc640 ("vfio: Mediated device Core driver")
> Signed-off-by: Qiushi Wu <[email protected]>
> ---

Applied to vfio next branch for v5.8 with Connie's and Kirti's reviews.
Thanks,

Alex

> drivers/vfio/mdev/mdev_sysfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/vfio/mdev/mdev_sysfs.c b/drivers/vfio/mdev/mdev_sysfs.c
> index 8ad14e5c02bf..917fd84c1c6f 100644
> --- a/drivers/vfio/mdev/mdev_sysfs.c
> +++ b/drivers/vfio/mdev/mdev_sysfs.c
> @@ -110,7 +110,7 @@ static struct mdev_type *add_mdev_supported_type(struct mdev_parent *parent,
> "%s-%s", dev_driver_string(parent->dev),
> group->name);
> if (ret) {
> - kfree(type);
> + kobject_put(&type->kobj);
> return ERR_PTR(ret);
> }
>