Received: by 2002:a17:90a:2044:0:0:0:0 with SMTP id n62csp1277171pjc;
        Wed, 22 May 2019 13:06:20 -0700 (PDT)
X-Google-Smtp-Source: APXvYqy9QtaEOUlORH0EpT0gxRmllY7NYyy+ifRK1woC8jk3j6cnFjZvSPS1bwrIWf1Wfu8wP1tq
X-Received: by 2002:a17:902:a98b:: with SMTP id bh11mr19639593plb.8.1558555579967;
        Wed, 22 May 2019 13:06:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1558555579; cv=none;
        d=google.com; s=arc-20160816;
        b=K92nD2wtpU/y00eDhy3WvWLh/uZ2fozxmWGwA4V8gSptRGXHV+W6DlP74Qd62cS4+n
         tVVvLK9acl79lYriMbpn3tw/cSO0hWoCUsBzgher2M7a+PSTjf/xv3vDIRbnOeg6615t
         BvEnz+zZ4Erjfs7G2wlCmoZsUApdr0c5u4A/7U73KRHBRStkzpcJBlEzYUCtweNwKCOV
         CScXgbVDuN8NG1J7n+pqpIcJ4+oqTWEU6/XNvYPF8wU3ZhmsrB8xq2/A+u0yUzBeAw0t
         A8zBo+3+kao7aZgwIiUI4cJM3IFwMO1zPi3o/TsCrMOcJ7ZV8NpgdQpgHqbVYBC9uChU
         PmqA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=8/DA6bLIlGEpWkUNUigB/Pnym+u5GROCIkibznKqnqI=;
        b=SnCbrntSQjCrrTe381/+BH/LeChGLrIMvHqWbaoX8eDjeMUsgB0wVKcL6+uEOqlbXt
         SJ8TkvN62C/9T7Bsc0B5CDJoaZp2pT8j1BkSw3zArMkTkcOQwG98meIBud147mmx9MfX
         3eNMLynJDs674SC5Y//oxAZDj1ljJUtoY1872xyNlGFUKS0YiEB+MRx9QxardbURmNVu
         QTdTZ6gCYiegRIM/MuklmQ2k27AR7GgBplusErw849w6sNERSFDPQf3Xov7hME8hcB6V
         5VMnlt+PbLo18KylqjEl7wYK8sJx+Ihb9SpY7nkJPaj3LolRWToL+VZYHn3vYLiDJmcq
         LZ6w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u24si8141849pfa.245.2019.05.22.13.06.04;
        Wed, 22 May 2019 13:06:19 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731257AbfEVUDH (ORCPT <rfc822;radocaj.bane@gmail.com>
        + 99 others); Wed, 22 May 2019 16:03:07 -0400
Received: from nautica.notk.org ([91.121.71.147]:49794 "EHLO nautica.notk.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1730075AbfEVTVq (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 22 May 2019 15:21:46 -0400
Received: by nautica.notk.org (Postfix, from userid 1001)
        id E8FC1C009; Wed, 22 May 2019 21:21:44 +0200 (CEST)
Date:   Wed, 22 May 2019 21:21:29 +0200
From:   Dominique Martinet <asmadeus@codewreck.org>
To:     Bharath Vedartham <linux.bhar@gmail.com>
Cc:     ericvh@gmail.com, lucho@ionkov.net,
        v9fs-developer@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] 9p/cache.c: Fix memory leak in
 v9fs_cache_session_get_cookie
Message-ID: <20190522192129.GA30941@nautica>
References: <20190522191655.GA4657@bharath12345-Inspiron-5559>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20190522191655.GA4657@bharath12345-Inspiron-5559>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Bharath Vedartham wrote on Thu, May 23, 2019:
> v9fs_cache_session_get_cookie assigns a random cachetag to
> v9ses->cachetag, if the cachetag is not assigned previously.
> 
> v9fs_random_cachetag allocates memory to v9ses->cachetag with kmalloc
> and uses scnprintf to fill it up with a cachetag.
> 
> But if scnprintf fails, v9ses->cachetag is not freed in the current code causing a memory leak.
> 
> Fix this by freeing v9ses->cachetag it v9fs_random_cachetag fails.
> 
> This was reported by syzbot, the link to the report is below:
> https://syzkaller.appspot.com/bug?id=f012bdf297a7a4c860c38a88b44fbee43fd9bbf3
> 
> Reported-by: syzbot+3a030a73b6c1e9833815@syzkaller.appspotmail.com 
> Signed-off-by: Bharath Vedartham <linux.bhar@gmail.com>
> ---
>  fs/9p/cache.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/fs/9p/cache.c b/fs/9p/cache.c
> index 9eb3470..4463b91 100644
> --- a/fs/9p/cache.c
> +++ b/fs/9p/cache.c
> @@ -66,6 +66,7 @@ void v9fs_cache_session_get_cookie(struct v9fs_session_info *v9ses)
>  	if (!v9ses->cachetag) {
>  		if (v9fs_random_cachetag(v9ses) < 0) {
>  			v9ses->fscache = NULL;
> +			kfree(v9ses->cachetag);

I would also reset v9ses->cachetag to NULL just in case,
v9fs_cache_session_get_cookie will use v9ses->cachetag as it is if it is
not null and you were leaving an invalid pointer there

I do not see any reason it could be called multiple times but
v9fs_cache_session_get_cookie does not return any error (void function)
so something later on could try to use that cachetag incorrectly later
on

Thanks,
-- 
Dominique