References: <20200528183804.4497-1-wu000273@umn.edu>
From: Ard Biesheuvel
Date: Mon, 15 Jun 2020 11:48:53 +0200
Subject: Re: [PATCH] efi/esrt: Fix reference count leak in esre_create_sysfs_entry.
To: Qiushi Wu
Cc: Kangjie Lu, Peter Jones, Matt Fleming, linux-efi, Linux Kernel Mailing List

On Sat, 30 May 2020 at 06:23, Qiushi Wu wrote:
>
> Thanks for your reply!
> > Why are you removing this kfree() call?
>
> Because kobject_put(&entry->kobj) will call kobject_release(), which will call kobject_cleanup(), which will dynamically call get_ktype(kobj)->release(kobj);.
> In this case, the "release" function is defined as:
> static struct kobj_type esre1_ktype = {
>     .release = esre_release,
>     ...
> };
>
> and esre_release() is defined as:
> static void esre_release(struct kobject *kobj) {
>     struct esre_entry *entry = to_entry(kobj);
>     list_del(&entry->list);
>     kfree(entry);
> }
>
> In this case, if we call both kobject_put() and kfree(), a double-free will be introduced.
>

Thanks for the explanation

Queued in efi/urgent.

> On Fri, May 29, 2020 at 12:00 PM Ard Biesheuvel wrote:
>>
>> On Thu, 28 May 2020 at 20:38, wrote:
>> >
>> > From: Qiushi Wu
>> >
>> > kobject_init_and_add() takes reference even when it fails.
>> > If this function returns an error, kobject_put() must be called to
>> > properly clean up the memory associated with the object. Previous
>> > commit "b8eb718348b8" fixed a similar problem.
>> >
>> > Fixes: 0bb549052d33 ("efi: Add esrt support")
>> > Signed-off-by: Qiushi Wu
>> > ---
>> > drivers/firmware/efi/esrt.c | 2 +-
>> > 1 file changed, 1 insertion(+), 1 deletion(-)
>> >
>> > diff --git a/drivers/firmware/efi/esrt.c b/drivers/firmware/efi/esrt.c >> > index e3d692696583..d5915272141f 100644 >> > --- a/drivers/firmware/efi/esrt.c 
>> > +++ b/drivers/firmware/efi/esrt.c >> > @@ -181,7 +181,7 @@ static int esre_create_sysfs_entry(void *esre, int entry_num) >> > rc = kobject_init_and_add(&entry->kobj, &esre1_ktype, NULL, >> > "entry%d", entry_num); >> > if (rc) { >> > - kfree(entry); >> >> Why are you removing this kfree() call? >> >> > + kobject_put(&entry->kobj); >> > return rc; >> > } >> > } >> > -- >> > 2.17.1 >> >
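
Review bot: In the if (rc) error path, kobject_put(&entry->kobj) now ends in esre_release(), which (as quoted in the reply above) calls list_del(&entry->list) before kfree(entry). The hunk does not show entry->list being initialised or linked before kobject_init_and_add(), so please confirm that list_del() is safe on this path, for example by calling INIT_LIST_HEAD(&entry->list) ahead of kobject_init_and_add(). The commit message should also state that the ktype release callback frees entry, which is why kfree(entry) is removed rather than kept next to kobject_put(); that would have answered the reviewer's question up front.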