Subject: Re: [PATCH] ocfs2: possible memory leak in mlog_sys_init()
To: Joseph Qi
From: Yang Yingliang
Date: Wed, 19 Oct 2022 10:57:49 +0800
X-Mailing-List: linux-kernel@vger.kernel.org

On 2022/10/19 10:26, Joseph Qi wrote:
>
> On 10/18/22 10:28 PM, Yang Yingliang wrote:
>> On 2022/10/18 21:39, Joseph Qi wrote:
>>> On 10/18/22 6:33 PM, Yang Yingliang wrote:
>>>> Hi,
>>>>
>>>> On 2022/10/18 17:02, Joseph Qi wrote:
>>>>> Hi,
>>>>>
>>>>> On 10/18/22 3:52 PM, Yang Yingliang wrote:
>>>>>> Injecting faults while probing the module, kset_register() may fail;
>>>>>> if it fails but the refcount of the kobject is not decreased to
>>>>>> 0, the name allocated in kobject_set_name() is leaked. Fix
>>>>>> this by calling kset_put(), so that the name can be freed in the
>>>>>> callback function kobject_cleanup().
>>>>>>
>>>>>> unreferenced object 0xffff888100da9348 (size 8):
>>>>>>     comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s)
>>>>>>     hex dump (first 8 bytes):
>>>>>>       6c 6f 67 6d 61 73 6b 00                          logmask.
>>>>>>     backtrace:
>>>>>>       [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0
>>>>>>       [<000000007c491a9e>] kstrdup+0x3a/0x70
>>>>>>       [<0000000015719a3b>] kstrdup_const+0x63/0x80
>>>>>>       [<0000000084e458ea>] kvasprintf_const+0x149/0x180
>>>>>>       [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150
>>>>>>       [<000000005f48eeac>] kobject_set_name+0xab/0xe0
>>>>>>
>>>>>> Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset")
>>>>>> Signed-off-by: Yang Yingliang
>>>>>> ---
>>>>>>    fs/ocfs2/cluster/masklog.c | 7 ++++++-
>>>>>>    1 file changed, 6 insertions(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c
>>>>>> index 563881ddbf00..7f9ba816d955 100644
>>>>>> --- a/fs/ocfs2/cluster/masklog.c
>>>>>> +++ b/fs/ocfs2/cluster/masklog.c
>>>>>> @@ -156,6 +156,7 @@ static struct kset mlog_kset = {
>>>>>>    int mlog_sys_init(struct kset *o2cb_kset)
>>>>>>    {
>>>>>>        int i = 0;
>>>>>> +    int ret;
>>>>>>
>>>>>>        while (mlog_attrs[i].attr.mode) {
>>>>>>            mlog_default_attrs[i] = &mlog_attrs[i].attr;
>>>>>> @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset)
>>>>>>
>>>>>>        kobject_set_name(&mlog_kset.kobj, "logmask");
>>>>>>        mlog_kset.kobj.kset = o2cb_kset;
>>>>>> -    return kset_register(&mlog_kset);
>>>>>> +    ret = kset_register(&mlog_kset);
>>>>> If register fails, it will call unregister in o2cb_sys_init(), which
>>>>> will put kobject.
>>>> They are different ksets: the kset unregistered in o2cb_sys_init() is 'o2cb_kset', the
>>>> kset registered in mlog_sys_init() is 'mlog_kset', and they hold different
>>>> refcounts.
>>>> Yes, you are right. I've mixed the two ksets up.
>>> In theory, kset_register() may return an error because of a NULL kset, so
>>> here we may not call kset_put() directly; I'm not sure if a static
>>> checker will be happy.
>>> Though this can't happen since it's already statically allocated...
>> kset_register() may fail if kobject_add_internal() returns an error (can't allocate memory); the name
>> "logmask" is dynamically allocated when ocfs2 is compiled as a module and inserted (if ocfs2 is
>> built into the kernel, the name is constant and won't cause a leak), so the name can be leaked.
> What I mean is kset_register() may fail for many reasons, or even
> without kset_init().
> I wonder if we have to handle this internally in kset_register(), rather than
> leave it to the caller. This may benefit other callers as well.
>
> Something like:
> err = kobject_add_internal(&k->kobj);
> if (err) {
>     kset_put(k);
>     return err;
> }
I had thought about this method to fix this, but some ksets are allocated dynamically
in the driver and freed in the callback function, which is called after kset_put();
the error path in the driver will then free it again, which leads to a double free in
some drivers.
I think kset_register() is similar to device_register(): if it fails, another put
function is needed to give up the reference in the driver.

Thanks,
Yang
>
> Thanks,
> Joseph
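Review bot: only the first of the second hunk's added lines is visible in this quote; `@@ -165,7 +166,11 @@` promises five added lines against the single `-    return kset_register(&mlog_kset);` removal, but the quote is trimmed right after `+    ret = kset_register(&mlog_kset);`, so the `kset_put()` on failure and the `return ret;` that the commit message describes cannot be checked from this reply. When reviewing the full patch, confirm that the failure path puts the static `mlog_kset` named in the hunk header exactly once and that the success path still returns 0, and consider a comment on the put explaining that it exists to free the name allocated by `kobject_set_name()` when ocfs2 is built as a module.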
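The ownership rules argued over in this thread, as an added user-space model that is not kernel code and not part of the patch: toy stand-ins for kobject and kset show that a failed kset_register() leaves the module-allocated name behind unless the caller does kset_put() (the patch's fix), and that moving the put inside kset_register() as proposed would double free a dynamically allocated kset whose driver error path already kfree()s it (Yang's objection). All names are assumptions mirroring the kernel ones; kobject_add_internal() is stubbed to always fail, standing in for the fault injection.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* Toy stand-ins for the kernel objects discussed in the thread; not kernel code. */
struct kobject { int refcount; char *name; void (*release)(struct kobject *); };
struct kset { struct kobject kobj; int freed; };
static int live_names, double_frees;            /* leak and double-free detectors */
/* Like kstrdup() for a module: the name string is heap-allocated. */
static void kobject_set_name(struct kobject *k, const char *n)
{ k->name = strcpy(malloc(strlen(n) + 1), n); live_names++; }

/* kobject_cleanup(): free the name, then call the ktype's release(). */
static void kobject_put(struct kobject *k)
{
    if (--k->refcount == 0) {
        free(k->name); k->name = NULL; live_names--;
        if (k->release) k->release(k);
    }
}
static void kset_put(struct kset *k) { kobject_put(&k->kobj); }
/* kobject_add_internal() under fault injection: always fails with -ENOMEM. */
static int kobject_add_internal(struct kobject *k) { (void)k; return -ENOMEM; }
/* Current kset_register(): the reference taken at init survives a failed add. */
static int kset_register(struct kset *k)
{ k->kobj.refcount = 1; return kobject_add_internal(&k->kobj); }
/* Joseph's proposed variant: drop the reference inside kset_register() on failure. */
static int kset_register_putting(struct kset *k)
{ int err = kset_register(k); if (err) kset_put(k); return err; }
/* Release callback of a driver-owned, dynamically allocated kset: it kfree()s the kset. */
static void kfree_kset(struct kset *k) { if (k->freed) double_frees++; k->freed = 1; }
static void dyn_release(struct kobject *kobj) { kfree_kset((struct kset *)kobj); }
/* The static mlog_kset path; returns names still allocated (1 = the "logmask" leak). */
static int probe_static_kset(int put_on_error)
{
    struct kset mlog_kset = { 0 };
    live_names = 0; kobject_set_name(&mlog_kset.kobj, "logmask");
    if (kset_register(&mlog_kset) && put_on_error)
        kset_put(&mlog_kset);                   /* the patch's fix */
    return live_names;
}
/* A dynamic kset whose driver error path kfree()s it; returns double frees seen. */
static int probe_dynamic_kset(int register_puts)
{
    struct kset ks = { .kobj.release = dyn_release };
    double_frees = 0; kobject_set_name(&ks.kobj, "dyn");
    if (register_puts ? kset_register_putting(&ks) : kset_register(&ks))
        kfree_kset(&ks);                        /* existing drivers free without a put */
    return double_frees;
}
```

probe_static_kset(0) reports the one leaked name and probe_static_kset(1) reports none; probe_dynamic_kset(1) reports the double free that the in-register put would introduce for drivers that already free their kset on error.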