Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp199736rwi;
        Wed, 19 Oct 2022 19:59:12 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM6Ij9vijtN+hxCS69Oi9pYZdAENWZ+l5MWl1Gatuc65yGF22UKOWWwrQiCglWw3kNx99LM1
X-Received: by 2002:a05:6402:400d:b0:45c:9a5c:444a with SMTP id d13-20020a056402400d00b0045c9a5c444amr10071859eda.283.1666234752505;
        Wed, 19 Oct 2022 19:59:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666234752; cv=none;
        d=google.com; s=arc-20160816;
        b=wye7wHQpNh1kty1yV9wfyg9p63/z8yGQGDz+470+tdy9GMoN5NUbQXDvCa/avQaZjJ
         BystJsJOqjaYGEYD/2OJVhs60xnsMJZiSBjYRJFmEz5vbaCdd0ZBaXTBEipPEFg+MIzX
         Ks/GO4F1eoBgZq62Z5whwhhNzVvWkgOWVhA2lShdo/2+31P5FASnp6dcKNVtLQgXwrgW
         mNA4xHkvReoJ4vGY7qAzQcJUwJaXyzTuRiFgUIJeMlZvHtBo+hHhpBDxy2NWMqGjC3aL
         6Rx/ZfnO2poPj6p1e4aBkqTXn9mnc6S2H9aWLRSCmUtqrD0p3vekeTUhG0zbaDhL65Ks
         bPAw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id;
        bh=uT3uNTtXw1VaQsluFvWlEx5jPqZ3cF0ZJBnh4ntz8Ds=;
        b=arpjH10V+vYrjiC/1DYE6VQgs/PEPux6FWTLfWIUlK8NPMx3XD4TegtF3b7dRWeQz1
         gggYWNf3SL6XTI4+1PP7sCrqtvFmfk1h+CHJKygORyb1poDOzqFDn0Hilhn/kzZNbdW7
         TmvKMYRzzdAguRDHxeH4TMMDa1O3/gU7I39/nHZbx81fFHhhwt/FukGHtFROarhvqP0f
         c0l8AtbWl+vEO3HGMpTCT5swG1uzO37ykxeoCxOUOaqbmJ3au46iPg8jtwkRu70ZPBKX
         4oMslslMzBi4L3SyRzRG184BaGJBrfqTdCL2XJH4j+nT3TQ5jB/RNpKo6Nra7uJ8qTPc
         6M8A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id di17-20020a170906731100b0078d8f2658e3si16758715ejc.833.2022.10.19.19.58.20;
        Wed, 19 Oct 2022 19:59:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231302AbiJTCG6 (ORCPT <rfc822;artur.folwarczny@gmail.com>
        + 99 others); Wed, 19 Oct 2022 22:06:58 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52010 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230519AbiJTCGy (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 19 Oct 2022 22:06:54 -0400
Received: from out30-133.freemail.mail.aliyun.com (out30-133.freemail.mail.aliyun.com [115.124.30.133])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E0885159D5F
        for <linux-kernel@vger.kernel.org>; Wed, 19 Oct 2022 19:06:52 -0700 (PDT)
X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R141e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=ay29a033018046050;MF=joseph.qi@linux.alibaba.com;NM=1;PH=DS;RN=7;SR=0;TI=SMTPD_---0VScf.A8_1666231608;
Received: from 30.221.128.181(mailfrom:joseph.qi@linux.alibaba.com fp:SMTPD_---0VScf.A8_1666231608)
          by smtp.aliyun-inc.com;
          Thu, 20 Oct 2022 10:06:49 +0800
Message-ID: <30747fd7-fe79-2ed8-ce63-425a008e3e4f@linux.alibaba.com>
Date:   Thu, 20 Oct 2022 10:06:48 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0)
 Gecko/20100101 Thunderbird/102.3.3
Subject: Re: [PATCH] ocfs2: possible memory leak in mlog_sys_init()
Content-Language: en-US
To:     Yang Yingliang <yangyingliang@huawei.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc:     mark@fasheh.com, jlbec@evilplan.org, akpm@linux-foundation.org,
        ocfs2-devel <ocfs2-devel@oss.oracle.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
References: <20221018075213.736562-1-yangyingliang@huawei.com>
 <bf27f347-5ced-98e5-f188-659cc2a9736f@linux.alibaba.com>
 <09bb2844-e20a-98e8-c2af-5b6c4795d48e@huawei.com>
 <c7a3bdac-3ed6-e695-5c45-e7007615a4d9@linux.alibaba.com>
 <0db486eb-6927-927e-3629-958f8f211194@huawei.com>
 <1adbbf98-2700-27c8-4aca-9510bca91458@linux.alibaba.com>
 <f6bc6dd3-f7b7-e757-fc36-d1cfbc7305e5@huawei.com>
From:   Joseph Qi <joseph.qi@linux.alibaba.com>
In-Reply-To: <f6bc6dd3-f7b7-e757-fc36-d1cfbc7305e5@huawei.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-9.9 required=5.0 tests=BAYES_00,
        ENV_AND_HDR_SPF_MATCH,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,
        SPF_PASS,UNPARSEABLE_RELAY,USER_IN_DEF_SPF_WL autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 10/19/22 10:57 AM, Yang Yingliang wrote:
> 
> On 2022/10/19 10:26, Joseph Qi wrote:
>>
>> On 10/18/22 10:28 PM, Yang Yingliang wrote:
>>> On 2022/10/18 21:39, Joseph Qi wrote:
>>>> On 10/18/22 6:33 PM, Yang Yingliang wrote:
>>>>> Hi,
>>>>>
>>>>> On 2022/10/18 17:02, Joseph Qi wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 10/18/22 3:52 PM, Yang Yingliang wrote:
>>>>>>> Inject fault while probing module, kset_register() may fail,
>>>>>>> if it fails, but the refcount of kobject is not decreased to
>>>>>>> 0, the name allocated in kobject_set_name() is leaked. Fix
>>>>>>> this by calling kset_put(), so that name can be freed in
>>>>>>> callback function kobject_cleanup().
>>>>>>>
>>>>>>> unreferenced object 0xffff888100da9348 (size 8):
>>>>>>>      comm "modprobe", pid 257, jiffies 4294701096 (age 33.334s)
>>>>>>>      hex dump (first 8 bytes):
>>>>>>>        6c 6f 67 6d 61 73 6b 00                          logmask.
>>>>>>>      backtrace:
>>>>>>>        [<00000000306e441c>] __kmalloc_node_track_caller+0x44/0x1b0
>>>>>>>        [<000000007c491a9e>] kstrdup+0x3a/0x70
>>>>>>>        [<0000000015719a3b>] kstrdup_const+0x63/0x80
>>>>>>>        [<0000000084e458ea>] kvasprintf_const+0x149/0x180
>>>>>>>        [<0000000091302b42>] kobject_set_name_vargs+0x56/0x150
>>>>>>>        [<000000005f48eeac>] kobject_set_name+0xab/0xe0
>>>>>>>
>>>>>>> Fixes: 34980ca8faeb ("Drivers: clean up direct setting of the name of a kset")
>>>>>>> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
>>>>>>> ---
>>>>>>>     fs/ocfs2/cluster/masklog.c | 7 ++++++-
>>>>>>>     1 file changed, 6 insertions(+), 1 deletion(-)
>>>>>>>
>>>>>>> diff --git a/fs/ocfs2/cluster/masklog.c b/fs/ocfs2/cluster/masklog.c
>>>>>>> index 563881ddbf00..7f9ba816d955 100644
>>>>>>> --- a/fs/ocfs2/cluster/masklog.c
>>>>>>> +++ b/fs/ocfs2/cluster/masklog.c
>>>>>>> @@ -156,6 +156,7 @@ static struct kset mlog_kset = {
>>>>>>>     int mlog_sys_init(struct kset *o2cb_kset)
>>>>>>>     {
>>>>>>>         int i = 0;
>>>>>>> +    int ret;
>>>>>>>           while (mlog_attrs[i].attr.mode) {
>>>>>>>             mlog_default_attrs[i] = &mlog_attrs[i].attr;
>>>>>>> @@ -165,7 +166,11 @@ int mlog_sys_init(struct kset *o2cb_kset)
>>>>>>>           kobject_set_name(&mlog_kset.kobj, "logmask");
>>>>>>>         mlog_kset.kobj.kset = o2cb_kset;
>>>>>>> -    return kset_register(&mlog_kset);
>>>>>>> +    ret = kset_register(&mlog_kset);
>>>>>> If register fails, it will call unregister in o2cb_sys_init(), which
>>>>>> will put kobject.
>>>>> They are different ksets, the kset unregistered in o2cb_sys_init() is 'o2cb_kset', the
>>>>> kset used to registered in mlog_sys_init() is 'mlog_kset', and they hold difference
>>>>> refcounts.
>>>>> Yes, you are right. I've mixed the two ksets up.
>>>> In theory, kset_register() may return error because of a NULL kset, so
>>>> here we may not call kset_put() directly, I'm not sure if a static
>>>> checker will happy.
>>>> Though this can't happen since it's already statically allocated...
>>> kset_register() may fail if kobject_add_internal() return error (can't allocate memory), the name
>>> "logmask" is dynamically alloctated while ocfs2 is compile as module and insert it (if ocfs2 is
>>> built in kernel, the name is constant, it won't cause a leak), so the name can be leaked.
>> What I mean is kset_register() may fail with many reasons, or even
>> without kset_init().
>> I wonder if we have to handle this internal kset_register(), but not
>> leave it to caller. This may benefit other callers as well.
>>
>> Something like:
>> err = kobject_add_internal(&k->kobj);
>> if (err) {
>>     kset_put(k);
>>     return err;
>> }
> I had think about this method to fix this, but some kset is allocated dynamically in driver and
> it's freed in callback function which is called after kset_put() and in error path in driver will free
> it again, it leads double free in some drivers.
> 
I don't think it's good idea that caller has to take care part of the
internal logic of kset_register() in case of error.
Hi Greg, what do you think?

Thanks,
Joseph

> I think kset_register() is similar with device_register(), if it fails need another put function to give
> up reference in driver.
>