Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp7176176rwi; Mon, 24 Oct 2022 10:46:46 -0700 (PDT) X-Google-Smtp-Source: AMsMyM6yEysGgFz08lkfv1Mq8Ht0n9wWg7JrbyRwrP8Ismdhar0hLgQTNHKSks46YmGcZ40RDCvN X-Received: by 2002:a17:907:3e85:b0:73d:60cc:5d06 with SMTP id hs5-20020a1709073e8500b0073d60cc5d06mr29592351ejc.722.1666633605677; Mon, 24 Oct 2022 10:46:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666633605; cv=none; d=google.com; s=arc-20160816; b=IZerkDDTdFyjB+ZbZmZKbtHjDq+WLmfKZ3A0EuPv5gOm5I4E0VyUrq0PXJczmLObUF 5Ov8N8ERq3ZrRrU25rmx923gJchdYOXWfzdrDL2IKNtrDh+U0S+K6qI7L3YUeDannvbK wuxA194ei3HI/4Q6/i/vDDu+aMGwKdrE7B554cQuu/oQ6PJ4Gv4bgiLve1Wl2RUuUptG VU5N3nXEhPie5wtV9yj93FC5h6hMxjBVOgZ4PjWDCy5sX4glpPeDJeZSmnB/M1Sxct0u PcVIQGciHuZCWsMMr/IRAIPOLz1i/QL8geUbzZoqgsmOHZc+f6cI2VVNcyayY+CljVRK Dw0Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=udyUzm35RI/f0W3jtWSfwrk7u0Q87rqFbmMiG41Kfcc=; b=R02dTAv/ICRma/BsakxSqqlt1vJNFoGc1plaLlCQnbTY+VUizIISI9UdwuwW4lLniH bh0rtQAO+1lY9BLVFUmGMFZ7p2TwjjZ0+VBbSiSmAIjtLqRoJZ3LEpZMf9PbCcmpF/aM x1t5Qdgs6XsYUoqRVZR9+veC7UeuJAdqVHOFi/lVzeHakhWIpbAS/08n4MYFj5Os1a2u wXgk22/6fxgmvJp2DKmlwJgB+hRjLqPwoVnx0oAKSOAwv+H0BfcoqnTbGsP9N3l1fldG DggBB8MBOBmbyuU3k03aanRGsxjYDBzCKH/iUZjyavcFoOzANx0TDnGP2yKEeX5ozX9e HPfw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v16-20020aa7cd50000000b004614db9789asi364358edw.127.2022.10.24.10.46.19; Mon, 24 Oct 2022 10:46:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232063AbiJXRMu (ORCPT + 99 others); Mon, 24 Oct 2022 13:12:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47708 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232414AbiJXRMg (ORCPT ); Mon, 24 Oct 2022 13:12:36 -0400 Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4B1165A3C4 for ; Mon, 24 Oct 2022 08:47:41 -0700 (PDT) Received: from dggpemm500020.china.huawei.com (unknown [172.30.72.57]) by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4Mwyzq5YM5z15M0P; Mon, 24 Oct 2022 23:05:11 +0800 (CST) Received: from dggpemm500007.china.huawei.com (7.185.36.183) by dggpemm500020.china.huawei.com (7.185.36.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Mon, 24 Oct 2022 23:10:02 +0800 Received: from [10.174.178.174] (10.174.178.174) by dggpemm500007.china.huawei.com (7.185.36.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Mon, 24 Oct 2022 23:10:01 +0800 Subject: Re: [PATCH v2] kset: fix memory leak when kset_register() returns error To: Greg KH CC: , , , , , , , , , , , , , , , , , , , , , , References: <20221024121910.1169801-1-yangyingliang@huawei.com> <8281fc72-948a-162d-6e5f-a9fe29d8ee46@huawei.com> From: Yang Yingliang Message-ID: <87e4e75b-a26e-6b4b-4799-c56c0b8891c0@huawei.com> Date: Mon, 24 Oct 2022 23:10:00 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8"; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-Originating-IP: [10.174.178.174] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To dggpemm500007.china.huawei.com (7.185.36.183) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022/10/24 22:53, Greg KH wrote: > On Mon, Oct 24, 2022 at 10:39:44PM +0800, Yang Yingliang wrote: >> On 2022/10/24 21:52, Greg KH wrote: >>> On Mon, Oct 24, 2022 at 08:19:10PM +0800, Yang Yingliang wrote: >>>> Inject fault while loading module, kset_register() may fail. >>>> If it fails, the name allocated by kobject_set_name() which >>>> is called before kset_register() is leaked, because refcount >>>> of kobject is hold in kset_init(). >>>> >>>> As a kset may be embedded in a larger structure which needs >>>> be freed in release() function or error path in callers, we >>>> can not call kset_put() in kset_register(), or it will cause >>>> double free, so just call kfree_const() to free the name and >>>> set it to NULL. >>>> >>>> With this fix, the callers don't need to care about the name >>>> freeing and call an extra kset_put() if kset_register() fails. >>>> >>>> Suggested-by: Luben Tuikov >>>> Signed-off-by: Yang Yingliang >>>> --- >>>> v1 -> v2: >>>> Free name inside of kset_register() instead of calling kset_put() >>>> in drivers. >>>> --- >>>> lib/kobject.c | 8 +++++++- >>>> 1 file changed, 7 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/lib/kobject.c b/lib/kobject.c >>>> index a0b2dbfcfa23..3409a89c81e5 100644 >>>> --- a/lib/kobject.c >>>> +++ b/lib/kobject.c >>>> @@ -834,6 +834,9 @@ EXPORT_SYMBOL_GPL(kobj_sysfs_ops); >>>> /** >>>> * kset_register() - Initialize and add a kset. >>>> * @k: kset. >>>> + * >>>> + * NOTE: On error, the kset.kobj.name allocated by() kobj_set_name() >>>> + * which is called before kset_register() in caller need be freed. >>> This comment doesn't make any sense anymore. No caller needs to worry >>> about this, right? >> With this fix, the name is freed inside of kset_register(), it can not be >> accessed, > Agreed. > >> if it allocated dynamically, but callers don't know this if no comment here, >> they may use it in error path (something like to print error message with >> it), >> so how about comment like this to tell callers not to use the name: >> >> NOTE: On error, the kset.kobj.name allocated by() kobj_set_name() >> is freed, it can not be used any more. > Sure, that's a better way to word it. > >>>> */ >>>> int kset_register(struct kset *k) >>>> { >>>> @@ -844,8 +847,11 @@ int kset_register(struct kset *k) >>>> kset_init(k); >>>> err = kobject_add_internal(&k->kobj); >>>> - if (err) >>>> + if (err) { >>>> + kfree_const(k->kobj.name); >>>> + k->kobj.name = NULL; >>> Why are you setting the name here to NULL? >> I set it to NULL to avoid accessing bad pointer in callers, >> if callers use it in error path, current callers won't use this >> name pointer in error path, so we can remove this assignment? > Ah, I didn't think about using it on error paths. Ideally that would > never happen, but that's good to set just to make it obvious. How about > adding a small comment here saying why you are setting it so we all > remember it in 5 years when we look at the code again. OK, I can add it in v3. Thanks, Yang > > thanks, > > greg k-h > .