Subject: Re: [PATCH v2] kset: fix memory leak when kset_register() returns error
To: Greg KH
From: Yang Yingliang
Message-ID: <8281fc72-948a-162d-6e5f-a9fe29d8ee46@huawei.com>
Date: Mon, 24 Oct 2022 22:39:44 +0800

On 2022/10/24 21:52, Greg KH wrote:
> On Mon, Oct 24, 2022 at 08:19:10PM +0800, Yang Yingliang wrote:
>> Inject fault while loading module, kset_register() may fail.
>> If it fails, the name allocated by kobject_set_name() which
>> is called before kset_register() is leaked, because refcount
>> of kobject is held in kset_init().
>>
>> As a kset may be embedded in a larger structure which needs
>> to be freed in release() function or error path in callers, we
>> can not call kset_put() in kset_register(), or it will cause
>> double free, so just call kfree_const() to free the name and
>> set it to NULL.
>>
>> With this fix, the callers don't need to care about the name
>> freeing and call an extra kset_put() if kset_register() fails.
>>
>> Suggested-by: Luben Tuikov
>> Signed-off-by: Yang Yingliang
>> ---
>> v1 -> v2:
>> Free name inside of kset_register() instead of calling kset_put()
>> in drivers.
>> ---
>> lib/kobject.c | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/lib/kobject.c b/lib/kobject.c
>> index a0b2dbfcfa23..3409a89c81e5 100644
>> --- a/lib/kobject.c >> +++ b/lib/kobject.c >> @@ -834,6 +834,9 @@ EXPORT_SYMBOL_GPL(kobj_sysfs_ops); >> /** >> * kset_register() - Initialize and add a kset. >> * @k: kset. >> + * >> + * NOTE: On error, the kset.kobj.name allocated by() kobj_set_name() >> + * which is called before kset_register() in caller need be freed. > This comment doesn't make any sense anymore. No caller needs to worry > about this, right? With this fix, the name is freed inside of kset_register(), it can not be accessed, if it allocated dynamically, but callers don't know this if no comment here, they may use it in error path (something like to print error message with it), so how about comment like this to tell callers not to use the name: NOTE: On error, the kset.kobj.name allocated by() kobj_set_name() is freed, it can not be used any more. > >> */ >> int kset_register(struct kset *k) >> { >> @@ -844,8 +847,11 @@ int kset_register(struct kset *k) >> >> kset_init(k); >> err = kobject_add_internal(&k->kobj); >> - if (err) >> + if (err) { >> + kfree_const(k->kobj.name); >> + k->kobj.name = NULL; > Why are you setting the name here to NULL? I set it to NULL to avoid accessing bad pointer in callers, if callers use it in error path, current callers won't use this name pointer in error path, so we can remove this assignment? Thanks, Yang > > thanks, > > greg k-h > .
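Review bot: In the first hunk (@@ -834,6 +834,9, the kernel-doc for kset_register()), the added NOTE contradicts the code change in the second hunk: it tells the caller that the name "need be freed", while the error branch now frees it inside kset_register(). It also contains a stray "by()" and names kobj_set_name(), whereas the commit message refers to kobject_set_name(). Suggest rewording it to say that on error the name set before the call has already been freed, that k->kobj.name is NULL on return, and that callers must neither use nor free it.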
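Review bot: In the second hunk (@@ -844,8 +847,11, the error branch after kobject_add_internal()), the k->kobj.name = NULL assignment should stay paired with kfree_const(): without it the kset returns to the caller holding a dangling pointer, and the commit message itself notes that ksets are often embedded in larger structures cleaned up by release() or a caller error path, where a later read or free of the name would hit already-freed memory. A short comment above the branch explaining why the name is freed here instead of through kset_put() (the double-free reasoning from the commit message) would make the ownership rule visible in the code, not only in the changelog.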