Received: by 2002:a05:6358:111d:b0:dc:6189:e246 with SMTP id f29csp3413864rwi; Tue, 1 Nov 2022 21:15:20 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4+RsCF0+B07Zm/3ZsoZTnHVjoYnFD0dkAgkzBF1ZgfPLM2gzAjltMVACuU6qMu/UQ4q+LM X-Received: by 2002:a17:90b:2246:b0:213:48f0:297f with SMTP id hk6-20020a17090b224600b0021348f0297fmr23897027pjb.236.1667362520194; Tue, 01 Nov 2022 21:15:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1667362520; cv=none; d=google.com; s=arc-20160816; b=WSdERcJ7BPtFHBgSZJ8JuB9xkM8LijwqmLmQfdaACTkfJHilaJ7VONRXZW8Le1MxHG tPYsOxfS3WAwSnSzNSZ3iDVHU+k5HUrnOWuMbjrMz1MVZKbqHOp7dxHP4JNnb9iSCyoH iF3qkHHSpBrhAH1OdGjbAjKZN/X6kJ0E0ZCdWSrld8fu1ZeB6DWkzAJgZrHzMmt85+jJ L5r8ynEoViQjVKRv3VBYIDkb1Kwd3FJbPjE79QhaQ7SnKfQA8/9THx7Z8cVp4T3ae2pI jHiIzYRGsAAs6aZxwW08UKU8EdKX7kouuUyo9/Mcnd5h+3ha+jNMdd9gg3Gy4eus7VPr Ea3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=lOX0gnUZS1nKKh/ME8w4VxQ9VNLAlhVU+WhzCYcyDYM=; b=xGODo0N2pmmn7nzdXrRW9G0VVd50xB0QxRTCyIx9usjpMS3FcuOBsUuA7/4ssHtq8I ArO9V/L+RjBvZf0HKEmgCkf3m4lYsy12OPQXHs2YxmhDdhrPkHqVi7WnoO1iPUOvvoRt 8U9SdyfoqrpysQBlvNNBt2aowN866+cFpFJzthWutr8kWXmoL31RSdAml0hHBiZf8H1T VOSlxg4NZeXaXKDdfBctnBNJDmto9O/vK7xBvavvrVQxprDDxoIzcBhlYy9vBWdwxQrC wz2WNvx6JHb2B34tJyF/ug3nBitFmPkBeNCLvjUktRFeQ1ggQ102zSHw/GHgKBrt5Ev+ yUnw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LJJIu1Fb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b11-20020a056a000a8b00b0056be9c34518si15353163pfl.40.2022.11.01.21.15.07; Tue, 01 Nov 2022 21:15:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LJJIu1Fb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230383AbiKBDsY (ORCPT + 96 others); Tue, 1 Nov 2022 23:48:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34986 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230379AbiKBDsO (ORCPT ); Tue, 1 Nov 2022 23:48:14 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DC8FC275F2 for ; Tue, 1 Nov 2022 20:48:12 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 788E6617BA for ; Wed, 2 Nov 2022 03:48:12 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1ACC1C433D7; Wed, 2 Nov 2022 03:48:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1667360891; bh=2FsdKsKH+tYq1Nh5CMQAilAimPBI7XTQXud60nZ5JjM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=LJJIu1FbnadSEvssXm3aPhb95cFa+Gvx2azUkfaAF0RuBcSDSMc+QrsGRu8x6ryrp W8ISutGBrEVPQ1EWneEb5URSZbIzQnI+z6eaE8QD+G3QsCJtGe/LkOenJ+xMfi2pXA +rD/t/ljYbcdtBuHg00VyNobvy04gAtiQlk5wvo8= Date: Wed, 2 Nov 2022 03:59:23 +0100 From: Greg KH To: shangxiaojing Cc: Ian Abbott , hsweeten@visionengravers.com, zhangxuezhi1@coolpad.com, fmhess@users.sourceforge.net, linux-kernel@vger.kernel.org Subject: Re: [PATCH] comedi: Fix potential memory leak in comedi_init() Message-ID: References: <20221101032125.27337-1-shangxiaojing@huawei.com> <32c291d7-0e87-ec1f-e2af-28d7f8ca0981@huawei.com> <5b8ee99d-2358-39c5-b663-2d1c80353639@mev.co.uk> <04bf1874-77bc-ce73-28e2-04fe4d098e58@mev.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Spam-Status: No, score=-8.2 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Nov 02, 2022 at 10:51:35AM +0800, shangxiaojing wrote: > > > On 2022/11/2 0:41, Ian Abbott wrote: > > On 01/11/2022 11:40, Ian Abbott wrote: > > > On 01/11/2022 06:16, shangxiaojing wrote: > > > > > > > > > > > > On 2022/11/1 12:45, Greg KH wrote: > > > > > On Tue, Nov 01, 2022 at 11:21:25AM +0800, Shang XiaoJing wrote: > > > > > > comedi_init() will goto out_unregister_chrdev_region if cdev_add() > > > > > > failed, which won't free the resource alloced in kobject_set_name(). > > > > > > Call kfree_const() to free the leaked name before goto > > > > > > out_unregister_chrdev_region. > > > > > > > > > > > > unreferenced object 0xffff8881000fa8c0 (size 8): > > > > > > ?? comm "modprobe", pid 239, jiffies 4294905173 (age 51.308s) > > > > > > ?? hex dump (first 8 bytes): > > > > > > ???? 63 6f 6d 65 64 69 00 ff????????????????????????? comedi.. > > > > > > ?? backtrace: > > > > > > ???? [<000000005f9878f7>] __kmalloc_node_track_caller+0x4c/0x1c0 > > > > > > ???? [<000000000fd70302>] kstrdup+0x3f/0x70 > > > > > > ???? [<000000009428bc33>] kstrdup_const+0x46/0x60 > > > > > > ???? [<00000000ed50d9de>] kvasprintf_const+0xdb/0xf0 > > > > > > ???? [<00000000b2766964>] kobject_set_name_vargs+0x3c/0xe0 > > > > > > ???? [<00000000f2424ef7>] kobject_set_name+0x62/0x90 > > > > > > ???? [<000000005d5a125b>] 0xffffffffa0013098 > > > > > > ???? [<00000000f331e663>] do_one_initcall+0x7a/0x380 > > > > > > ???? [<00000000aa7bac96>] do_init_module+0x5c/0x230 > > > > > > ???? [<000000005fd72335>] load_module+0x227d/0x2420 > > > > > > ???? [<00000000ad550cf1>] __do_sys_finit_module+0xd5/0x140 > > > > > > ???? [<00000000069a60c5>] do_syscall_64+0x3f/0x90 > > > > > > ???? [<00000000c5e0d521>] entry_SYSCALL_64_after_hwframe+0x63/0xcd > > > > > > > > > > > > Fixes: ed9eccbe8970 ("Staging: add comedi core") > > > > > > Signed-off-by: Shang XiaoJing > > > > > > --- > > > > > > ? drivers/comedi/comedi_fops.c | 5 ++++- > > > > > > ? 1 file changed, 4 insertions(+), 1 deletion(-) > > > > > > > > > > > > diff --git a/drivers/comedi/comedi_fops.c > > > > > > b/drivers/comedi/comedi_fops.c > > > > > > index e2114bcf815a..2c508c2cf6f6 100644 > > > > > > --- a/drivers/comedi/comedi_fops.c > > > > > > +++ b/drivers/comedi/comedi_fops.c > > > > > > @@ -3379,8 +3379,11 @@ static int __init comedi_init(void) > > > > > > ????? retval = cdev_add(&comedi_cdev, MKDEV(COMEDI_MAJOR, 0), > > > > > > ??????????????? COMEDI_NUM_MINORS); > > > > > > -??? if (retval) > > > > > > +??? if (retval) { > > > > > > +??????? kfree_const(comedi_cdev.kobj.name); > > > > > > +??????? comedi_cdev.kobj.name = NULL; > > > > > > ????????? goto out_unregister_chrdev_region; > > > > > > +??? } > > > > > > > > > > A driver should never have to poke around in the internals of a cdev > > > > > object like this.? Please fix the cdev core to not need this if > > > > > cdev_add() fails. > > > > > > Or at least there should be a function that can be called to undo > > > the allocations of kobject_set_name(). > > > > Looking at it a bit more, cdev_init() calls kobject_init(), and > > kobject_init() requires a matching call to kobject_put().? Nothing is > > calling kobject_put() in this situation.? Calling cdev_del() will call > > kobject_put(), so is that the correct way to clean up after cdev_init() > > if the call to cdev_add() fails? > > > > Some cdev call cdev_del() when cdev_add() failed (like init_dvbdev()), and > at that time the cdev_unmap() in cdev_del() won't do anything due to the > failure of cdev_add(), which is calling the kobject_put() when cdev_add() > failed. But I'm not sure which one is better. My point is that no one calling the cdev_add() call should have to do this type of "cleanup" The cdev code should do it automatically, we don't want to have to audit every user of cdev_add() today, and in the future for forever, to ensure they got it right. Let's fix it up in the cdev code itself please. The kobject in a cdev is a very odd thing, it's not the "normal" type of kobject that you expect, so the cdev code should handle all of that on its own and that should not "leak" into any caller. thanks, greg k-h