Subject: Re: [PATCH] powercap: fix possible name leak while device_register() fails
From: Yang Yingliang
To: Greg Kroah-Hartman, "Rafael J. Wysocki"
CC: Linux Kernel Mailing List
Date: Thu, 24 Nov 2022 10:16:06 +0800
References: <20221112094048.3614365-1-yangyingliang@huawei.com>

On 2022/11/24 3:25, Greg Kroah-Hartman wrote:
> On Wed, Nov 23, 2022 at 08:00:14PM +0100, Rafael J. Wysocki wrote:
>> On Sat, Nov 12, 2022 at 10:42 AM Yang Yingliang
>> wrote:
>>> If device_register() returns error, the name allocated by

Sorry, I didn't describe clearly here, it's not only after
device_register() failure, but also in the error path before
register, the name is not freed, see description below.

>>> dev_set_name() need be freed. In technical, we should call
>>> put_device() to give up the reference and free the name in
>>> driver core, but in some cases the device is not initialized,
>>> put_device() can not be called, so don't complicate the code,
>>> just call kfree_const() to free name in the error path.
>>>
>>> Fixes: 75d2364ea0ca ("PowerCap: Add class driver")
>>> Signed-off-by: Yang Yingliang
>>> ---
>>> drivers/powercap/powercap_sys.c | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c >>> index f0654a932b37..11e742dc83b9 100644 >>> --- a/drivers/powercap/powercap_sys.c 
>>> +++ b/drivers/powercap/powercap_sys.c >>> @@ -572,6 +572,7 @@ struct powercap_zone *powercap_register_zone( >>> err_name_alloc: >>> idr_remove(power_zone->parent_idr, power_zone->id); >>> err_idr_alloc: >>> + kfree_const(dev_name(&power_zone->dev)); >>> if (power_zone->allocated) >>> kfree(power_zone); >>> mutex_unlock(&control_type->lock); 
>>> @@ -622,6 +623,7 @@ struct powercap_control_type *powercap_register_control_type( >>> dev_set_name(&control_type->dev, "%s", name); >>> result = device_register(&control_type->dev); >>> if (result) { >>> + kfree_const(dev_name(&control_type->dev));
>> Why is it necessary to free a device name explicitly after a failing
>> device_register()?

powercap_register_zone()
{
    ...
    dev_set_name() // allocate name
    ...
    if (!power_zone->constraints)
        goto err_const_alloc; // the name is leaked in this path
    ...
    if (!power_zone->zone_dev_attrs)
        goto err_attr_alloc; // the name is leaked in this path
    ...
    if (result)
        goto err_dev_ret; // the name is leaked in this path
    result = device_register(&power_zone->dev);
    if (result)
        goto err_dev_ret; // put_device() is not called, the name is leaked in this path
    ...
err_dev_ret:
    kfree(power_zone->zone_dev_attrs);
err_attr_alloc:
    kfree(power_zone->constraints);
err_const_alloc:
    kfree(power_zone->name);
err_name_alloc:
    idr_remove(power_zone->parent_idr, power_zone->id);
err_idr_alloc:
    if (power_zone->allocated)
        kfree(power_zone);
}

>>
>> If it is really necessary, then there is a problem in
>> device_register() itself AFAICS, because it uses dev_set_name() at
>> least in the dev->init_name present case.

When dev_set_name() is called in device_register(), if register fails,
the name is freed in its error path. But in this case, dev_set_name() is
called outside the register; it needs to call put_device() to free the name.

> I think we already fixed this in the driver core, so these types of
> patches should not be applied.

The driver core frees the name by calling put_device(), but in these two
functions, put_device() is not called.

Thanks,
Yang

>
> Yang, can you make sure you respond to all of them and say "this is not
> needed anymore!" and if any got merged, send reverts for them?
>
> thanks,
>
> greg k-h
> .
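
Review bot: In the first hunk (powercap_register_zone(), under err_idr_alloc:), the added kfree_const(dev_name(&power_zone->dev)) sits at the last unwind label, so it also runs for failures that jump to err_name_alloc or err_idr_alloc, whether or not dev_set_name() has run at that point. It also leaves the freed pointer stored in the device when power_zone is caller-owned, since the kfree(power_zone) below it is conditional on power_zone->allocated. Consider freeing the name at a label that only the paths after dev_set_name() reach, and stating in the commit message that the pre-register error paths are being fixed, because the subject and first sentence mention only a device_register() failure.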
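
Review bot: In the second hunk (powercap_register_control_type(), inside if (result) right after device_register()), the commit message's reason for avoiding put_device(), "the device is not initialized", does not match this site, because device_register() has already been called on control_type->dev. The commit message itself says put_device() is the proper way to give up the reference and free the name; suggest using put_device(&control_type->dev) here, or explaining in the commit message why it cannot be used, and checking that the rest of this branch (not visible in the quoted hunk) does not then free control_type a second time.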
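
Added example, not part of the thread or of the kernel source: a user-space C model of the error-path ladder sketched in the reply, which injects a failure at each stage and counts the allocations still live afterwards. The names xalloc, xfree, register_zone and leaked_after_failure and the stage numbers are constructed for illustration; it models only the allocation count, not the reference counting that put_device() performs.

```c
/* User-space model of the unwind ladder sketched in the thread; not kernel code. */
#include <stdio.h>
#include <stdlib.h>
static int live, fail_at;  /* live allocations; constructed failure stage (0 = none) */
static void *xalloc(size_t n, int stage)
{
    void *p = (stage == fail_at) ? NULL : malloc(n);
    if (p) live++;
    return p;
}
static void xfree(void *p) { if (p) { live--; free(p); } }
struct zone { char *dev_name; void *constraints; void *attrs; };

/* Returns 0 on success, -1 after unwinding a failure. */
static int register_zone(struct zone *z, int free_name)
{
    z->dev_name = xalloc(16, 1);         /* stands in for dev_set_name() */
    if (!z->dev_name) goto err_name;
    z->constraints = xalloc(32, 2);
    if (!z->constraints) goto err_const_alloc;
    z->attrs = xalloc(32, 3);
    if (!z->attrs) goto err_attr_alloc;
    if (fail_at == 4) goto err_dev_ret;  /* stands in for a failed register step */
    return 0;
err_dev_ret:
    xfree(z->attrs);
err_attr_alloc:
    xfree(z->constraints);
err_const_alloc:
    if (free_name) xfree(z->dev_name);   /* the free the leaking paths lack */
err_name:
    return -1;
}

/* Fail at one stage; return how many allocations are still live afterwards. */
static int leaked_after_failure(int stage, int free_name)
{
    struct zone z;
    live = 0; fail_at = stage;
    if (register_zone(&z, free_name) == 0) {  /* success: release everything */
        xfree(z.attrs); xfree(z.constraints); xfree(z.dev_name);
    }
    return live;
}
int main(void)
{
    for (int s = 1; s <= 4; s++)
        printf("stage %d: %d/%d\n", s, leaked_after_failure(s, 0), leaked_after_failure(s, 1));
    return 0;
}
```

Each output line shows the leak count without and with the name free; running the same failure-injection loop under a leak checker gives the same answer for real allocators.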