LinuxLists.cc - [PATCH v2 1/3] nfsd: Fix a memory leak in an error handling path

2022-09-01 05:28:22

Subject: [PATCH v2 1/3] nfsd: Fix a memory leak in an error handling path

If this memdup_user() call fails, the memory allocated in a previous call
a few lines above should be freed. Otherwise it leaks.

Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2")
Signed-off-by: Christophe JAILLET <[email protected]>
---
fs/nfsd/nfs4recover.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
index b29d27eaa8a6..248ff9f4141c 100644
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -815,8 +815,10 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
princhash.data = memdup_user(
&ci->cc_princhash.cp_data,
princhashlen);
- if (IS_ERR_OR_NULL(princhash.data))
+ if (IS_ERR_OR_NULL(princhash.data)) {
+ kfree(name.data);
return -EFAULT;
+ }
princhash.len = princhashlen;
} else
princhash.len = 0;
--
2.34.1

2022-09-01 05:29:13

by Christophe JAILLET

[permalink] [raw]

Subject: [PATCH v2 2/3] nfsd: Avoid some useless tests

memdup_user() can't return NULL, so there is no point for checking for it.

Simplify some tests accordingly.

Suggested-by: Dan Carpenter <[email protected]>
Signed-off-by: Christophe JAILLET <[email protected]>
---
fs/nfsd/nfs4recover.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
index 248ff9f4141c..2968cf604e3b 100644
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -807,7 +807,7 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
if (get_user(namelen, &ci->cc_name.cn_len))
return -EFAULT;
name.data = memdup_user(&ci->cc_name.cn_id, namelen);
- if (IS_ERR_OR_NULL(name.data))
+ if (IS_ERR(name.data))
return -EFAULT;
name.len = namelen;
get_user(princhashlen, &ci->cc_princhash.cp_len);
@@ -815,7 +815,7 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
princhash.data = memdup_user(
&ci->cc_princhash.cp_data,
princhashlen);
- if (IS_ERR_OR_NULL(princhash.data)) {
+ if (IS_ERR(princhash.data)) {
kfree(name.data);
return -EFAULT;
}
@@ -829,7 +829,7 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
if (get_user(namelen, &cnm->cn_len))
return -EFAULT;
name.data = memdup_user(&cnm->cn_id, namelen);
- if (IS_ERR_OR_NULL(name.data))
+ if (IS_ERR(name.data))
return -EFAULT;
name.len = namelen;
}
--
2.34.1

2022-09-01 05:29:15

by Christophe JAILLET

[permalink] [raw]

Subject: [PATCH v2 3/3] nfsd: Propagate some error code returned by memdup_user()

Propagate the error code returned by memdup_user() instead of a hard coded
-EFAULT.

Suggested-by: Dan Carpenter <[email protected]>
Signed-off-by: Christophe JAILLET <[email protected]>
---
This patch is speculative. The whole call chains have not been checked to
see if there was no path explicitly expecting a -EFAULT.
---
fs/nfsd/nfs4recover.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
index 2968cf604e3b..78b8cd9651d5 100644
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -808,7 +808,7 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
return -EFAULT;
name.data = memdup_user(&ci->cc_name.cn_id, namelen);
if (IS_ERR(name.data))
- return -EFAULT;
+ return PTR_ERR(name.data);
name.len = namelen;
get_user(princhashlen, &ci->cc_princhash.cp_len);
if (princhashlen > 0) {
@@ -817,7 +817,7 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
princhashlen);
if (IS_ERR(princhash.data)) {
kfree(name.data);
- return -EFAULT;
+ return PTR_ERR(princhash.data);
}
princhash.len = princhashlen;
} else
@@ -830,7 +830,7 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
return -EFAULT;
name.data = memdup_user(&cnm->cn_id, namelen);
if (IS_ERR(name.data))
- return -EFAULT;
+ return PTR_ERR(name.data);
name.len = namelen;
}
if (name.len > 5 && memcmp(name.data, "hash:", 5) == 0) {
--
2.34.1

2022-09-01 11:26:44

by Jeff Layton

[permalink] [raw]

Subject: Re: [PATCH v2 1/3] nfsd: Fix a memory leak in an error handling path

On Thu, 2022-09-01 at 07:27 +0200, Christophe JAILLET wrote:
> If this memdup_user() call fails, the memory allocated in a previous call
> a few lines above should be freed. Otherwise it leaks.
>
> Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2")
> Signed-off-by: Christophe JAILLET <[email protected]>
> ---
> fs/nfsd/nfs4recover.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
> index b29d27eaa8a6..248ff9f4141c 100644
> --- a/fs/nfsd/nfs4recover.c
> +++ b/fs/nfsd/nfs4recover.c
> @@ -815,8 +815,10 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
> princhash.data = memdup_user(
> &ci->cc_princhash.cp_data,
> princhashlen);
> - if (IS_ERR_OR_NULL(princhash.data))
> + if (IS_ERR_OR_NULL(princhash.data)) {
> + kfree(name.data);
> return -EFAULT;
> + }
> princhash.len = princhashlen;
> } else
> princhash.len = 0;

Reviewed-by: Jeff Layton <[email protected]>

2022-09-01 11:26:57

by Jeff Layton

[permalink] [raw]

Subject: Re: [PATCH v2 2/3] nfsd: Avoid some useless tests

On Thu, 2022-09-01 at 07:27 +0200, Christophe JAILLET wrote:
> memdup_user() can't return NULL, so there is no point for checking for it.
>
> Simplify some tests accordingly.
>
> Suggested-by: Dan Carpenter <[email protected]>
> Signed-off-by: Christophe JAILLET <[email protected]>
> ---
> fs/nfsd/nfs4recover.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
> index 248ff9f4141c..2968cf604e3b 100644
> --- a/fs/nfsd/nfs4recover.c
> +++ b/fs/nfsd/nfs4recover.c
> @@ -807,7 +807,7 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
> if (get_user(namelen, &ci->cc_name.cn_len))
> return -EFAULT;
> name.data = memdup_user(&ci->cc_name.cn_id, namelen);
> - if (IS_ERR_OR_NULL(name.data))
> + if (IS_ERR(name.data))
> return -EFAULT;
> name.len = namelen;
> get_user(princhashlen, &ci->cc_princhash.cp_len);
> @@ -815,7 +815,7 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
> princhash.data = memdup_user(
> &ci->cc_princhash.cp_data,
> princhashlen);
> - if (IS_ERR_OR_NULL(princhash.data)) {
> + if (IS_ERR(princhash.data)) {
> kfree(name.data);
> return -EFAULT;
> }
> @@ -829,7 +829,7 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
> if (get_user(namelen, &cnm->cn_len))
> return -EFAULT;
> name.data = memdup_user(&cnm->cn_id, namelen);
> - if (IS_ERR_OR_NULL(name.data))
> + if (IS_ERR(name.data))
> return -EFAULT;
> name.len = namelen;
> }

Reviewed-by: Jeff Layton <[email protected]>

2022-09-01 11:28:38

by Jeff Layton

[permalink] [raw]

Subject: Re: [PATCH v2 3/3] nfsd: Propagate some error code returned by memdup_user()

On Thu, 2022-09-01 at 07:27 +0200, Christophe JAILLET wrote:
> Propagate the error code returned by memdup_user() instead of a hard coded
> -EFAULT.
>
> Suggested-by: Dan Carpenter <[email protected]>
> Signed-off-by: Christophe JAILLET <[email protected]>
> ---
> This patch is speculative. The whole call chains have not been checked to
> see if there was no path explicitly expecting a -EFAULT.
> ---
> fs/nfsd/nfs4recover.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
> index 2968cf604e3b..78b8cd9651d5 100644
> --- a/fs/nfsd/nfs4recover.c
> +++ b/fs/nfsd/nfs4recover.c
> @@ -808,7 +808,7 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
> return -EFAULT;
> name.data = memdup_user(&ci->cc_name.cn_id, namelen);
> if (IS_ERR(name.data))
> - return -EFAULT;
> + return PTR_ERR(name.data);
> name.len = namelen;
> get_user(princhashlen, &ci->cc_princhash.cp_len);
> if (princhashlen > 0) {
> @@ -817,7 +817,7 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
> princhashlen);
> if (IS_ERR(princhash.data)) {
> kfree(name.data);
> - return -EFAULT;
> + return PTR_ERR(princhash.data);
> }
> princhash.len = princhashlen;
> } else
> @@ -830,7 +830,7 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
> return -EFAULT;
> name.data = memdup_user(&cnm->cn_id, namelen);
> if (IS_ERR(name.data))
> - return -EFAULT;
> + return PTR_ERR(name.data);
> name.len = namelen;
> }
> if (name.len > 5 && memcmp(name.data, "hash:", 5) == 0) {

I *think* this error gets propagated to userland on a write to
rpc_pipefs, and the callers already handle a variety of errors. This
looks reasonable to me.

Reviewed-by: Jeff Layton <[email protected]>