lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <200705162331.16429.jesper.juhl@gmail.com>
Date:	Wed, 16 May 2007 23:31:16 +0200
From:	Jesper Juhl <jesper.juhl@...il.com>
To:	xfs-masters@....sgi.com
Cc:	xfs@....sgi.com,
	"Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>,
	Jesper Juhl <jesper.juhl@...il.com>
Subject: [RFC][PATCH] XFS: memory leak in xfs_inactive() - is xfs_trans_free() enough or do we need xfs_trans_cancel() ?

Hi,

The Coverity checker found a memory leak in xfs_inactive().

The offending code is this bit : 

1671 		tp = xfs_trans_alloc(mp, XFS_TRANS_INACTIVE);

At conditional (1): "truncate != 0" taking true path

1672 		if (truncate) {
1673 			/*
1674 			 * Do the xfs_itruncate_start() call before
1675 			 * reserving any log space because itruncate_start
1676 			 * will call into the buffer cache and we can't
1677 			 * do that within a transaction.
1678 			 */
1679 			xfs_ilock(ip, XFS_IOLOCK_EXCL);
1680 	
1681 			error = xfs_itruncate_start(ip, XFS_ITRUNC_DEFINITE, 0);

At conditional (2): "error != 0" taking true path

1682 			if (error) {
1683 				xfs_iunlock(ip, XFS_IOLOCK_EXCL);

Event leaked_storage: Returned without freeing storage "tp"
Also see events: [alloc_fn][var_assign]

1684 				return VN_INACTIVE_CACHE;
1685 			}

So, the code allocates a transaction, but in the case where 'truncate' is !=0 and xfs_itruncate_start(ip, XFS_ITRUNC_DEFINITE, 0); happens to return an error, we'll just return from the function without dealing with the memory allocated byxfs_trans_alloc() and assigned to 'tp', thus it'll be orphaned/leaked - not good.

What I'm wondering is this; is it enough, at this point, to call xfs_trans_free(tp); (it would seem to me that would be OK, but I'm not intimite with this code) or do we need a full xfs_trans_cancel(tp, 0);  ???

In case I'm right and xfs_trans_free(tp); is all we need, then please consider the patch below. Otherwise please NACK the patch and I'll cook up another one :-)


Fix memory leak on error in xfs_inactive().

Signed-off-by: Jesper Juhl <jesper.juhl@...il.com>
--- 
 fs/xfs/xfs_vnodeops.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
index de17aed..e0d3d51 100644
--- a/fs/xfs/xfs_vnodeops.c
+++ b/fs/xfs/xfs_vnodeops.c
@@ -1681,6 +1681,7 @@ xfs_inactive(
 		error = xfs_itruncate_start(ip, XFS_ITRUNC_DEFINITE, 0);
 		if (error) {
 			xfs_iunlock(ip, XFS_IOLOCK_EXCL);
+			xfs_trans_free(tp);
 			return VN_INACTIVE_CACHE;
 		}
 


-- 
Jesper Juhl <jesper.juhl@...il.com>
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please      http://www.expita.com/nomime.html

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ