lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1513711816-2618-10-git-send-email-dongwon.kim@intel.com>
Date:   Tue, 19 Dec 2017 11:29:26 -0800
From:   Dongwon Kim <dongwon.kim@...el.com>
To:     linux-kernel@...r.kernel.org
Cc:     dri-devel@...ts.freedesktop.org, xen-devel@...ts.xenproject.org,
        mateuszx.potrola@...el.com, dongwon.kim@...el.com
Subject: [RFC PATCH 10/60] hyper_dmabuf: make sure to free memory to prevent leak

From: Mateusz Polrola <mateuszx.potrola@...el.com>

In hyper_dmabuf_export_remote, page_info->pages needs to
be freed before freeing page_info.

Also, info_entry in hyper_dmabuf_remove_exported/imported
and hyper_dmabuf_remove_exporter/importer_ring needs to
be freed after removal of an entry.

Signed-off-by: Dongwon Kim <dongwon.kim@...el.com>
---
 drivers/xen/hyper_dmabuf/hyper_dmabuf_ioctl.c             | 1 +
 drivers/xen/hyper_dmabuf/hyper_dmabuf_list.c              | 2 ++
 drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_comm.c      | 2 ++
 drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_comm_list.c | 2 ++
 4 files changed, 7 insertions(+)

diff --git a/drivers/xen/hyper_dmabuf/hyper_dmabuf_ioctl.c b/drivers/xen/hyper_dmabuf/hyper_dmabuf_ioctl.c
index bace8b2..6f100ef 100644
--- a/drivers/xen/hyper_dmabuf/hyper_dmabuf_ioctl.c
+++ b/drivers/xen/hyper_dmabuf/hyper_dmabuf_ioctl.c
@@ -191,6 +191,7 @@ static int hyper_dmabuf_export_remote(void *data)
 	/* free msg */
 	kfree(req);
 	/* free page_info */
+	kfree(page_info->pages);
 	kfree(page_info);
 
 	return ret;
diff --git a/drivers/xen/hyper_dmabuf/hyper_dmabuf_list.c b/drivers/xen/hyper_dmabuf/hyper_dmabuf_list.c
index 2b3ef6b..1420df9 100644
--- a/drivers/xen/hyper_dmabuf/hyper_dmabuf_list.c
+++ b/drivers/xen/hyper_dmabuf/hyper_dmabuf_list.c
@@ -98,6 +98,7 @@ int hyper_dmabuf_remove_exported(int id)
 	hash_for_each(hyper_dmabuf_hash_exported, bkt, info_entry, node)
 		if(info_entry->info->hyper_dmabuf_id == id) {
 			hash_del(&info_entry->node);
+			kfree(info_entry);
 			return 0;
 		}
 
@@ -112,6 +113,7 @@ int hyper_dmabuf_remove_imported(int id)
 	hash_for_each(hyper_dmabuf_hash_imported, bkt, info_entry, node)
 		if(info_entry->info->hyper_dmabuf_id == id) {
 			hash_del(&info_entry->node);
+			kfree(info_entry);
 			return 0;
 		}
 
diff --git a/drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_comm.c b/drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_comm.c
index 576085f..116850e 100644
--- a/drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_comm.c
+++ b/drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_comm.c
@@ -320,6 +320,8 @@ int hyper_dmabuf_importer_ringbuf_init(int sdomain)
 		ring_info->unmap_op.handle = ops[0].handle;
 	}
 
+	kfree(ops);
+
 	sring = (struct hyper_dmabuf_sring*) pfn_to_kaddr(page_to_pfn(shared_ring));
 
 	BACK_RING_INIT(&ring_info->ring_back, sring, PAGE_SIZE);
diff --git a/drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_comm_list.c b/drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_comm_list.c
index 5778468..a068276 100644
--- a/drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_comm_list.c
+++ b/drivers/xen/hyper_dmabuf/xen/hyper_dmabuf_xen_comm_list.c
@@ -85,6 +85,7 @@ int hyper_dmabuf_remove_exporter_ring(int domid)
 	hash_for_each(hyper_dmabuf_hash_exporter_ring, bkt, info_entry, node)
 		if(info_entry->info->rdomain == domid) {
 			hash_del(&info_entry->node);
+			kfree(info_entry);
 			return 0;
 		}
 
@@ -99,6 +100,7 @@ int hyper_dmabuf_remove_importer_ring(int domid)
 	hash_for_each(hyper_dmabuf_hash_importer_ring, bkt, info_entry, node)
 		if(info_entry->info->sdomain == domid) {
 			hash_del(&info_entry->node);
+			kfree(info_entry);
 			return 0;
 		}
 
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ