[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAGXu5j+HMj92iN+H1482TvWkxf7iv1w95Ru6Z_1kNzPuVjmXUw@mail.gmail.com>
Date: Thu, 17 Jan 2019 08:56:30 -0800
From: Kees Cook <keescook@...omium.org>
To: Yue Hu <huyue2@...ong.com>
Cc: Anton Vorontsov <anton@...msg.org>,
Colin Cross <ccross@...roid.com>,
Tony Luck <tony.luck@...el.com>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] pstore/ram: Fix failure-path memory leak in ramoops_probe
On Wed, Jan 16, 2019 at 8:11 PM Yue Hu <huyue2@...ong.com> wrote:
>
> From 12a3e710e54a00f1ccb781d38707e7d4b344403b Mon Sep 17 00:00:00 2001
> From: Yue Hu <huyue2@...ong.com>
> Date: Wed, 16 Jan 2019 16:58:19 +0800
> Subject: [PATCH] pstore/ram: Fix failure-path memory leak in
> ramoops_probe
>
> Missing devm_kfree(pdata) if probe fail with successful allocation
> of platform data buffer via devm_kzalloc().
Actually, I think this is missing a free in the normal path too. pdata
is only allocated when:
!dev->platform_data && dev_of_node(dev)
So I think it needs to be freed in both places. However, devm_*alloc()
really only makes sense for something that will have a scope larger
than the current function. Instead, I think we should just switch this
to a stack variable and be done with it. Something like this (pardon
whitespace damage):
diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c
index 96f7d32cd184..be7142ae3937 100644
--- a/fs/pstore/ram.c
+++ b/fs/pstore/ram.c
@@ -711,18 +711,15 @@ static int ramoops_probe(struct platform_device *pdev)
{
struct device *dev = &pdev->dev;
struct ramoops_platform_data *pdata = dev->platform_data;
+ struct ramoops_platform_data local_data;
struct ramoops_context *cxt = &oops_cxt;
size_t dump_mem_sz;
phys_addr_t paddr;
int err = -EINVAL;
if (dev_of_node(dev) && !pdata) {
- pdata = devm_kzalloc(&pdev->dev, sizeof(*pdata), GFP_KERNEL);
- if (!pdata) {
- pr_err("cannot allocate platform data buffer\n");
- err = -ENOMEM;
- goto fail_out;
- }
+ pdata = &local_data;
+ memset(pdata, 0, sizeof(*pdata));
err = ramoops_parse_dt(pdev, pdata);
if (err < 0)
Does that look sensible to you?
-Kees
>
> Signed-off-by: Yue Hu <huyue2@...ong.com>
> ---
> fs/pstore/ram.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c
> index cb9cac1..f9a6a8d 100644
> --- a/fs/pstore/ram.c
> +++ b/fs/pstore/ram.c
> @@ -612,6 +612,7 @@ static int ramoops_probe(struct platform_device
> *pdev) size_t dump_mem_sz;
> phys_addr_t paddr;
> int err = -EINVAL;
> + bool free_pdata = false;
>
> if (dev_of_node(dev) && !pdata) {
> pdata = devm_kzalloc(&pdev->dev, sizeof(*pdata),
> GFP_KERNEL); @@ -619,6 +620,7 @@ static int ramoops_probe(struct
> platform_device *pdev) err = -ENOMEM;
> goto fail_out;
> }
> + free_pdata = true;
>
> err = ramoops_parse_dt(pdev, pdata);
> if (err < 0)
> @@ -754,6 +756,8 @@ static int ramoops_probe(struct platform_device
> *pdev) fail_init_cprz:
> ramoops_free_przs(cxt);
> fail_out:
> + if (free_pdata)
> + devm_kfree(&pdev->dev, pdata);
> return err;
> }
>
> --
> 1.9.1
>
>
>
>
--
Kees Cook
Powered by blists - more mailing lists