lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190502071742.GC16247@kroah.com>
Date:   Thu, 2 May 2019 09:17:42 +0200
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     "Tobin C. Harding" <me@...in.cc>
Cc:     "Rafael J. Wysocki" <rafael@...nel.org>, cl@...ux.com,
        tycho@...ho.ws, willy@...radead.org, linux-kernel@...r.kernel.org
Subject: Re: memleak around kobject_init_and_add()

On Thu, May 02, 2019 at 07:56:16AM +1000, Tobin C. Harding wrote:
> On Sat, Apr 27, 2019 at 09:28:09PM +0200, Greg Kroah-Hartman wrote:
> > On Sat, Apr 27, 2019 at 06:13:30PM +1000, Tobin C. Harding wrote:
> > > (Note at bottom on reasons for 'To' list 'Cc' list)
> > > 
> > > Hi,
> > > 
> > > kobject_init_and_add() seems to be routinely misused.  A failed call to this
> > > function requires a call to kobject_put() otherwise we leak memory.
> > > 
> > > Examples memleaks can be seen in:
> > > 
> > > 	mm/slub.c
> > > 	fs/btrfs/sysfs.c
> > > 	fs/xfs/xfs_sysfs.h: xfs_sysfs_init()
> > > 
> > >  Question: Do we fix the misuse or fix the API?
> > 
> > Fix the misuse.
> > 
> > > $ git grep kobject_init_and_add | wc -l
> > > 117
> > > 
> > > Either way, we will have to go through all 117 call sites and check them.
> > 
> > Yes.  Same for other functions like device_add(), that is the "pattern"
> > those users must follow.
> > 
> > > I
> > > don't mind fixing them all but I don't want to do it twice because I chose the
> > > wrong option.  Reaching out to those more experienced for a suggestion please.
> > > 
> > > Fix the API
> > > -----------
> > > 
> > > Typically init functions do not require cleanup if they fail, this argument
> > > leads to this patch
> > > 
> > > diff --git a/lib/kobject.c b/lib/kobject.c
> > > index aa89edcd2b63..62328054bbd0 100644
> > > --- a/lib/kobject.c
> > > +++ b/lib/kobject.c
> > > @@ -453,6 +453,9 @@ int kobject_init_and_add(struct kobject *kobj, struct kobj_type *ktype,
> > >  	retval = kobject_add_varg(kobj, parent, fmt, args);
> > >  	va_end(args);
> > >  
> > > +	if (retval)
> > > +		kobject_put(kobj);
> > > +
> > >  	return retval;
> > >  }
> > >  EXPORT_SYMBOL_GPL(kobject_init_and_add);
> > 
> > I would _love_ to do this, but realize what a kobject really is.
> > 
> > It's just a "base object" that is embedded inside of some other object.
> > The kobject core has no idea what is going on outside of itself.  If the
> > kobject_init_and_add() function fails, it can NOT drop the last
> > reference on itself, as that would cause the memory owned by the _WHOLE_
> > structure the kobject is embedded in, to be freed.
> > 
> > And the kobject core can not "know" that something else needed to be
> > done _before_ that memory could be freed.  What if the larger structure
> > needs to have some other destructor called on it first?  What if
> > some other api initialization needs to be torn down.
> > 
> > As an example, consider this code:
> > 
> > struct foo {
> > 	struct kobject kobj;
> > 	struct baz *baz;
> > };
> > 
> > void foo_release(struct kobject *kobj)
> > {
> > 	struct foo *foo = container_of(kobj, struct foo, kobj);
> > 	kfree(foo);
> > }
> > 
> > struct kobj_type foo_ktype = {
> > 	.release = foo_release,
> > };
> > 
> > struct foo *foo_create(struct foo *parent, char *name)
> > {
> > 	struct *foo;
> > 
> > 	foo = kzalloc(sizeof(*foo), GFP_KERNEL);
> > 	if (!foo)
> > 		return NULL;
> > 
> > 	foo->baz = baz_create(name);
> > 	if (!foo->baz)
> > 		return NULL;
> > 
> > 	ret = kobject_init_and_add(&foo->kobj, foo_ktype, &parent->kobj, "foo-%s", name);
> > 	if (ret) {
> > 		baz_destroy(foo->baz);
> > 		kobject_put(&foo->kobj);
> > 		return NULL;
> > 	}
> > 
> > 	return foo;
> > }
> > 
> > void foo_destroy(struct foo *foo)
> > {
> > 	baz_destroy(foo->baz);
> > 	kobject_del(&foo->kobj);
> 	kojbect_put(&foo->kobj);
> > }
> 
> Does this need this extra call to kobject_put()?  Then foo_create()
> leaves foo with a refcount of 1 and foo_destroy drops that refcount.

Oops, no, I messed this up, it should _only_ be a call to
kobject_put(), kobject_del() is not needed here.

kobject_del() is for people who "really want to control the lifetime" of
a kobject.  All it does is remove the kobject from sysfs, and drop the
parent reference of the kobject, allowing the kobject to be "free" on
it's own.  Later a kobject_put() call must be called on it to really
clean it up.

If you just call kobject_put(), and this is the last reference,
kobject_del() will be correctly called for you by the kobject code, as
it "knows" this is time to clean up the sysfs entities.

A "normal" user should never have to call kobject_del().

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ