lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 14 Jan 2020 17:33:05 +0800 From: <quanyang.wang@...driver.com> To: <richard@....at>, <miquel.raynal@...tlin.com>, <vigneshr@...com> CC: <linux-mtd@...ts.infradead.org>, <linux-kernel@...r.kernel.org>, <quanyang.wang@...driver.com> Subject: [PATCH] ubi: fix memory leak from ubi->fm_anchor From: Quanyang Wang <quanyang.wang@...driver.com> Some ubi_wl_entry are allocated in erase_aeb() and one of them is assigned to ubi->fm_anchor in __erase_worker(). And it should be freed like others which are freed in tree_destroy(). Otherwise, it will cause a memory leak: unreferenced object 0xbc094318 (size 24): comm "ubiattach", pid 491, jiffies 4294954015 (age 420.110s) hex dump (first 24 bytes): 30 43 09 bc 00 00 00 00 00 00 00 00 01 00 00 00 0C.............. 02 00 00 00 04 00 00 00 ........ backtrace: [<6c2d5089>] erase_aeb+0x28/0xc8 [<a1c68fb1>] ubi_wl_init+0x1d8/0x4a8 [<d4f408f8>] ubi_attach+0xffc/0x10d0 [<add3b5d8>] ubi_attach_mtd_dev+0x5b4/0x9fc [<d375a11c>] ctrl_cdev_ioctl+0xb8/0x1d8 [<72b250f2>] vfs_ioctl+0x28/0x3c [<b80095d7>] do_vfs_ioctl+0xb0/0x798 [<bf9ef69e>] ksys_ioctl+0x58/0x74 [<5355bdbe>] ret_fast_syscall+0x0/0x54 [<90c6c3ca>] 0x7eadf854 Signed-off-by: Quanyang Wang <quanyang.wang@...driver.com> --- drivers/mtd/ubi/wl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c index 5d77a38dba54..a5e9d1e4dc34 100644 --- a/drivers/mtd/ubi/wl.c +++ b/drivers/mtd/ubi/wl.c @@ -1885,6 +1885,7 @@ int ubi_wl_init(struct ubi_device *ubi, struct ubi_attach_info *ai) tree_destroy(ubi, &ubi->used); tree_destroy(ubi, &ubi->free); tree_destroy(ubi, &ubi->scrub); + wl_entry_destroy(ubi, ubi->fm_anchor); kfree(ubi->lookuptbl); return err; } @@ -1920,6 +1921,7 @@ void ubi_wl_close(struct ubi_device *ubi) tree_destroy(ubi, &ubi->erroneous); tree_destroy(ubi, &ubi->free); tree_destroy(ubi, &ubi->scrub); + wl_entry_destroy(ubi, ubi->fm_anchor); kfree(ubi->lookuptbl); } -- 2.17.1
Powered by blists - more mailing lists