lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 14 Jan 2020 17:33:05 +0800
From:   <quanyang.wang@...driver.com>
To:     <richard@....at>, <miquel.raynal@...tlin.com>, <vigneshr@...com>
CC:     <linux-mtd@...ts.infradead.org>, <linux-kernel@...r.kernel.org>,
        <quanyang.wang@...driver.com>
Subject: [PATCH] ubi: fix memory leak from ubi->fm_anchor

From: Quanyang Wang <quanyang.wang@...driver.com>

Some ubi_wl_entry are allocated in erase_aeb() and one of them is
assigned to ubi->fm_anchor in __erase_worker(). And it should be freed
like others which are freed in tree_destroy(). Otherwise, it will
cause a memory leak:

unreferenced object 0xbc094318 (size 24):
  comm "ubiattach", pid 491, jiffies 4294954015 (age 420.110s)
  hex dump (first 24 bytes):
    30 43 09 bc 00 00 00 00 00 00 00 00 01 00 00 00  0C..............
    02 00 00 00 04 00 00 00                          ........
  backtrace:
    [<6c2d5089>] erase_aeb+0x28/0xc8
    [<a1c68fb1>] ubi_wl_init+0x1d8/0x4a8
    [<d4f408f8>] ubi_attach+0xffc/0x10d0
    [<add3b5d8>] ubi_attach_mtd_dev+0x5b4/0x9fc
    [<d375a11c>] ctrl_cdev_ioctl+0xb8/0x1d8
    [<72b250f2>] vfs_ioctl+0x28/0x3c
    [<b80095d7>] do_vfs_ioctl+0xb0/0x798
    [<bf9ef69e>] ksys_ioctl+0x58/0x74
    [<5355bdbe>] ret_fast_syscall+0x0/0x54
    [<90c6c3ca>] 0x7eadf854

Signed-off-by: Quanyang Wang <quanyang.wang@...driver.com>
---
 drivers/mtd/ubi/wl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
index 5d77a38dba54..a5e9d1e4dc34 100644
--- a/drivers/mtd/ubi/wl.c
+++ b/drivers/mtd/ubi/wl.c
@@ -1885,6 +1885,7 @@ int ubi_wl_init(struct ubi_device *ubi, struct ubi_attach_info *ai)
 	tree_destroy(ubi, &ubi->used);
 	tree_destroy(ubi, &ubi->free);
 	tree_destroy(ubi, &ubi->scrub);
+	wl_entry_destroy(ubi, ubi->fm_anchor);
 	kfree(ubi->lookuptbl);
 	return err;
 }
@@ -1920,6 +1921,7 @@ void ubi_wl_close(struct ubi_device *ubi)
 	tree_destroy(ubi, &ubi->erroneous);
 	tree_destroy(ubi, &ubi->free);
 	tree_destroy(ubi, &ubi->scrub);
+	wl_entry_destroy(ubi, ubi->fm_anchor);
 	kfree(ubi->lookuptbl);
 }
 
-- 
2.17.1

Powered by blists - more mailing lists