| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 Feb 2020 11:22:10 +0100
From: Bartosz Golaszewski <bgolaszewski@...libre.com>
To: Srinivas Kandagatla <srinivas.kandagatla@...aro.org>
Cc: Bartosz Golaszewski <brgl@...ev.pl>,
Linus Walleij <linus.walleij@...aro.org>,
Khouloud Touil <ktouil@...libre.com>,
Geert Uytterhoeven <geert@...ux-m68k.org>,
"open list:GPIO SUBSYSTEM" <linux-gpio@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
stable <stable@...r.kernel.org>
Subject: Re: [PATCH v2 2/7] nvmem: fix another memory leak in error path
wt., 18 lut 2020 o 11:11 Srinivas Kandagatla
<srinivas.kandagatla@...aro.org> napisał(a):
>
>
>
> On 18/02/2020 10:05, Bartosz Golaszewski wrote:
> > wt., 18 lut 2020 o 10:56 Srinivas Kandagatla
> > <srinivas.kandagatla@...aro.org> napisał(a):
> >>
> >>
> >>
> >> On 18/02/2020 09:42, Bartosz Golaszewski wrote:
> >>> From: Bartosz Golaszewski <bgolaszewski@...libre.com>
> >>>
> >>> The nvmem struct is only freed on the first error check after its
> >>> allocation and leaked after that. Fix it with a new label.
> >>>
> >>> Cc: <stable@...r.kernel.org>
> >>> Signed-off-by: Bartosz Golaszewski <bgolaszewski@...libre.com>
> >>> ---
> >>> drivers/nvmem/core.c | 8 ++++----
> >>> 1 file changed, 4 insertions(+), 4 deletions(-)
> >>>
> >>> diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
> >>> index b0be03d5f240..c9b3f4047154 100644
> >>> --- a/drivers/nvmem/core.c
> >>> +++ b/drivers/nvmem/core.c
> >>> @@ -343,10 +343,8 @@ struct nvmem_device *nvmem_register(const struct nvmem_config *config)
> >>> return ERR_PTR(-ENOMEM);
> >>>
> >>> rval = ida_simple_get(&nvmem_ida, 0, 0, GFP_KERNEL);
> >>> - if (rval < 0) {
> >>> - kfree(nvmem);
> >>> - return ERR_PTR(rval);
> >>> - }
> >>> + if (rval < 0)
> >>> + goto err_free_nvmem;
> >>> if (config->wp_gpio)
> >>> nvmem->wp_gpio = config->wp_gpio;
> >>> else
> >>> @@ -432,6 +430,8 @@ struct nvmem_device *nvmem_register(const struct nvmem_config *config)
> >>> put_device(&nvmem->dev);
> >>> err_ida_remove:
> >>> ida_simple_remove(&nvmem_ida, nvmem->id);
> >>> +err_free_nvmem:
> >>> + kfree(nvmem);
> >>
> >> This is not correct fix to start with, if the device has already been
> >> intialized before jumping here then nvmem would be freed as part of
> >> nvmem_release().
> >>
> >> So the bug was actually introduced by adding err_ida_remove label.
> >>
> >> You can free nvmem at that point but not at any point after that as
> >> device core would be holding a reference to it.
> >>
> >
> > OK I see - I missed the release() callback assignment. Frankly: I find
> > this split of resource management responsibility confusing. Since the
> > users are expected to call nvmem_unregister() anyway - wouldn't it be
> > more clear to just free all resources there? What is the advantage of
> > defining the release() callback for device type here?
>
> Because we are using dev pointer from nvmem structure, and this dev
> pointer should be valid until release callback is invoked.
>
> Freeing nvmem at any early stage would make dev pointer invalid and
> device core would dereference it!
>
Ok, let me brew up a v3 with that in mind.
Bart
Powered by blists - more mailing lists