Date:   Thu, 16 Apr 2020 14:02:23 +0200
From:   Jan Kara <jack@...e.cz>
To:     Yufen Yu <yuyufen@...wei.com>
Cc:     Christoph Hellwig <hch@....de>, axboe@...nel.dk, tj@...nel.org,
        jack@...e.cz, bvanassche@....org, tytso@....edu,
        gregkh@...uxfoundation.org, linux-block@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 3/8] bdi: add a ->dev_name field to struct
 backing_dev_info

On Thu 16-04-20 16:34:13, Yufen Yu wrote:
> Hi,
> 
> On 2020/4/16 15:15, Christoph Hellwig wrote:
> > Cache a copy of the name for the life time of the backing_dev_info
> > structure so that we can reference it even after unregistering.
> > 
> > Fixes: 68f23b89067f ("memcg: fix a crash in wb_workfn when a device disappears")
> > Reported-by: Yufen Yu <yuyufen@...wei.com>
> > Signed-off-by: Christoph Hellwig <hch@....de>
> > ---
> >   include/linux/backing-dev-defs.h |  1 +
> >   mm/backing-dev.c                 | 13 ++++++++++---
> >   2 files changed, 11 insertions(+), 3 deletions(-)
> > 
> > diff --git a/include/linux/backing-dev-defs.h b/include/linux/backing-dev-defs.h
> > index 4fc87dee005a..249590bcccf7 100644
> > --- a/include/linux/backing-dev-defs.h
> > +++ b/include/linux/backing-dev-defs.h
> > @@ -220,6 +220,7 @@ struct backing_dev_info {
> >   	wait_queue_head_t wb_waitq;
> >   	struct device *dev;
> > +	const char *dev_name;
> >   	struct device *owner;
> >   	struct timer_list laptop_mode_wb_timer;
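
Review bot: the new dev_name member in struct backing_dev_info carries no comment about ownership or lifetime. It is allocated in bdi_register_va() and freed in release_bdi(), so a one-line comment saying it is a cached copy of the device name that stays valid after unregistering would put that rule next to struct device *dev, which does not outlive unregistration.
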
> > diff --git a/mm/backing-dev.c b/mm/backing-dev.c
> > index c2c44c89ee5d..4f6c05df72f9 100644
> > --- a/mm/backing-dev.c
> > +++ b/mm/backing-dev.c
> > @@ -938,9 +938,15 @@ int bdi_register_va(struct backing_dev_info *bdi, const char *fmt, va_list args)
> >   	if (bdi->dev)	/* The driver needs to use separate queues per device */
> >   		return 0;
> > -	dev = device_create_vargs(bdi_class, NULL, MKDEV(0, 0), bdi, fmt, args);
> > -	if (IS_ERR(dev))
> > +	bdi->dev_name = kvasprintf(GFP_KERNEL, fmt, args);
> > +	if (!bdi->dev_name)
> > +		return -ENOMEM;
> > +
> > +	dev = device_create(bdi_class, NULL, MKDEV(0, 0), bdi, bdi->dev_name);
> > +	if (IS_ERR(dev)) {
> > +		kfree(bdi->dev_name);
> >   		return PTR_ERR(dev);
> > +	}
> >   	cgwb_bdi_register(bdi);
> >   	bdi->dev = dev;
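
Review bot: in the IS_ERR(dev) branch of bdi_register_va(), bdi->dev_name is freed but the pointer is left in place, and release_bdi() in this same patch calls kfree(bdi->dev_name) again, so a failed registration followed by the final release frees the name twice; set bdi->dev_name = NULL after the kfree() in that branch. Separately, device_create() takes a format string, so the already formatted name should be passed as "%s", bdi->dev_name, otherwise any '%' left in the name is interpreted a second time.
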
> > @@ -1034,6 +1040,7 @@ static void release_bdi(struct kref *ref)
> >   	WARN_ON_ONCE(bdi->dev);
> >   	wb_exit(&bdi->wb);
> >   	cgwb_bdi_exit(bdi);
> > +	kfree(bdi->dev_name);
> >   	kfree(bdi);
> >   }
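
Review bot: the kfree(bdi->dev_name) added to release_bdi() runs once per bdi, while bdi_register_va() stores a fresh allocation every time it gets past the bdi->dev check, so a second registration before release overwrites the earlier pointer without freeing it. Either free the previous name before assigning in bdi_register_va(), or make the field storage that needs no freeing.
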
> 
> 
> When a driver tries to re-register a bdi but without release_bdi(), the old
> dev_name will be covered directly by the newer one in bdi_register_va(). So, I
> am not sure whether it can cause a memory leak for bdi->dev_name.

Yes, that can indeed happen. E.g. I remember that drivers/scsi/sd.c calls
device_add_disk() + del_gendisk() repeatedly for one request_queue and that
would result in leaking the name (and possibly cause use-after-free
issues). I think dev_name has to be just a static array inside
backing_dev_info which gets overwritten on reregistration. The question is
how big this array should be... Some grepping shows that 40 bytes should be
enough for everybody except fs/vboxsf/super.c which puts 'fc->source' into
the name which can be presumably rather large. Anyway, I'd make it 40 and
just truncate it in case it does not fit. bdi_dev_name() is used for
informational purposes anyway...

								Honza
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR
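
Added example, not part of the original message or of the kernel patch: a userspace C model of the fixed-size name buffer suggested in the reply above, showing that re-registration overwrites in place and that an over-long name is truncated instead of overflowing. The struct, the function names and the "demo-%s" name are assumptions made for illustration; only the 40-byte size comes from the thread.

```c
/* Userspace model only: bdi_model and its helpers are hypothetical
 * stand-ins, not kernel code. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BDI_NAME_LEN 40              /* size proposed in the reply */

struct bdi_model {
    int registered;
    char dev_name[BDI_NAME_LEN];     /* lives exactly as long as the struct */
};

/* Format the name into the embedded buffer; returns 1 if it was truncated. */
static int bdi_model_register(struct bdi_model *bdi, const char *fmt, ...)
{
    va_list args;
    int n;

    va_start(args, fmt);
    /* vsnprintf never writes past the buffer and always NUL-terminates */
    n = vsnprintf(bdi->dev_name, sizeof(bdi->dev_name), fmt, args);
    va_end(args);
    bdi->registered = 1;
    return n < 0 || (size_t)n >= sizeof(bdi->dev_name);
}

/* Unregistering frees nothing, so the name stays readable afterwards. */
static void bdi_model_unregister(struct bdi_model *bdi)
{
    bdi->registered = 0;
}

int main(void)
{
    struct bdi_model bdi = { 0 };
    char long_src[128];              /* constructed over-long source name */

    bdi_model_register(&bdi, "%u:%u", 8, 16);
    bdi_model_unregister(&bdi);
    printf("after unregister: %s\n", bdi.dev_name);

    memset(long_src, 'x', sizeof(long_src) - 1);
    long_src[sizeof(long_src) - 1] = '\0';
    /* Second registration reuses the same storage: no leak, no stale pointer. */
    if (bdi_model_register(&bdi, "demo-%s", long_src))
        printf("truncated to %zu bytes\n", strlen(bdi.dev_name));
    return 0;
}
```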
