lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <1590416053-52476-1-git-send-email-xiyuyang19@fudan.edu.cn>
Date:   Mon, 25 May 2020 22:14:13 +0800
From:   Xiyu Yang <xiyuyang19@...an.edu.cn>
To:     Dan Williams <dan.j.williams@...el.com>,
        Vishal Verma <vishal.l.verma@...el.com>,
        Dave Jiang <dave.jiang@...el.com>, linux-nvdimm@...ts.01.org,
        linux-kernel@...r.kernel.org
Cc:     yuanxzhang@...an.edu.cn, kjlu@....edu,
        Xiyu Yang <xiyuyang19@...an.edu.cn>,
        Xin Tan <tanxin.ctf@...il.com>
Subject: [PATCH] dax: Fix dax_region refcnt leak when creating dev_dax

__devm_create_dev_dax() invokes kref_get(), which increases the refcount
of the "dax_region".

The reference counting issue happens in several exception handling paths
of __devm_create_dev_dax(). When those error scenarios occur such as add
device failed, the function forgets to decrease the refcnt increased by
kref_get(), causing a refcnt leak.

Fix this issue by calling kref_put() when those error scenarios occur.

Signed-off-by: Xiyu Yang <xiyuyang19@...an.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@...il.com>
---
 drivers/dax/bus.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/dax/bus.c b/drivers/dax/bus.c
index df238c8b6ef2..1a861d90321f 100644
--- a/drivers/dax/bus.c
+++ b/drivers/dax/bus.c
@@ -452,12 +452,15 @@ struct dev_dax *__devm_create_dev_dax(struct dax_region *dax_region, int id,
 	if (rc) {
 		kill_dev_dax(dev_dax);
 		put_device(dev);
+		kref_put(&dax_region->kref, dax_region_free);
 		return ERR_PTR(rc);
 	}
 
 	rc = devm_add_action_or_reset(dax_region->dev, unregister_dev_dax, dev);
-	if (rc)
+	if (rc) {
+		kref_put(&dax_region->kref, dax_region_free);
 		return ERR_PTR(rc);
+	}
 
 	return dev_dax;
 
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ