| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BY5PR21MB15069658A7DE04A863C75036CE2C9@BY5PR21MB1506.namprd21.prod.outlook.com>
Date: Tue, 18 May 2021 21:50:17 +0000
From: Long Li <longli@...rosoft.com>
To: Wei Liu <wei.liu@...nel.org>,
Christophe JAILLET <christophe.jaillet@...adoo.fr>
CC: KY Srinivasan <kys@...rosoft.com>,
Haiyang Zhang <haiyangz@...rosoft.com>,
Stephen Hemminger <sthemmin@...rosoft.com>,
Dexuan Cui <decui@...rosoft.com>,
"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
"linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"kernel-janitors@...r.kernel.org" <kernel-janitors@...r.kernel.org>
Subject: RE: [PATCH 1/2] uio_hv_generic: Fix a memory leak in error handling
paths
> Subject: Re: [PATCH 1/2] uio_hv_generic: Fix a memory leak in error handling
> paths
>
> Cc Long Li.
>
> Long, Stephen suggested I check with you. Do you have any opinion?
>
> Wei.
>
> On Tue, May 11, 2021 at 09:52:27AM +0000, Wei Liu wrote:
> > On Sun, May 09, 2021 at 09:13:03AM +0200, Christophe JAILLET wrote:
> > > If 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not
> > > be updated and 'hv_uio_cleanup()' in the error handling path will
> > > not be able to free the corresponding buffer.
> > >
> > > In such a case, we need to free the buffer explicitly.
> > >
> > > Fixes: cdfa835c6e5e ("uio_hv_generic: defer opening vmbus until
> > > first use")
> > > Signed-off-by: Christophe JAILLET <christophe.jaillet@...adoo.fr>
> > > ---
> > > Before commit cdfa835c6e5e, the 'vfree' were done unconditionally in
> > > 'hv_uio_cleanup()'.
> > > So, another way for fixing the potential leak is to modify
> > > 'hv_uio_cleanup()' and revert to the previous behavior.
> > >
> >
> > I think this is cleaner.
Christophe has mentioned that the patch is already picked up by Greg KH.
I think both approaches are correct. We can go with this one.
> >
> > Stephen, you authored cdfa835c6e5e. What do you think?
> >
> > Christophe, OOI how did you discover these issues?
> >
> > > I don't know the underlying reason for this change so I don't know
> > > which is the best way to fix this error handling path. Unless there
> > > is a specific reason, changing 'hv_uio_cleanup()' could be better
> > > because it would keep the error handling path of the probe cleaner,
> IMHO.
> > > ---
> > > drivers/uio/uio_hv_generic.c | 8 ++++++--
> > > 1 file changed, 6 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/uio/uio_hv_generic.c
> > > b/drivers/uio/uio_hv_generic.c index 0330ba99730e..eebc399f2cc7
> > > 100644
> > > --- a/drivers/uio/uio_hv_generic.c
> > > +++ b/drivers/uio/uio_hv_generic.c
> > > @@ -296,8 +296,10 @@ hv_uio_probe(struct hv_device *dev,
> > >
> > > ret = vmbus_establish_gpadl(channel, pdata->recv_buf,
> > > RECV_BUFFER_SIZE, &pdata->recv_gpadl);
> > > - if (ret)
> > > + if (ret) {
> > > + vfree(pdata->recv_buf);
> > > goto fail_close;
> > > + }
> > >
> > > /* put Global Physical Address Label in name */
> > > snprintf(pdata->recv_name, sizeof(pdata->recv_name), @@ -316,8
> > > +318,10 @@ hv_uio_probe(struct hv_device *dev,
> > >
> > > ret = vmbus_establish_gpadl(channel, pdata->send_buf,
> > > SEND_BUFFER_SIZE, &pdata->send_gpadl);
> > > - if (ret)
> > > + if (ret) {
> > > + vfree(pdata->send_buf);
> > > goto fail_close;
> > > + }
> > >
> > > snprintf(pdata->send_name, sizeof(pdata->send_name),
> > > "send:%u", pdata->send_gpadl);
> > > --
> > > 2.30.2
> > >
Powered by blists - more mailing lists