| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 May 2021 11:01:22 +0000
From: Wei Liu <wei.liu@...nel.org>
To: Christophe JAILLET <christophe.jaillet@...adoo.fr>,
longli@...rosoft.com
Cc: kys@...rosoft.com, haiyangz@...rosoft.com, sthemmin@...rosoft.com,
wei.liu@...nel.org, decui@...rosoft.com,
gregkh@...uxfoundation.org, linux-hyperv@...r.kernel.org,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH 1/2] uio_hv_generic: Fix a memory leak in error handling
paths
Cc Long Li.
Long, Stephen suggested I check with you. Do you have any opinion?
Wei.
On Tue, May 11, 2021 at 09:52:27AM +0000, Wei Liu wrote:
> On Sun, May 09, 2021 at 09:13:03AM +0200, Christophe JAILLET wrote:
> > If 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not be
> > updated and 'hv_uio_cleanup()' in the error handling path will not be
> > able to free the corresponding buffer.
> >
> > In such a case, we need to free the buffer explicitly.
> >
> > Fixes: cdfa835c6e5e ("uio_hv_generic: defer opening vmbus until first use")
> > Signed-off-by: Christophe JAILLET <christophe.jaillet@...adoo.fr>
> > ---
> > Before commit cdfa835c6e5e, the 'vfree' were done unconditionally
> > in 'hv_uio_cleanup()'.
> > So, another way for fixing the potential leak is to modify
> > 'hv_uio_cleanup()' and revert to the previous behavior.
> >
>
> I think this is cleaner.
>
> Stephen, you authored cdfa835c6e5e. What do you think?
>
> Christophe, OOI how did you discover these issues?
>
> > I don't know the underlying reason for this change so I don't know which is
> > the best way to fix this error handling path. Unless there is a specific
> > reason, changing 'hv_uio_cleanup()' could be better because it would keep
> > the error handling path of the probe cleaner, IMHO.
> > ---
> > drivers/uio/uio_hv_generic.c | 8 ++++++--
> > 1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c
> > index 0330ba99730e..eebc399f2cc7 100644
> > --- a/drivers/uio/uio_hv_generic.c
> > +++ b/drivers/uio/uio_hv_generic.c
> > @@ -296,8 +296,10 @@ hv_uio_probe(struct hv_device *dev,
> >
> > ret = vmbus_establish_gpadl(channel, pdata->recv_buf,
> > RECV_BUFFER_SIZE, &pdata->recv_gpadl);
> > - if (ret)
> > + if (ret) {
> > + vfree(pdata->recv_buf);
> > goto fail_close;
> > + }
> >
> > /* put Global Physical Address Label in name */
> > snprintf(pdata->recv_name, sizeof(pdata->recv_name),
> > @@ -316,8 +318,10 @@ hv_uio_probe(struct hv_device *dev,
> >
> > ret = vmbus_establish_gpadl(channel, pdata->send_buf,
> > SEND_BUFFER_SIZE, &pdata->send_gpadl);
> > - if (ret)
> > + if (ret) {
> > + vfree(pdata->send_buf);
> > goto fail_close;
> > + }
> >
> > snprintf(pdata->send_name, sizeof(pdata->send_name),
> > "send:%u", pdata->send_gpadl);
> > --
> > 2.30.2
> >
Powered by blists - more mailing lists