lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 13 Mar 2023 08:53:21 +0100
From:   Ondrej Zary <linux@...y.sk>
To:     Damien Le Moal <damien.lemoal@...nsource.wdc.com>
Cc:     Christoph Hellwig <hch@....de>,
        Sergey Shtylyov <s.shtylyov@....ru>, linux-ide@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] pata_parport: fix possible memory leak

On Monday 13 March 2023, Damien Le Moal wrote:
> On 3/13/23 06:24, Ondrej Zary wrote:
> > On Sunday 12 March 2023 01:56:25 Damien Le Moal wrote:
> >> On 3/12/23 06:44, Ondrej Zary wrote:
> >>> When ida_alloc() fails, "pi" is not freed although the misleading
> >>> comment says otherwise.
> >>> Move the ida_alloc() call up so we really don't have to free it.
> >>
> >> Certainly you meant: "so we really do free it in case of error.", no ?
> > 
> > I meant "so we don't have to free pi in case of ida_alloc failure".
> 
> That is better. Please rephrase the commit message to this.
> 
> >>>  	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
> >>>  	pi->dev.parent = &pata_parport_bus;
> >>>  	pi->dev.bus = &pata_parport_bus_type;
> >>>  	pi->dev.driver = &pr->driver;
> >>>  	pi->dev.release = pata_parport_dev_release;
> >>> -	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> >>> -	if (id < 0)
> >>> -		return NULL; /* pata_parport_dev_release will do kfree(pi) */
> >>>  	pi->dev.id = id;
> >>>  	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
> >>>  	if (device_register(&pi->dev)) {
> >>> @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
> >>>  out_unreg_dev:
> >>>  	device_unregister(&pi->dev);
> >>
> >> Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you
> >> return here ?
> > 
> > No. device_unregister() calls pata_parport_dev_release() which does only kfree(pi), not ida_free(). But it probably should do ida_free() too.
> 
> Yes, it should, otherwise you are leaking the ida with the normal (no errors)
> case. Care to send a fix for that too ?

Yes, I'll send it as soon as I fix a problem that I noticed during testing. The ida is never freed with this fix. And neither "pi" because pata_parport_dev_release is never called (confirmed by adding printk).

-- 
Ondrej Zary

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ