Message-ID: <d0819e2a-f584-3287-61ba-88ea78a9885b@hpe.com>
Date:   Thu, 1 Jun 2023 19:31:53 -0700 (PDT)
From:   Paul Cassella <cassella@....com>
To:     Ira Weiny <ira.weiny@...el.com>
CC:     Yongqiang Liu <liuyongqiang13@...wei.com>,
        <linux-kernel@...r.kernel.org>, <nvdimm@...ts.linux.dev>,
        <dan.j.williams@...el.com>, <vishal.l.verma@...el.com>,
        <dave.jiang@...el.com>, <akpm@...ux-foundation.org>,
        <joao.m.martins@...cle.com>, <zhangxiaoxu5@...wei.com>
Subject: Re: [PATCH] dax/hmem: Fix refcount leak in dax_hmem_probe()

On Sat, 3 Dec 2022, Ira Weiny wrote:
> On Sat, Dec 03, 2022 at 09:58:58AM +0000, Yongqiang Liu wrote:

> > We should always call dax_region_put() whenever devm_create_dev_dax()
> > succeeds or fails to avoid refcount leak of dax_region. Move the return
> > value check after dax_region_put().

> I think dax_region_put is called from dax_region_unregister() automatically on
> tear down.

Hi Ira,

Note the reference dax_region_unregister() will be putting is the one 
devm_create_dev_dax() takes by kref_get(&dax_region->kref). I think 
dax_hmem_probe() needs to put its reference in the error case, as in the 
successful case.

Consider, devm_create_dev_dax() has error paths that return without 
involving dax_region_unregister(), prior to kref_get() and device_add().  
dax_hmem_probe() is clearly responsible for freeing the region in those 
cases.


dax_hmem_probe() drops its own reference in the successful case because 
(per the comment) "child dev_dax instances now own the lifetime of the 
dax_region".  That ownership is the reference that the error-case 
dax_region_unregister() is dropping.  dax_hmem_probe()'s initial reference 
also needs to be dropped in the error case, as in the successful case.


> > Fixes: c01044cc8191 ("ACPI: HMAT: refactor hmat_register_target_device to hmem_register_device")
> 
> I'm also not sure how this patch is related to this fix.
> 
> Ira
> 
> > Signed-off-by: Yongqiang Liu <liuyongqiang13@...wei.com>
> > ---
> >  drivers/dax/hmem/hmem.c | 5 ++---
> >  1 file changed, 2 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/dax/hmem/hmem.c b/drivers/dax/hmem/hmem.c
> > index 1bf040dbc834..09f5cd7b6c8e 100644
> > --- a/drivers/dax/hmem/hmem.c
> > +++ b/drivers/dax/hmem/hmem.c
> > @@ -36,12 +36,11 @@ static int dax_hmem_probe(struct platform_device *pdev)
> >  		.size = region_idle ? 0 : resource_size(res),
> >  	};
> >  	dev_dax = devm_create_dev_dax(&data);
> > -	if (IS_ERR(dev_dax))
> > -		return PTR_ERR(dev_dax);
> >  
> >  	/* child dev_dax instances now own the lifetime of the dax_region */

This comment should probably be updated now.  :)


-- 
Paul Cassella


> >  	dax_region_put(dax_region);
> > -	return 0;
> > +
> > +	return IS_ERR(dev_dax) ? PTR_ERR(dev_dax) : 0;
> >  }
> >  
> >  static int dax_hmem_remove(struct platform_device *pdev)
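
Review bot: the comment kept above dax_region_put() ("child dev_dax instances now own the lifetime of the dax_region") no longer describes every path that reaches it. With the IS_ERR(dev_dax) early return removed, the put also runs when devm_create_dev_dax() has failed, so the comment should say that the probe is dropping its own reference whether or not a child was created. The new return line can also be written as return PTR_ERR_OR_ZERO(dev_dax); which is the usual helper for the IS_ERR() ? PTR_ERR() : 0 pattern.
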
> > -- 
> > 2.25.1
> > 
> > 
> 
