lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5949965e-0155-4ad1-a019-df220140b085@kernel.org>
Date: Fri, 16 Aug 2024 19:32:34 +0900
From: Damien Le Moal <dlemoal@...nel.org>
To: Yu Kuai <yukuai1@...weicloud.com>, Zheng Qixing <zhengqixing@...wei.com>,
 cassel@...nel.org
Cc: linux-ide@...r.kernel.org, linux-kernel@...r.kernel.org,
 yi.zhang@...wei.com, yangerkun@...wei.com, "yukuai (C)" <yukuai3@...wei.com>
Subject: Re: [PATCH -next] ata: libata: Fix memory leak for error path in
 ata_host_alloc()

On 8/16/24 15:42, Yu Kuai wrote:
> 在 2024/08/16 11:58, Zheng Qixing 写道:
>> In ata_host_alloc(), if ata_port_alloc(host) fails to allocate memory
>> for a port, the allocated 'host' structure is not freed before returning
>> from the function. This results in a potential memory leak.
>>
>> This patch adds a kfree(host) before the error handling code is executed
>> to ensure that the 'host' structure is properly freed in case of an
>> allocation failure.
>>
>> Signed-off-by: Zheng Qixing <zhengqixing@...wei.com>

I did not receive this patch and I do not see it on the list either. Something
went wrong...
Can you resend please ? Thanks.

>> ---
>>   drivers/ata/libata-core.c | 4 +++-
>>   1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
>> index e4023fc288ac..f27a18990c38 100644
>> --- a/drivers/ata/libata-core.c
>> +++ b/drivers/ata/libata-core.c
>> @@ -5663,8 +5663,10 @@ struct ata_host *ata_host_alloc(struct device *dev, int n_ports)
>>   	}
>>   
>>   	dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
>> -	if (!dr)
>> +	if (!dr) {
>> +		kfree(host);
>>   		goto err_out;
>> +	}
> 
> Looks correct, dev_set_drvdata(dev, host) is not called yet.
> ata_devres_release won't free host in this case.
> 
> I'll suggest to return NULL directly here, and then the 'err_out'
> tag can be removed as well.

I do not think so. Since devres_open_group() was called, need to call either
devres_remove_group() or devres_release_group().

> 
> Anyway, with or without the cleanup:
> Reviewed-by: Yu Kuai <yukuai3@...wei.com>>
> Thanks!
>>   
>>   	devres_add(dev, dr);
>>   	dev_set_drvdata(dev, host);
>>
> 

-- 
Damien Le Moal
Western Digital Research


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ