lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <d3a67b6e-c5df-4175-ba75-72aac63a7986@fujitsu.com>
Date: Mon, 19 Aug 2024 03:45:02 +0000
From: "Zhijian Li (Fujitsu)" <lizhijian@...itsu.com>
To: Dan Williams <dan.j.williams@...el.com>, "nvdimm@...ts.linux.dev"
	<nvdimm@...ts.linux.dev>
CC: "vishal.l.verma@...el.com" <vishal.l.verma@...el.com>,
	"dave.jiang@...el.com" <dave.jiang@...el.com>, "ira.weiny@...el.com"
	<ira.weiny@...el.com>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2 1/2] nvdimm: Fix devs leaks in scan_labels()

(Just back from the summer holiday)

Sorry for the late reply.


On 10/08/2024 06:38, Dan Williams wrote:
> I notice this patch is not upstream yet. Let's try to get it over the
> goal line.
> 
> Li Zhijian wrote:
>> The leakage would happen when create_namespace_pmem() meets an invalid
>> label which gets failure in validating isetcookie.
> 
> I would rewrite this as:
> 
> "scan_labels() leaks memory when label scanning fails and it falls back
> to just creating a default "seed" namespace for userspace to configure.
> Root can force the kernel to leak memory."

It sounds good to me.

> 
> ...then a distribution developer knows the urgency to backport this fix.
> 
>> Try to resuse the devs that may have already been allocated with size
>> (2 * sizeof(dev)) previously.
> 
> Rather than conditionally reallocating I think it would be better to
> unconditionally allocate the minimum, something like:


Okay, I will update it in V3.



> 
> diff --git a/drivers/nvdimm/namespace_devs.c b/drivers/nvdimm/namespace_devs.c
> index d6d558f94d6b..1c38c93bee21 100644
> --- a/drivers/nvdimm/namespace_devs.c
> +++ b/drivers/nvdimm/namespace_devs.c
> @@ -1937,12 +1937,16 @@ static int cmp_dpa(const void *a, const void *b)
>   static struct device **scan_labels(struct nd_region *nd_region)
>   {
>          int i, count = 0;
> -       struct device *dev, **devs = NULL;
> +       struct device *dev, **devs;
>          struct nd_label_ent *label_ent, *e;
>          struct nd_mapping *nd_mapping = &nd_region->mapping[0];
>          struct nvdimm_drvdata *ndd = to_ndd(nd_mapping);
>          resource_size_t map_end = nd_mapping->start + nd_mapping->size - 1;
>   
> +       devs = kcalloc(2, sizeof(dev), GFP_KERNEL);
> +       if (!devs)
> +               return NULL;
> +
>          /* "safe" because create_namespace_pmem() might list_move() label_ent */
>          list_for_each_entry_safe(label_ent, e, &nd_mapping->labels, list) {
>                  struct nd_namespace_label *nd_label = label_ent->label;
> @@ -1961,12 +1965,14 @@ static struct device **scan_labels(struct nd_region *nd_region)
>                          goto err;
>                  if (i < count)
>                          continue;
> -               __devs = kcalloc(count + 2, sizeof(dev), GFP_KERNEL);
> -               if (!__devs)
> -                       goto err;
> -               memcpy(__devs, devs, sizeof(dev) * count);
> -               kfree(devs);
> -               devs = __devs;
> +               if (count) {
> +                       __devs = kcalloc(count + 2, sizeof(dev), GFP_KERNEL);
> +                       if (!__devs)
> +                               goto err;
> +                       memcpy(__devs, devs, sizeof(dev) * count);
> +                       kfree(devs);
> +                       devs = __devs;
> +               }
>   
>                  dev = create_namespace_pmem(nd_region, nd_mapping, nd_label);
>                  if (IS_ERR(dev)) {
> @@ -1994,10 +2000,6 @@ static struct device **scan_labels(struct nd_region *nd_region)
>                  /* Publish a zero-sized namespace for userspace to configure. */
>                  nd_mapping_free_labels(nd_mapping);
>   
> -               devs = kcalloc(2, sizeof(dev), GFP_KERNEL);
> -               if (!devs)
> -                       goto err;
> -
>                  nspm = kzalloc(sizeof(*nspm), GFP_KERNEL);
>                  if (!nspm)
>                          goto err;
> @@ -2036,12 +2038,10 @@ static struct device **scan_labels(struct nd_region *nd_region)
>          return devs;
>   
>    err:
> -       if (devs) {
> -               for (i = 0; devs[i]; i++)
> -                       namespace_pmem_release(devs[i]);
> -               kfree(devs);
> -       }
> -       return NULL;
> +        for (i = 0; devs[i]; i++)
> +                namespace_pmem_release(devs[i]);
> +        kfree(devs);
> +        return NULL;
>   }
>   
>   static struct device **create_namespaces(struct nd_region *nd_region)
> 
> 
>> A kmemleak reports:
>> unreferenced object 0xffff88800dda1980 (size 16):
>>    comm "kworker/u10:5", pid 69, jiffies 4294671781
>>    hex dump (first 16 bytes):
>>      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>    backtrace (crc 0):
>>      [<00000000c5dea560>] __kmalloc+0x32c/0x470
>>      [<000000009ed43c83>] nd_region_register_namespaces+0x6fb/0x1120 [libnvdimm]
>>      [<000000000e07a65c>] nd_region_probe+0xfe/0x210 [libnvdimm]
>>      [<000000007b79ce5f>] nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm]
>>      [<00000000a5f3da2e>] really_probe+0xc6/0x390
>>      [<00000000129e2a69>] __driver_probe_device+0x78/0x150
>>      [<000000002dfed28b>] driver_probe_device+0x1e/0x90
>>      [<00000000e7048de2>] __device_attach_driver+0x85/0x110
>>      [<0000000032dca295>] bus_for_each_drv+0x85/0xe0
>>      [<00000000391c5a7d>] __device_attach+0xbe/0x1e0
>>      [<0000000026dabec0>] bus_probe_device+0x94/0xb0
>>      [<00000000c590d936>] device_add+0x656/0x870
>>      [<000000003d69bfaa>] nd_async_device_register+0xe/0x50 [libnvdimm]
>>      [<000000003f4c52a4>] async_run_entry_fn+0x2e/0x110
>>      [<00000000e201f4b0>] process_one_work+0x1ee/0x600
>>      [<000000006d90d5a9>] worker_thread+0x183/0x350
> 
> Thanks for including this.
> 
> With the above changes you can add:
> 
> Reviewed-by: Dan Williams <dan.j.williams@...el.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ